Basic HTTP Authentication & PHP-FastCGI

Igor Clark igor at pokelondon.com
Wed Jul 23 15:48:12 MSD 2008


Hi Grzegorz,

On 23 Jul 2008, at 11:48, Grzegorz Nosek wrote:

> On Wed, Jul 23, 2008 at 11:40:26 +0100, Igor Clark wrote:
>> Not sure if it does, but if so, doesn't this ("information that was
>> successful from the auth_basic/auth module") mean that auth is being
>> done twice, once by nginx + htpasswd file, and then by PHP + its own
>> auth scheme?
>
> I didn't try it with nginx but in general you should be able to
> implement your own authentication in the application (e.g. in PHP)
> without any support from the web server other than passing
> Authorization header from the client ($_SERVER["HTTP_AUTHORIZATION"] in
> PHP?).

Absolutely - I'm only saying (without knowing details of the filter  
chain) that in order to do what Philip and Mike said, i.e. have nginx  
pass "user" and "pass" to PHP, logically:

- auth_basic would need to be in order for nginx to decode the (e.g.)  
"Basic aWdvcjpub2Jub3NlMg==" into 'user' and 'pass' variables to PHP
- in order for it to pass those on to PHP, the authentication would  
need to be successful, meaning that as it's auth_basic, it has to  
check against auth_basic_user_file

and if those details are then used for authentication in PHP, then  
there are two separate auth mechanisms going on.

As I've understood, mod_php in Apache decodes the u/p from the  
Authorization header (if present) and passes to PHP in an environment  
variable; nginx/fastcgi doesn't do this, so therefore, exactly as you  
said, the PHP app would need to decode the u/p from  
$_SERVER['HTTP_AUTHORIZATION'].

Phew :-)
igor

--
Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355 • www.pokelondon.com
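
The decoding step discussed in the message above, as an added example that is not part of the original thread: a PHP application reading $_SERVER['HTTP_AUTHORIZATION'] itself and rejecting malformed headers. The names parse_basic_auth(), check_credentials() and $users are hypothetical, and the user store is constructed for the example.

```php
<?php
// Added example: decode and check HTTP Basic credentials inside the PHP app.
// parse_basic_auth(), check_credentials() and $users are hypothetical names.

function parse_basic_auth(?string $header): ?array
{
    // Scheme is case-insensitive; anything else (Digest, Bearer, empty) is rejected.
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    // Strict mode returns false on characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    [$user, $pass] = explode(':', $decoded, 2);
    return ['user' => $user, 'pass' => $pass];
}

function check_credentials(?array $creds, array $users): bool
{
    if ($creds === null) { return false; }
    // Unknown users are checked against a dummy hash so timing does not reveal valid names.
    $hash = $users[$creds['user']] ?? '$2y$10$' . str_repeat('.', 53);
    return password_verify($creds['pass'], $hash) && isset($users[$creds['user']]);
}

// Constructed user store; a real application would load hashes from its own database.
$users = ['igor' => password_hash('nobnose2', PASSWORD_DEFAULT)];

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the header quoted in the message above, plus malformed variants.
    $samples = ['Basic aWdvcjpub2Jub3NlMg==', 'basic aWdvcjpub2Jub3NlMg==', 'Basic !!!', 'Bearer abc', null];
    foreach ($samples as $h) {
        $ok = check_credentials(parse_basic_auth($h), $users);
        printf("%-32s %s\n", var_export($h, true), $ok ? 'accepted' : 'rejected');
    }
} else {
    $creds = parse_basic_auth($_SERVER['HTTP_AUTHORIZATION'] ?? null);
    if (!check_credentials($creds, $users)) {
        header('WWW-Authenticate: Basic realm="example"');
        http_response_code(401);
        exit("Authentication required\n");
    }
    echo 'Hello, ' . htmlspecialchars($creds['user']) . "\n";
}
```

Run from the command line it checks the sample headers; served through FastCGI it answers 401 with a WWW-Authenticate challenge until valid credentials arrive.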
