HTTP Authentication error in PHP

PHP/MySQL | Updated 2026

If your PHP script uses HTTP authentication ($_SERVER['PHP_AUTH_USER']) and it is not working on your hosting account, the issue is almost certainly that Apache is not passing the authentication headers through to PHP. This is common on shared hosting where PHP runs as CGI or LSAPI rather than as an Apache module.

01. Why HTTP Auth Fails on Shared Hosting

When PHP runs as an Apache module (mod_php), it has direct access to the Authorization header that browsers send during HTTP authentication. The $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables are populated automatically.

On Ultra Web Hosting (and most modern shared hosting), PHP runs via LSAPI or CGI, not as an Apache module. In these configurations, Apache, for security reasons, strips the Authorization header before passing the request to PHP. The result: $_SERVER['PHP_AUTH_USER'] is empty and your authentication code never triggers.

02. Fix: Pass Auth Headers via .htaccess

Add these lines to the .htaccess file in the directory where your PHP script lives:

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

This tells Apache to capture the Authorization header and store it in an environment variable called HTTP_AUTHORIZATION, which PHP can then access.

If your site already has RewriteEngine enabled and other rewrite rules, just add the RewriteRule line after RewriteEngine On and before any other rules.

For more on .htaccess, see our Complete Guide to .htaccess.

03. Reading the Header in PHP

After adding the .htaccess rule, update your PHP code to read the header from the environment variable and decode it:

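<?php
// Check for the Authorization header in multiple possible locations
$auth = null;
if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
    $auth = $_SERVER['HTTP_AUTHORIZATION'];
} elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
    $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}

$user = $pass = null;
// The scheme name is case-insensitive, so match "Basic " with stripos
if ($auth && stripos($auth, 'Basic ') === 0) {
    // Strict mode returns false on invalid Base64 instead of a partial decode
    $decoded = base64_decode(substr($auth, 6), true);
    // Only split when the decoded value has the user:pass form
    if ($decoded !== false && strpos($decoded, ':') !== false) {
        list($user, $pass) = explode(':', $decoded, 2);
        // $user and $pass now contain the credentials
    }
}
?>

Tip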

The variable may appear as either HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION depending on how Apache processes the rewrite. Always check both. If you are using a framework like Laravel or Symfony, this fix is usually handled automatically by the framework's .htaccess rules.
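
A complete authentication gate built on the steps above, as an added example that is not part of the original article: it reads the credentials from whichever variable the PHP handler populated, verifies them, and sends the 401 challenge when they are missing or wrong. The AUTH_* constants and both function names are assumptions made for illustration, and the hash placeholder must be replaced with real password_hash() output.

```php
<?php
// Added example, not code from the original article.
// Assumption: one account whose hash was generated offline with
// password_hash(); the realm, username and hash below are placeholders.
const AUTH_REALM = 'Restricted';
const AUTH_USER  = 'admin';
const AUTH_HASH  = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Return [user, pass] from whichever variable the PHP handler filled in, or null.
function read_basic_credentials(array $server): ?array
{
    // mod_php populates these directly
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/LSAPI: header forwarded by the .htaccess RewriteRule
    $auth = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (stripos($auth, 'Basic ') !== 0) {
        return null; // header missing or not the Basic scheme
    }
    $decoded = base64_decode(substr($auth, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed Base64 or no user:pass separator
    }
    return explode(':', $decoded, 2);
}

// Compare the submitted pair against the stored account.
function credentials_valid(?array $creds): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    // Run both checks before combining them, so a wrong username
    // does not skip the password hash verification.
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_HASH);
    return $userOk && $passOk;
}

if (!credentials_valid(read_basic_credentials($_SERVER))) {
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required.');
}
// Authenticated: protected page content starts here.
```

Basic credentials are only Base64-encoded, not encrypted, so serve the protected script over HTTPS. With the placeholder hash left in place, password_verify() rejects every login.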

04. Alternative: Use .htpasswd for Directory Protection

If you just need to password-protect a directory or a set of pages (and do not need to handle authentication in PHP code), cPanel's built-in directory protection is simpler and works regardless of the PHP handler.

See How to Password Protect a Directory for the step-by-step guide. This approach uses Apache's native .htpasswd authentication, which works at the web server level before PHP is even invoked.

Quick Recap

  1. PHP_AUTH_USER is empty on shared hosting - PHP runs as LSAPI/CGI, not mod_php
  2. Add a RewriteRule to .htaccess to pass the Authorization header through
  3. Read from HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION in PHP
  4. Decode the Base64 value to extract username and password
  5. Consider .htpasswd instead if you just need simple directory protection

PHP development on shared hosting · Last updated March 2026