Basic Authentication URL Handling

Question

We have a new b2b vendor that wants to use basic auth via URL.

They want to authenticate like this:

  //URL coming into our server
  http://usernametext:passwordtext@our.company.com/listener.php

How can I get the username and password from the URL via my listener.php script?

I have tried setting basic auth headers per the php man page but it pops up a login box, which is not what I need, since these are web services talking to each other, not people:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
     header('WWW-Authenticate: Basic realm="My Realm"');
     header('HTTP/1.0 401 Unauthorized');
     echo '<response><error>No username and password found</error></response>';
     exit;
 } else {

   //process request if username & password are legit

}

Answer 1

Thanks to all that offered solutions. Here is what solved this issue for me:

It was a server configuration issue. I needed to compile the Apache extension in my PHP. Once I did that, the $_SERVER array contained $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] values. Prior to this, those values were missing from the $_SERVER array

Answer 2

may be this could help:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}

more detailed you can check on : http-auth

Update: If you dont need popup box (which is confirmation user+pass on non required auth site) simply add .htaccess on directory.

AuthType Basic
AuthName "Password Required"

Answer 3

Why not send the info via good old $_GET? Something like http://our.company.com/listener.php?usr='me'&pswd='secret'