Basic HTTP Authentication & PHP-FastCGI

Igor Clark igor at
Thu Jul 24 12:46:09 MSD 2008


On 23 Jul 2008, at 19:09, mike wrote:

> On 7/23/08, Igor Sysoev <is at> wrote:
>> There is $remote_user variable, but there is no $remote_password.
> Okay, then you should be able to add in your fastcgi params
> fastcgi_param REMOTE_USER $remote_user;
> and it should pass it to PHP, only if the user is properly
> authenticated right? $remote_user is only populated if the
> authentication is passed, I assume.
> I don't think people typically need the password. They either need to
> choose to let the webserver handle auth, or the PHP/scripting language
> to handle it.
> re: Igor Clark - no, it won't be doing the auth twice. This is
> assuming nginx is doing all the auth stuff, you're simply passing the
> user to the script so you can grab the username.

The original question was "How would I pass the Basic HTTP  
Authentication user & password over to PHP to do the check?"

Meaning that if nginx was also doing auth, it would be 2 checks, and  
all Philip needed was HTTP_AUTHORIZATION header, as has been stated.

But sure, in the case you describe, the auth is only done by nginx.

> If you need more flexibility and password info, I'd suggest going a
> pure PHP route then.
> (Also I assume that if $remote_user is not set - because it's not
> under an authed directory, or it's an invalid password/etc, that it
> will not show an error, but just pass an empty REMOTE_USER string - so
> your PHP app would want to understand a non-existent
> $_SERVER['REMOTE_USER'] or an empty one means invalid auth)

Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355  

More information about the nginx mailing list