browser authentication

I use $_SERVER[‘PHP_AUTH_USER’] in php to query the database for allowed users into the admin area of several client websites. This works fine in the test environment (just ubuntu), but not in virtualmin. It seems as though ‘PHP_AUTH_USER’ is not being passed into the environment, even though phpinfo() shows that safe_mode is off.

Any clues as to what may be going on?


The “PHP_AUTH_USER” environment variable is only set for PHP scripts running under mod_php, and not CGI or FCGID.

Switching to mod_php comes with some downsides, including not being able to use suexec to run your scripts.

There’s some more details on using PHP_AUTH_USER here:

How much of virtualmin is compromised by switching to mod_php? Is this hard to do?

Well, “Virtualmin” isn’t compromised – it just means that all the websites on your server will be running as one user, the user Apache runs as – rather than the individual Virtual Server owners.

You’d have to weight the security implications and how they affect your server yourself – it depends on how important your data is, whether you have untrusted users or scripts, and so forth.

For a multi-user server with people who can upload untrusted scripts, I personally would not switch away from suexec :slight_smile: