Hi all,

quite a few weeks after moving to a new server, I realized that I am no longer able to access $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. I think I should have tested the relevant scripts right after moving, however I am not 100% positive that I really did.

Even the simplest examples like

// no credentials yet: ask the browser for HTTP Basic authentication
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // credentials were sent and decoded by the SAPI
    echo "Hello {$_SERVER['PHP_AUTH_USER']}.";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.";
}

fail.

I am aware that these variables will not be available when running PHP as CGI process, but I am almost sure that it is running as apache module.

First question now: Are there ways to verify how PHP is installed other than phpinfo() (which the admin disabled for security reasons) or asking him (which I would not want to do unless it is my only choice)? I have very limited access to the files on the server; it seems I am locked out of configuration files like httpd.conf.

Thank you for any pointers,
m

    You could use the php_sapi_name() function to get the interface type.

      Aiii, NogDog, thank you for the quick and helpful reply! In the meantime I have come across some functions that would not be available in CGI mode, and they already indicated what php_sapi_name now confirmed: it is CGI PHP, which means I have to think of something to get the user authentication done.

        Don't know if this would be any help or not, but you could take a look at the flat-file login script I put together some time ago. (I put it together for someone who couldn't -- or maybe wouldn't? -- use a database.) It might give you some ideas, even if you want to convert it to use a database (which I'd recommend).

          Hi NogDog,

          thank you, but the task I was facing was a little different.

          I had 3 areas of a website, one of which was to be protected in a htaccess-like way (for consistency reasons). There were no directories for the different areas, they were only simulated by rewrite rules, like
          RewriteRule (area1|2nd_area|private)/([a-zA-Z0-9]*)$ /index.php?dir=$1&p=$2

          Thus I could not make use of htaccess here, and used to have PHP do the user validation within that index.php script using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

          What I ended up with is
          - creating a directory "private" that has normal password protection with htaccess
          - adding a rewrite rule to this htaccess
          (RewriteRule [a-zA-Z0-9]*$ /index.php?dir=private&p=$0)
          - taking the private area out of the general rewrite rule in the root directory
          (RewriteRule (area1|2nd_area)/([a-zA-Z0-9]*)$ /index.php?dir=$1&p=$2)

          This seems to work out quite well as the user authentication is processed prior to the rewriting at least on my server.

          I am aware that this protection is somewhat weaker, as anyone who is able to guess the real URL index.php?dir=private&p=xy would be able to skip the authentication altogether. To reduce this risk, I have index.php at least validate the user name via $_SERVER['REMOTE_USER']. Still by no means bulletproof, but sufficient for the security level these contents need.

          Thanks again,
          m
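The guard described in the post above, written out as an added example (this is not xblue's index.php; the allow-list and the variable names passed in are constructed assumptions). It refuses a request that carries dir=private unless Apache has already accepted Basic credentials for that request, which is what distinguishes a request rewritten from /private/... from one typed directly as /index.php?dir=private&p=xy:

```php
<?php
// Added example: the check index.php can apply to requests for the
// "private" area. Apache sets REMOTE_USER and AUTH_TYPE only after it has
// accepted credentials for the requested path; a request that goes
// straight to /index.php never passes through /private/.htaccess, so
// neither variable is set and the request is refused.

function private_area_allowed(array $server, array $query, array $allowed_users) {
    // Only the private area needs the extra check; the other areas are public.
    if (!isset($query['dir']) || $query['dir'] !== 'private') {
        return true;
    }
    // No authenticated user: the request did not go through the protected directory.
    if (empty($server['REMOTE_USER'])) {
        return false;
    }
    // Make sure the user was established by HTTP Basic auth, not by some other module.
    if (!isset($server['AUTH_TYPE']) || strcasecmp($server['AUTH_TYPE'], 'Basic') !== 0) {
        return false;
    }
    // Constructed allow-list: only these accounts may see the private area.
    return in_array($server['REMOTE_USER'], $allowed_users, true);
}

$allowed = array('alice', 'bob'); // constructed allow-list

// Constructed $_SERVER snapshots:
// 1) request rewritten from /private/page1 after a successful Basic auth
$via_htaccess = array('REMOTE_USER' => 'alice', 'AUTH_TYPE' => 'Basic');
// 2) request typed directly as /index.php?dir=private&p=page1
$direct = array();

var_dump(private_area_allowed($via_htaccess, array('dir' => 'private', 'p' => 'page1'), $allowed));
var_dump(private_area_allowed($direct, array('dir' => 'private', 'p' => 'page1'), $allowed));
var_dump(private_area_allowed($direct, array('dir' => 'area1', 'p' => 'page1'), $allowed));
```

In the real script the first two arguments would be $_SERVER and $_GET; keeping them as parameters makes the decision easy to exercise from the command line with constructed input, as above.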

            xblue wrote:

            To reduce this risk, I have index.php at least validate the user name via $_SERVER['REMOTE_USER'].

            You might be able to get all the info out of $_SERVER['REMOTE_USER'].

            Here is a nice little trick I use to generate $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] on systems that don't actually support them, but do send the authorization info in another variable:

            // attempt to support PHP_AUTH_USER & PHP_AUTH_PW if they aren't supported in this SAPI
            //   known SAPIs that do support them:  apache, litespeed
            function setup_php_http_auth() {
                if ((PHP_SAPI === 'apache') || (PHP_SAPI === 'litespeed') || isset($_SERVER['PHP_AUTH_USER'])) {
                    return;
                }

                // look for a raw "Basic <base64>" value under the names some SAPIs use;
                // a variable holding only a bare user name has no encoded part and is skipped
                foreach (array('HTTP_AUTHORIZATION', 'AUTHORIZATION', 'REMOTE_USER') as $key) {
                    if (!empty($_SERVER[$key])) {
                        $parts = explode(' ', $_SERVER[$key], 2);
                        if (count($parts) === 2) {
                            list($type, $encoded) = $parts;
                            break;
                        }
                    }
                }

                if (!isset($type) || ($type !== 'Basic')) {
                    return;
                }

                // strict decoding rejects non-base64 input; the password may itself
                // contain ':', so split on the first one only
                $decoded = base64_decode($encoded, true);
                if ($decoded === false || strpos($decoded, ':') === false) {
                    return;
                }
                list($user, $pass) = explode(':', $decoded, 2);
                $_SERVER['PHP_AUTH_USER'] = $user;
                $_SERVER['PHP_AUTH_PW'] = $pass;
            }
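To see what the decoding step in the post above has to cope with, here is an added example (my code, not dream.scape's) that isolates the parsing of a "Basic <base64>" value into a function returning the user and password, or null when the value is not a usable Basic credential. The inputs at the bottom are constructed and cover the awkward cases: a lower-case scheme name, a password containing ':', a different scheme, a bare user name of the kind REMOTE_USER holds once the web server has already done the authentication, undecodable base64, and a decoded value with no separator.

```php
<?php
// Added example: standalone parser for an HTTP Basic "Authorization" value.
// Returns array('user' => ..., 'pass' => ...) or null.

function parse_basic_authorization($value) {
    if (!is_string($value) || $value === '') {
        return null;
    }
    $parts = preg_split('/\s+/', trim($value), 2);
    // A bare user name has no scheme and no encoded part: nothing to decode.
    if (count($parts) !== 2) {
        return null;
    }
    list($scheme, $encoded) = $parts;
    // Scheme names are case-insensitive (RFC 7617).
    if (strcasecmp($scheme, 'Basic') !== 0) {
        return null;
    }
    // Strict mode makes base64_decode() fail on anything that is not base64.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return null;
    }
    // Only the first ':' separates user and password; the password may
    // legitimately contain further colons.
    $sep = strpos($decoded, ':');
    if ($sep === false) {
        return null;
    }
    return array(
        'user' => substr($decoded, 0, $sep),
        'pass' => substr($decoded, $sep + 1),
    );
}

// Constructed inputs exercising the cases discussed in the thread.
$cases = array(
    'Basic ' . base64_encode('alice:s3cret'),      // ordinary credential
    'basic ' . base64_encode('alice:pa:ss:word'),  // lower-case scheme, ':' inside the password
    'Bearer ' . base64_encode('whatever'),         // different scheme
    'alice',                                       // bare user name (REMOTE_USER after auth)
    'Basic not*base64*',                           // not decodable
    'Basic ' . base64_encode('nocolon'),           // no user/password separator
);

foreach ($cases as $c) {
    $r = parse_basic_authorization($c);
    echo str_pad($c, 40), ' => ', ($r === null ? 'null' : $r['user'] . ' / ' . $r['pass']), "\n";
}
```

Whether any server variable carries the header at all is the web server's decision, not PHP's: Apache does not pass the Authorization header through to CGI scripts by default, which is why a function like the one above is only useful once the server has been told to forward it (in Apache 2.4.13 and later the CGIPassAuth directive does this; the older workaround is a mod_rewrite rule with the E=HTTP_AUTHORIZATION:%{HTTP:Authorization} flag).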

              Thank you, dream.scape. Did that work out for you in all cases? On my server, HTTP_AUTHORIZATION and AUTHORIZATION are not set, and REMOTE_USER contains the user name and only the user name.
