HTTP(s) Authentification for RSS feeds/#3733

Covers some rough aspects about http authentification for RSS feeds.

HTTP-Auth with php-cgi

from .htaccess

RewriteEngine on

# PHP (CGI mode) HTTP Authorization with ModRewrite:
RewriteCond %{HTTP:Authorization} !^$
RewriteRule ^(.*)$ index.php?go=playground&HTTP_AUTHORIZATION=%{HTTP:Authorization} 

The main issue here, is adding the authentification data to the URLs. Sadly, this does not work as expected, because...

RewriteRule ^(.*)$ $1&HTTP_AUTHORIZATION=%{HTTP:Authorization} 

...truncates a request like index.php?go=XYZ to the index.php. Of course we need the go parameters as well.

This sample code tries to get the http authentification username and login.

from pages/

       header('WWW-Authenticate: Basic realm="blabl"');
       header('HTTP/1.0 401 Unauthorized');
       echo 'Sorry. You need to authenticate';
    else {
        $password= '';
        if(isset($_SERVER['PHP_AUTH_USER'])) {
            if(isset($_SERVER['PHP_AUTH_PW'])) {
        * if php runs in CGI-mode we need mod_rewrite to enable HTTP-auth:
        *
        else if(get('HTTP_AUTHORIZATION')) {
            $tmp= base64_decode( substr(get('HTTP_AUTHORIZATION'),6));
            list($username, $password) = explode(':', $tmp);
        print("<br>username='" . $username . "'");       
        print("<br>password='" . $password . "'");

Any ideas on this subject would be very nice.

Another problemπ

is that relative linking of stylesheets sometimes breaks with mod_rewrite. Although all links seem to work just fine and the sourcecode looks ok, styles and images are no loaded. I cannot reproduce this behaviour.

Replacing Authorization in php-cgiπ

How to make then?
The solution is to select an Apache variable which is actually transmitted to PHP even in mode cgi, and to stick to it the data of authentification transmitted by the navigator (or by the newsreader).

Throw a glance with the directive added to the file .htaccess:

  RewriteEngine one
  RewriteRule. * - [E=REMOTE_USER: % {HTTP: Authorization}, L]

This directive says that, if the module mod_rewrite is available, attribute HTTP Authorization must be placed in the variable $_SERVER [“REMOTE_USER”].

To follow upon the RFC 2617 concerning HTTP Authentication, if the surfer indicates the name “Aladdin” and the password “open sesame”, the user agent (the navigator or the newsreader) must add the following attribute to request HTTP:

  Authorization: BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Thanks to the directive of rewriting put in .htaccess, script PHP carried out will as follows be able accèder with these elements in $_SERVER [“REMOTE_USER”]:


From there, there is no more that to decode the base64, and to separate the name from the password, as indicated in the RFC 2617. You follow me?


guest:possible solution?

12 years ago -

Thanks for your quick reply

Do you think that could be the solution?

Hope you understand french ;)


guest:are you getting somewhere with this?

12 years ago -

I haven't entirely understood exactly what the code does, but I think it stores the username in http-auth rather than in a get variable. Suggesting that, how about we store additional parameters in the username and then we parse the username before using it as authentication.

is that an idea at all? please tell me if I get it wrong

best luck


pixtur:some progress already

12 years ago (2. update 12 years ago)

The RSS-Feeds are already working on my locale server. But I found a logical problem in the authentification method of Streber. There is a conflict between using Anonymous User and HTTP_auth. With the current implementation you could only have either way, but that would disable RSS Feeds for all projects to which Anonymous is not a team member.

So it will take some more time to refactor the login/authentification stuff. Maybe I will have some time on weekend, but since my Laptop broke... sigh..