Doc Bug #26066 REMOTE_USER not defined when using Basic Auth
Submitted: 2003-10-31 23:12 UTC Modified: 2003-11-03 19:10 UTC
From: gavin at vess dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.3.4RC3 OS: Linux 2.4.18-27.7.x
Private report: No CVE-ID: None
 [2003-10-31 23:12 UTC] gavin at vess dot com
Description:
------------
The appended output of "grep's" through PHP and Apache 2 source code clearly shows "unconnected" code relating to the username supplied by a user when using basic authentication with HTTP.  PHP source code uses the environment variable HTTP_AUTHORIZATION, yet no code sets this variable within either Apache 2.0.48 or PHP 4.3.4RC3.  This prevents PHP_AUTH* from being set (the code to set these still exists in PHP).  Perhaps this PHP code was written for other web servers that do supply HTTP_AUTHORIZATION environment variable.

This wouldn't cause me any concern, except that REMOTE_USER is also unavailable when using the Apache 2/FastCGI configuration, since Apache 2 sees the script protected by an .htaccess, but not the FastCGI PHP binary.  apache2.0.48/server/util_script.c: ap_add_common_vars() sets up the various environment variables to pass to the FastCGI, but REMOTE_USER is excluded since no authentication was required to access the PHP binary (only the script, but that was an earlier phase in processing the request).  Sigh .. perhaps I will patch Apache to help maintain a consistent environment for my customers .. easier than trying to explain all this to them.

In any case, the documentation at http://us3.php.net/features.http-auth is out-of-sync with Apache 2 / PHP 4.3.4RC3.  Perhaps the information previously accessible via $_SERVER['REMOTE_USER'] and $_SERVER['PHP_AUTH_USER'] will eventually become available through another mechanism (maybe in PHP5)?

I haven't had time to follow the design discussions in php-dev, so I haven't provided a patch to address the dangling code or inconsistencies with the docs, but merely documented (below) evidence of the inconsistencies (perhaps just the result of work-in-progress?).

Cheers,
Gavin

Reproduce code:
---------------
httpd-2.0.48$ grep -r HTTP_AUTHORIZATION .
returns nothing

php-4.3.4RC3$ grep -r HTTP_AUTHORIZATION .
./sapi/caudium/caudium.c:  php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c:          auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION",0 TSRMLS_CC);

php-4.3.4RC3$ grep -r php_handle_auth_data .
./main/main.c:/* {{{ php_handle_auth_data
./main/main.c:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC)
./main/php_main.h:PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC);
./netware/phplib.imp:php_handle_auth_data,
./sapi/apache2filter/sapi_apache2.c:            php_handle_auth_data(auth TSRMLS_CC);
./sapi/apache2handler/sapi_apache2.c:           php_handle_auth_data(auth TSRMLS_CC);
./sapi/caudium/caudium.c:  php_handle_auth_data(lookup_string_header("HTTP_AUTHORIZATION", NULL), TSRMLS_C);
./sapi/cgi/cgi_main.c:          php_handle_auth_data(auth TSRMLS_CC);
./sapi/thttpd/thttpd.c: php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);
./sapi/tux/php_tux.c:   php_handle_auth_data(TG(hc)->authorization TSRMLS_CC);



Expected result:
----------------
This PHP code below is never executed, since SG(request_info).auth_user has no value, because it is set from the HTTP_AUTHORIZATION environment variable, which is never set by either PHP or Apache code.  This prevents PHP_AUTH_USER from having a value.

php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC);

"grep -r PHP_AUTH_USER" the source tree will quickly turn up the relevant code.


 [2003-11-01 05:36 UTC] sniper@php.net
This only works fine with PHP as a DSO.
If Apache2 doesn't provide that env var, it's probably
a) a bug in Apache or b) a configuration issue

 [2003-11-03 19:10 UTC] gavin at vess dot com
Ok .. found it, and patched ap_add_common_vars() in Apache2 to provide an HTTP_AUTHORIZATION header to FastCGI scripts (minus the base64 encoded password for security reasons).

Apache source code refers to the authorization header using case-insensitive comparison with 'Authorization', and the 'HTTP_' prefix is prepended in http2env().

Further, this environment variable is, by default, deleted from Apache's "environment" in ap_add_common_vars() for CGIs (including FastCGI).

Reference: http://www.faqs.org/rfcs/rfc2617.html
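
Added example, not taken from the Apache or PHP source or from the reporter's patch: the behaviour described in the last comment, modelled in C. It shows the header-to-`HTTP_*` name mapping, the default withholding of `Authorization` from the CGI environment, and one way to hand a CGI only the user name from RFC 2617 Basic credentials. The function names are hypothetical and the sample credential is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Header name -> CGI variable name: "HTTP_" prefix, upper case, other chars to '_'. */
void header_to_env(const char *hdr, char *out, size_t n) {
    size_t i = 5;
    if (n < 6) { if (n) out[0] = '\0'; return; }
    memcpy(out, "HTTP_", 5);
    for (; *hdr && i + 1 < n; hdr++)
        out[i++] = isalnum((unsigned char)*hdr) ? (char)toupper((unsigned char)*hdr) : '_';
    out[i] = '\0';
}

/* Default described in the thread: the credential header is not exported to CGI. */
int withheld_from_cgi(const char *hdr) { return strcasecmp(hdr, "Authorization") == 0; }

static int b64val(int c) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Copy only the user name out of "Basic <base64(user:password)>"; the password
 * is never copied out. Returns 0 on success, -1 on malformed input. */
int basic_auth_user(const char *value, char *user, size_t n) {
    unsigned acc = 0; int bits = 0; size_t len = 0;
    if (n == 0 || strncasecmp(value, "Basic ", 6) != 0) return -1;
    for (value += 6; *value && *value != '='; value++) {
        int v = b64val((unsigned char)*value);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits < 8) continue;
        bits -= 8;
        char c = (char)((acc >> bits) & 0xFF);
        if (c == ':') { user[len] = '\0'; return 0; }   /* stop before the password */
        if (c == '\0' || len + 1 >= n) return -1;
        user[len++] = c;
    }
    return -1;   /* no ':' separator */
}

int main(void) {
    char name[64], user[64];
    header_to_env("Authorization", name, sizeof name);   /* constructed sample input */
    if (basic_auth_user("Basic YWxpY2U6czNjcmV0", user, sizeof user) == 0)
        printf("%s withheld=%d user=%s\n", name, withheld_from_cgi("authorization"), user);
    return 0;
}
```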
 