Accessing REMOTE_USER from PHP / CakePHP
I'm developing a CakePHP site for which I just enabled VAS authentication using a .htaccess file:
AuthType VAS
AuthVasUseBasic On
AuthVasRemoteUserMap local
Require valid-user
I expect to be able to find out who is logged in using $_SERVER['REMOTE_USER'], but I found that the key is missing from the $_SERVER structure: all there is is $_SERVER['REDIRECT_REMOTE_USER']. In fact, the whole structure is filled with keys prefixed with REDIRECT_:
echo var_dump($_SERVER);
array(52) {
["REDIRECT_REDIRECT_REDIRECT_SCRIPT_URL"]=> string(37) "/cake_1_2/feedbacks/edit/6"
["REDIRECT_REDIRECT_REDIRECT_SCRIPT_URI"]=> string(55) "http://test/cake_1_2/feedbacks/edit/6"
["REDIRECT_REDIRECT_REDIRECT_STATUS"]=> string(3) "200"
["REDIRECT_REDIRECT_SCRIPT_URL"]=> string(37) "/cake_1_2/feedbacks/edit/6"
["REDIRECT_REDIRECT_SCRIPT_URI"]=> string(55) "http://test/cake_1_2/feedbacks/edit/6"
["REDIRECT_REDIRECT_STATUS"]=> string(3) "200"
["REDIRECT_SCRIPT_URL"]=> string(37) "/cake_1_2/feedbacks/edit/6"
["REDIRECT_SCRIPT_URI"]=> string(55) "http://test/cake_1_2/feedbacks/edit/6"
["REDIRECT_HANDLER"]=> string(8) "php5-cgi"
["REDIRECT_STATUS"]=> string(3) "200"
["SCRIPT_URL"]=> string(37) ...
["REDIRECT_REMOTE_USER"]=> string(9) "andygeers"
...
}
I'm not really sure what's going on! This is generated primarily in the POST request and does not redirect on that particular request.
Is this related to CakePHP or just a general PHP problem? Any idea what's going on? I have found quite a few pages on the internet that suggest that REDIRECT_REMOTE_USER is a normal place to find this value, but no one really knows why!
Apache adds these REDIRECT_ prefixes so that scripts can better deal with what happened. For my application, I wrote a function to handle this. In my case, this is a class method, but you can easily turn it into a global function.
class MyClass {
    /** @var integer How deep the redirect layers of Apache go. -1 means not set. */
    private $redirectLevel = -1;

    /**
     * Get an environment variable with all the REDIRECT_ prefixes stripped off
     */
    private function getEnv($var)
    {
        // Find out how deep the redirect goes
        if ($this->redirectLevel == -1) {
            reset($_SERVER);
            $key = key($_SERVER);
            $this->redirectLevel = substr_count($key, 'REDIRECT_');
        }
        $result = '';
        $prefix = '';
        for ($i = 0; $i < $this->redirectLevel + 1; $i++) {
            if (isset($_SERVER[$prefix . $var])) {
                $result = $_SERVER[$prefix . $var];
            }
            $prefix .= 'REDIRECT_';
        }
        return $result;
    }
}
EDIT: The above function returns the contents of the variable that has the most REDIRECT_ prefixes, which is usually what you want. If Apache has not prefixed the variables, this is what you get. The content of the variables may vary depending on the number of prefixes. Finally, Apache adds a prefix so that it doesn't overwrite the old value.
For example, on my site, I am using mod_ssl to authenticate the client using SSL client certificates. The subject of the certificate (containing the user's email address) is stored in the SSL_CLIENT_S_DN variable. With the Apache prefix, it looks like:
$_SERVER['REDIRECT_REDIRECT_SSL_CLIENT_S_DN'] // string containing the subject
$_SERVER['REDIRECT_SSL_CLIENT_S_DN'] // exists, but empty
// $_SERVER['SSL_CLIENT_S_DN'] does not exist
The getEnv() function I wrote above will return the top one.
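An added example, not code from the question or from either answer: a stand-alone variant of the prefix lookup for identity values such as REMOTE_USER. It checks every REDIRECT_ level instead of inferring the depth from the first key, skips levels that exist but are empty (the mod_ssl case above), and refuses to choose when two levels hold different non-empty values. The function name resolveServerVar, the $maxDepth limit and the sample arrays are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a server variable that Apache may have renamed with one or more
 * REDIRECT_ prefixes during internal redirects.
 * resolveServerVar() is a hypothetical helper, not part of PHP or CakePHP.
 */
function resolveServerVar(array $server, string $name, int $maxDepth = 8): ?string
{
    $found = [];
    $key = $name;
    for ($depth = 0; $depth <= $maxDepth; $depth++) {
        // A level can exist but be empty, so empty strings are skipped.
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            $found[$key] = $server[$key];
        }
        $key = 'REDIRECT_' . $key;
    }
    if ($found === []) {
        return null; // not set at any prefix level
    }
    // Fail closed when levels disagree instead of silently picking one.
    if (count(array_unique($found)) > 1) {
        throw new RuntimeException(
            "Conflicting values for $name in: " . implode(', ', array_keys($found))
        );
    }
    return reset($found);
}

// Constructed sample input modelled on the dump in the question.
$sample = [
    'REDIRECT_REDIRECT_STATUS' => '200',
    'REDIRECT_STATUS'          => '200',
    'REDIRECT_REMOTE_USER'     => 'andygeers',
];
var_dump(resolveServerVar($sample, 'REMOTE_USER'));
var_dump(resolveServerVar($sample, 'SSL_CLIENT_S_DN'));

// Constructed sample modelled on the mod_ssl case: one level exists but is empty.
$ssl = [
    'REDIRECT_REDIRECT_SSL_CLIENT_S_DN' => 'CN=example,emailAddress=user@example.org',
    'REDIRECT_SSL_CLIENT_S_DN'          => '',
];
var_dump(resolveServerVar($ssl, 'SSL_CLIENT_S_DN'));
```

In application code the first argument would be $_SERVER. The lookup only touches the bare name and its REDIRECT_ variants, so request headers, which CGI exposes under HTTP_ keys, never feed into the result.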
This is a common PHP thing. Some frameworks redirect pages internally according to their routing policies. If you redirect out of the box, you get the same result.
Direct access to the page out of bounds will give you the names you originally expected. I noticed that in CodeIgniter, you get $_SERVER['REMOTE_USER'] and don't redirect. So it depends on which framework you are using.
So it's probably best to check them out if you're not sure if a redirect is taking place.
I also notice that you are using AuthVasUseBasic On. If you are using this you should also check the base user variable $_SERVER['USERNAME'], IIRC.