I use the Laravel/Lumen Shield Extension for my Http Authentication, however on my local machine everything is perfect, I had only problems on our server.

The problem is after I submit the correct login data the login screen appears again. I tried different login data, different browsers, the login screen appears again and again.

The last thing I checked up was to change my .htaccess with:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

But I got only a 404 ...

The Http Auth process works if I used htaccess/htpasswd, but I want to handle this with PHP and first of all I want to understand where is the problem.

To limit the problem I tried a PHP Http Auth with this code:

    <?php
$realm = 'Geschützter Bereich';

// Benutzer => Passwort
$benutzer = array('admin' => 'mypass', 'gast' => 'gast');

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm .
           '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) .
           '"');

    die('Text, der gesendet wird, falls der Benutzer auf Abbrechen drückt');
}

// Analysieren der Variable PHP_AUTH_DIGEST
if (!($daten = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($benutzer[$daten['username']]))
    die('Falsche Zugangsdaten!');

// Erzeugen einer gültigen Antwort
$A1 = md5($daten['username'] . ':' . $realm . ':' .
          $benutzer[$daten['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $daten['uri']);
$gueltige_antwort = md5($A1 . ':' . $daten['nonce'] . ':' . $daten['nc'] .
                        ':' . $daten['cnonce'] . ':' . $daten['qop'] . ':' .
                        $A2);

if ($daten['response'] != $gueltige_antwort)
    die('Falsche Zugangsdaten!');

// OK, gültige Benutzername & Passwort
echo 'Sie sind angemeldet als: ' . $daten['username'];

// Funktion zum analysieren der HTTP-Auth-Header
function http_digest_parse($txt) {
    // gegen fehlende Daten schützen
    $noetige_teile = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1,
                           'username'=>1, 'uri'=>1, 'response'=>1);
    $daten = array();
    $schluessel = implode('|', array_keys($noetige_teile));

    preg_match_all('@(' . $schluessel . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
                   $txt, $treffer, PREG_SET_ORDER);

    foreach ($treffer as $t) {
        $daten[$t[1]] = $t[3] ? $t[3] : $t[4];
        unset($noetige_teile[$t[1]]);
    }

    return $noetige_teile ? false : $daten;
}
?>

Same situation as before, on my local machine this code working, but the problem is still alive on my server.

Some information about the environment ..

Local: Debian with PHP 5.6 Server: Gentoo with PHP 5.6

For the project I used Lumen 5.1 instead of Laravel.

Thank's for helping me :)

The problem is solved.

I checked phpinfo() on our Server and SERVER API was on CGI/FastCGI.

HTTP Auth via PHP - PHP_AUTH_USER not set?

Run phpinfo(). if "Server API" is CGI/FCGI, you can pretty much forget it as there is no sensible way to use HTTP auth from PHP.

Now I knew where the problem is and I solved the Issue while adding the following part into my public/.htacces .

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

I had a similar problem. I was using PHP 7.2 CGI. Then I switched to FastCGI and that solved it.

Solution:

1) Switch to PHP FastCGI (instead of PHP CGI)

2) Make sure you have the required lines in your .htaccess file:

<IfModule mod_rewrite.c>
  RewriteCond %{HTTP:Authorization} .
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>