Reputation: 607
I want to use JWT header authorization in my project, but when I use $_SERVER['HTTP_AUTHORIZATION'] to get the token from the header it's not working. I've modified the .htaccess file but still nothing.
CGIPassAuth On
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Upvotes: 0
Views: 2961
Reputation: 47
Thanks for your 2nd solution! By using "REDIRECT_HTTP_AUTHORIZATION" it now works on my local machine/test environment with XAMPP 8.2, Windows.
To get the two SERVER variables, I have to use this code:
// Limit of 2 keeps a password that itself contains ':' intact.
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)), 2);
Upvotes: 0
Reputation: 194
Solution 1:
After a bit of research, I found that in some situations Apache may not pass authorization headers to PHP for security reasons. However, it is possible to work around this by creating a rewrite rule in the site's .htaccess file to put the authorization header into an environment variable.
<IfModule mod_rewrite.c>
# Handle Authorization Header.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
After adding the above to the .htaccess file, the $_SERVER['HTTP_AUTHORIZATION'] key is now populated with the value of the Authorization header.
Therefore, a print_r($_SERVER) confirmed that there was indeed no item for the key $_SERVER['HTTP_AUTHORIZATION'], hence why I was getting a null value.
However, the value was available with the getallheaders() function.
$token = getallheaders()['Authorization'];
echo '<pre>';
print_r($token);
By printing the output of the getallheaders() PHP function you should see the "Authorization" key attached to it.
Solution 2:
Various Apache modules will strip the Authorization header, usually for "security reasons". They all have different obscure settings you can tweak to overrule this behavior, but you'll need to determine exactly which module is to blame.
You can work around this issue by passing the header directly to PHP via the env. So, just put this line into the .htaccess file:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
In some scenarios, even this won't work directly and you must also change your PHP code to access $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] rather than $_SERVER['HTTP_AUTHORIZATION'].
Upvotes: 3
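The answers above name three places the header can end up: $_SERVER['HTTP_AUTHORIZATION'], $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] and getallheaders(). The following is an added example, not code from any of the posts: it checks all three in order and accepts only a well-formed Bearer value, so a missing or malformed header fails closed. The function names findAuthorizationHeader and extractBearerToken and the sample tokens are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helper names; not from the original posts.
// Real use: findAuthorizationHeader($_SERVER,
//     function_exists('getallheaders') ? getallheaders() : []);
function findAuthorizationHeader(array $server, array $headers = []): ?string
{
    // HTTP_AUTHORIZATION: normal case, or set by the RewriteRule/SetEnvIf workaround.
    // REDIRECT_HTTP_AUTHORIZATION: same variable after an internal Apache redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return trim($server[$key]);
        }
    }
    // Raw request headers; header names are case-insensitive.
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0 && is_string($value)) {
            return trim($value);
        }
    }
    return null;
}

function extractBearerToken(?string $header): ?string
{
    if ($header === null) {
        return null;
    }
    // Accept only "Bearer <token>" using the RFC 6750 token alphabet.
    if (preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', $header, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed sample inputs, so this runs from the CLI without a web server.
$samples = [
    'direct'   => [['HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'], []],
    'redirect' => [['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'], []],
    'headers'  => [[], ['authorization' => 'Bearer aaa.bbb.ccc']],
    'basic'    => [['HTTP_AUTHORIZATION' => 'Basic dXNlcjpwYXNz'], []],
    'missing'  => [[], []],
];
foreach ($samples as $label => [$server, $headers]) {
    $token = extractBearerToken(findAuthorizationHeader($server, $headers));
    printf("%-8s => %s\n", $label, $token ?? '(no bearer token: respond 401)');
}
```

The returned string is only the raw token; the JWT signature and claims still have to be verified before the request is treated as authenticated.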