Is $_SERVER['PHP_AUTH_USER'] widely supported by servers and clients?

Posted on 2009-02-23
Last Modified: 2012-05-06
I would like to use the following code to manage access to a restricted area.

Will it work with all, most or some PHP4/PHP5 installations?  

Will it work with all, most or some browsers?  


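// isset() avoids undefined-index notices when the browser has not sent credentials yet
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && $_SERVER['PHP_AUTH_USER']=='user' && $_SERVER['PHP_AUTH_PW']=='password'){
    // Credentials matched the hard-coded pair
    echo '<h1>Hello, '. $_SERVER['PHP_AUTH_USER'] .'. You are now authorized!</h1>';
} else {
    // Missing or wrong credentials: ask the browser to prompt for them
    header('WWW-Authenticate: Basic realm="Protected Area"');
    header('HTTP/1.0 401 Unauthorized');
    header('Status: 401 Unauthorized');
    header('HTTP-Status: 401 Unauthorized');
    echo '<h1>You are not authorized.</h1>';
}
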

Question by:hankknight
    LVL 107

    Expert Comment

    by:Ray Paseur
    Since it is a server-based variable, wouldn't it be mostly important to identify whether it's available on your server?
    LVL 107

    Expert Comment

    by:Ray Paseur
    Looking at the description here leads me to believe that support may be spotty.  I don't know how many installations use CGI, but some of my clients do.
    LVL 107

    Accepted Solution

    And as I read it more, I see a collection of "notes" that do not inspire much confidence.  To wit:

    Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file.

    Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.

    So I guess the keys are (1) you're using Apache and (2) you control the client's choice of browsers.  Absent that, you might want to use a different form of authentication.

    Best regards, ~Ray
    LVL 8

    Assisted Solution

    Supposedly working for PHP4 and PHP5.
    LVL 2

    Assisted Solution

    Even if you use Apache, some ISPs, like HostGator, use PHPSuExec, which means $_SERVER['PHP_AUTH_USER'] will never work.
    HTTP authentication works only if PHP runs as a module, not as CGI.
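
A version of the check that covers both points raised in the answers above (validate the credentials rather than just reading them, and PHP_AUTH_USER being empty under CGI), as an added example that is not code from the thread. It assumes PHP 7.1 or later and that, under CGI, the web server has been configured to forward the Authorization header so it arrives as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION. The function names basic_credentials() and is_authorized() and the demo credentials are hypothetical, constructed for this example.

```php
<?php
// Added example, not code from the thread. DEMO_USER and the demo password
// are constructed values; a real site stores a precomputed hash elsewhere.
const DEMO_USER = 'user';

// Return [user, password] sent by the client, or null when none was sent.
function basic_credentials(array $server): ?array
{
    // PHP running as an Apache module fills these in directly.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI / suEXEC setups: the raw header is only present if the server
    // forwards it (assumption: under one of these two keys).
    $raw = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null; // header absent or a different auth scheme
    }
    $decoded = base64_decode(trim(substr($raw, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed token
    }
    // Split on the first colon only; passwords may contain colons.
    return explode(':', $decoded, 2);
}

// Constant-time user comparison plus a hashed-password check.
function is_authorized(?array $creds, string $user, string $hash): bool
{
    if ($creds === null) {
        return false;
    }
    $userOk = hash_equals($user, $creds[0]);
    $passOk = password_verify($creds[1], $hash);
    return $userOk && $passOk;
}

// Demo only: hash generated at run time from a constructed password.
$hash  = password_hash('password', PASSWORD_DEFAULT);
$creds = basic_credentials($_SERVER);
if (is_authorized($creds, DEMO_USER, $hash)) {
    echo '<h1>Hello, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8') . '. You are now authorized!</h1>';
} else {
    // WWW-Authenticate first, then the status line, as the quoted note advises.
    header('WWW-Authenticate: Basic realm="Protected Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>You are not authorized.</h1>';
}
```

If neither key is populated on a CGI host, the fallback returns null and every request gets the 401 prompt, which is the failure the answer above describes. Basic authentication only base64-encodes the credentials, so serve the protected area over HTTPS.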
    LVL 16

    Author Comment

    Thanks. To be safe, I will not use it.
