It is a debatable security flaw to pass authorization credentials by environment variables, and the Apache developers decided not to pass these. That said, this does not affect the HTTP headers REMOTE_USER and AUTH_TYPE. In my CGI and FCGI executables, I am able to access these with the C library function getenv(3) without doing anything special. I always use Digest authentication, and the HTTP Authorization header is indeed not passed.
The SetEnvIf directive, which you already found, does exactly this. It reads Apache’s private HTTP Authorization header IF it is present and SETs the ENVironment variable HTTP_AUTHORIZATION to the whole "(.*)" content of it. I consider this the correct way to get your hands on the authorization credentials in (F)CGIs.
Usually, we need the full HTTP Authorization header only for reimplementing the authentication scheme ourselves in the CGI. I did it for implementing algorithm="SHA512"; however, this was a completely useless effort, because even 5 years after the respective RFC was published, no browser that I am aware of supports this - see: https://tools.ietf.org/html/rfc7616.
Example of the Digest HTTP Authorization header - do you really need this?
Code:
Digest username="test",
realm="Test",
nonce="9a5x+e+gCPD=cb584e44c43ed6bd0bc2d9c7e242837d",
uri="/test/",
response="d1fc8eaf36937be0c3ba8cfe0a2c1bfe",
algorithm="MD5",
cnonce="9dba9637e8635a4d912075cd6ea55530",
nc=00000001,
qop="auth"
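
Added example, not part of the original post and not the poster's code: a sketch of what "reimplementing the authentication scheme in the CGI" involves once SetEnvIf has exposed the header as HTTP_AUTHORIZATION, parsing the Digest parameters and recomputing the qop="auth" response. It is written in Python rather than C so that hashlib can supply the hashes; the function names are hypothetical, the sample header is the worked example from RFC 2617, and nonce freshness, nc replay tracking and matching uri against the requested path are assumed to be handled elsewhere.

```python
import hashlib
import hmac
import os
import re

# Apache side, as described above:
#   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed sample: the worked example from RFC 2617, section 3.5
# (password "Circle Of Life", method GET). No algorithm given, so MD5.
RFC2617_EXAMPLE = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def parse_digest(header):
    """Return the Digest parameters as a dict, or None for other schemes."""
    scheme, _, rest = (header or "").strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): re.sub(r"\\(.)", r"\1", q) if q else bare
            for k, q, bare in _PARAM.findall(rest)}


def verify_digest(header, method, password):
    """Recompute the qop=auth response and compare it in constant time."""
    p = parse_digest(header)
    needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
    if p is None or p.get("qop") != "auth" or any(k not in p for k in needed):
        return False
    hash_fn = _HASHES.get(p.get("algorithm", "MD5").upper())
    if hash_fn is None:  # unknown algorithm: reject, never fall back to MD5
        return False
    h = lambda text: hash_fn(text.encode("utf-8")).hexdigest()
    ha1 = h(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = h(f'{method}:{p["uri"]}')
    expected = h(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    return hmac.compare_digest(expected.encode(), p["response"].lower().encode())


if __name__ == "__main__":
    header = os.environ.get("HTTP_AUTHORIZATION", RFC2617_EXAMPLE)
    method = os.environ.get("REQUEST_METHOD", "GET")
    print(verify_digest(header, method, "Circle Of Life"))
```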