Yii2: HTTP Basic Auth with REDIRECT_HTTP_AUTHORIZATION

Created on 13 Feb 2017 · 7 Comments · Source: yiisoft/yii2

What steps will reproduce the problem?

HTTP Basic Auth doesn't work if the server uses a special configuration where PHP is not loaded as a module...

What do you get instead?

The PHP_AUTH_* variables are not set, and therefore HTTP Basic Auth does not work with Yii in this server configuration.

Additional info

Workaround is to set in .htaccess

```apache
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

and override HttpBasicAuth/authenticate with

```php
$auth_token = null;
// Prefer the header as set directly by the server; fall back to the
// REDIRECT_-prefixed copy Apache creates for variables set via RewriteRule.
if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
    $auth_token = $_SERVER['HTTP_AUTHORIZATION'];
} elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
    $auth_token = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}
$username = $password = null;
if ($auth_token !== null && strpos(strtolower($auth_token), 'basic ') === 0) {
    // Strict decoding rejects malformed base64; the explode limit of 2 keeps
    // any ':' inside the password intact (only the first ':' is the separator).
    $decoded = base64_decode(substr($auth_token, 6), true);
    if ($decoded !== false && strpos($decoded, ':') !== false) {
        list($username, $password) = explode(':', $decoded, 2);
    }
}
```

Maybe you could add a fix in the next update. Thanks.

| Q | A |
| ---------------- | --- |
| Yii version | 2.0.? |
| PHP version | 7.0 |
| Operating system | |

Labels: ready for adoption, bug

All 7 comments

It's a valid issue and applies to all possible HTTP header reading, not only to authorization. Apache prefixes any environment variables set via RewriteRule with REDIRECT_ (explanation at StackOverflow).
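The following is an added example, not code from the issue or from Yii itself. It implements what the report and the comment above describe: a header lookup that falls back to the `REDIRECT_HTTP_*` copy Apache creates for any header set through `RewriteRule [E=...]`, and a Basic-credential reader that prefers `PHP_AUTH_USER`/`PHP_AUTH_PW` when the SAPI fills them in and otherwise decodes the `Authorization` header itself. The function names and the sample `$_SERVER` arrays are constructed for the example.

```php
<?php
// Added example (not Yii's own code): resolve request headers and Basic
// credentials in a way that works whether PHP runs as an Apache module,
// as CGI/FastCGI with the header passed through, or behind the mod_rewrite
// workaround from the issue (REDIRECT_HTTP_AUTHORIZATION).

/**
 * Look up a request header in a $_SERVER-like array. Checks the usual
 * HTTP_* key first and then the REDIRECT_HTTP_* key that Apache produces
 * when the variable was set with RewriteRule [E=...].
 */
function resolveHeader(array $server, string $name): ?string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    foreach ([$key, 'REDIRECT_' . $key] as $candidate) {
        if (isset($server[$candidate]) && $server[$candidate] !== '') {
            return $server[$candidate];
        }
    }
    return null;
}

/**
 * Return [user, password] or null when no usable Basic credentials exist.
 * Prefers PHP_AUTH_USER/PHP_AUTH_PW when the SAPI populated them.
 */
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    $header = resolveHeader($server, 'Authorization');
    if ($header === null || !preg_match('/^\s*Basic\s+(\S+)\s*$/i', $header, $m)) {
        return null; // absent, or a different scheme such as Bearer
    }
    $decoded = base64_decode($m[1], true); // strict mode: reject malformed base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit 2: only the first ':' separates user from password, so a
    // password containing ':' survives intact.
    return explode(':', $decoded, 2);
}

// Constructed sample inputs covering the server setups discussed in the issue.
$samples = [
    'mod_php'            => ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret'],
    'fastcgi_direct'     => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('bob:pa:ss')],
    'fastcgi_redirected' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('carol:x')],
    'malformed'          => ['HTTP_AUTHORIZATION' => 'Basic !!notbase64!!'],
];
foreach ($samples as $label => $server) {
    var_export([$label => basicCredentials($server)]);
    echo PHP_EOL;
}
```

Running it with `php` prints the decoded pair for the first three setups and `NULL` for the malformed header. The strict `base64_decode` and the `explode` limit are the two details the original snippet omits: without them a garbage header silently yields an empty username, and a password containing `:` is truncated.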

Same ticket for symfony framework (for reference): https://github.com/symfony/symfony/issues/1813

This should be implemented in the loading of the HeaderCollection.

@SilverFire I don't think your fix is correct. This should be fixed in Request::getAuthUser() and Request::getAuthPassword() - right now these methods are simply unreliable.

Also, it is worth documenting the .htaccess workaround, like here: https://github.com/cakephp/docs/pull/3067/files

@SilverFire, it's not only about the auth header. The same behavior occurs with any header. See my comment with a link above.

@samdark I don't think we should do that for every header. The auth header is specific, and using mod_rewrite is a known workaround. Any practical example where doing this for another header is useful?

> This should be implemented in the loading of the HeaderCollection.

PHP_AUTH_PW is not a header, it's a system var.

> I don't think your fix is correct. This should be fixed in Request::getAuthUser() and Request::getAuthPassword() - right now these methods are simply unreliable.

Yes, Robert, you are right. This way will be more reliable.

> I don't think we should do that for every header. The auth header is specific, and using mod_rewrite is a known workaround.

Agreed.
