http-authentication 4.0

I’ve updated the http-authentication plugin to again support mixed authentication setups.

This allows you to support users who do not exist in your external authentication system for whatever reason. You can give them a standard WordPress username and password.

Another advantage of the new code is that you’ll be able to more easily use the XML-RPC or Atom Publishing Protocol interfaces. If you don’t want to bother trying to get HTTP authentication working for these interfaces, just use a standard WordPress username and password for them.

Overall, I believe the authentication code is more robust and flexible than in previous versions. Please test the latest version and let me know if you have any issues!

Thanks to Scott Shambarger for providing an initial patch!

Update: I’ve released version 4.1, which has been tested against WordPress 3.2. There are no code changes between 4.0 and 4.1.

Update: I’ve released version 4.2, which makes the login and logout process more flexible and fixes a case where the plugin wasn’t being able to authenticate users (thanks to Josh Larios).

Update: I’ve released version 4.3, which simply updates the plugin URIs. There are no code changes in this release.

Update: I’ve released version 4.4, which contains a small CSS fix for WordPress 3.3.

Update: I’ve released version 4.5, which fixes various warnings.


Comment from Dan S. on

Thanks for publishing the update! Any insight as to compatibility with WordPress 3.2.x?

Also, you may want to update the WordPress repository listing, so that it has a link to this blog, as well as the entry from March 10, 2005, as that’s the first result that shows up in a Google search.

Comment from dwc on


As noted above I’ve released a new version that has been tested against WordPress 3.2. The timing of 4.0 was unfortunate, especially given there were no code changes necessary.

I’ve also added a new link in the WordPress plugin directory. Thanks!

Comment from Josh Larios on

Thanks for this! I was having an issue where the first time I authenticated, Shibboleth was sending me back to the page I was on without apparently logging me in. But if I clicked on the login link again, I was immediately logged in without having to re-enter my credentials. I figured out that if the Login URI were set to urlencode(wp_login_url($redirect_to)) instead of urlencode($redirect_to), the problem went away, so I wrote a patch which adds this behavior as an option:

I have no idea if anyone else is running into this, but if so, that worked for me.

Thanks again!

Comment from dwc on


That’s interesting. I haven’t run into that with my Shibboleth setup, and I’m using the same login URI.

What is the link on the login screen before this patch on your system? How about after?

Comment from Josh Larios on

Yeah, it’s weird. The shibboleth authentication is working, but WordPress isn’t setting its auth cookies except on the login page (which is why clicking the login link on the post the second time worked — it sent me to the wp-login page, which saw that shibboleth had already done its thing, set the wordpress auth cookies, and sent me back to the post). I’m a newbie to shibboleth, so it could be something I’m doing wrong there.

Before the patch, the link on the login page is:

After, it’s:

All the patch is doing is making sure that shibboleth sends me back to the login page with the right redirect_to argument, rather than sending me directly back to the redirect_to URL.

The cookie history looks like this, for me:

1. First request for individual post, no cookies at all.
2. Click “log in to reply”, go to wp-login.php, wordpress_test_cookie gets set.
3. Click on external login link with the “before” behavior, authenticate against UW’s IdP, get sent back to individual post page. Cookies are now wordpress_test_cookie and _shibsession_[hash].
4. Click “log in to reply” again, and go to wp-login.php, which sets wordpress_sec_[hash] and wordpress_logged_in_[hash] cookies and redirects me back to the individual post page.
5. Back on the individual post, I’m now logged in, and the cookies are wordpress_test_cookie, _shibsession_[hash] and wordpress_logged_in_[hash].

My patch just merges steps 3 and 4.

Comment from dwc on

Hey Josh,

Sorry for the delay. I’ve released a new version which wraps the URLs as you’ve described. I hope it solves your issue.

Comment from Dimas on

Hi Daniel.

I’m interest to use this plugin. Just i didn’t find the tutorial to use this plugin. Where i can found it? Thank’s

Comment from James on

Hi, is it possible to implement facebook connect and twittewr oauth with this? If so, how exactly?

Comment from dwc on


I have not tested any OAuth setups with this plugin. With the latest versions, there is an option to allow the plugin to use built-in WordPress authentication, so if the OAuth plugins simply hook into that same process they quite possibly will work.

If you test it, let me know the results!

Comment from Mxrgus Pxrt on

I managed to get plugin working with Kerberous. If domain users are used, then REMOTE_USER will include DOMAIN\username and username will be broken (in DB will be DOMAINusername, but auth is tried with DOMAIN\username)


function check_remote_user() {
$username = '';

foreach (array('REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
if (isset($_SERVER[$key])) {
$username = $_SERVER[$key];
if (preg_match('/\\\\([\w]+)/', $username, $matches)) $username = $matches[1];

Comment from brendan on

Hi Daniel,

I’m trying to set your awesome plugin up on my site (running on localhost, on snowleopard). I have 3.3.1 of WP and 4.4 of your plugin, but can’t seem to get it to work.

I have a test php page with the same .htaccess settings (even running inside the wordpress directory) and it is working, but when I hit the wp-login.php it just gives me “ERROR: No REMOTE_USER or REDIRECT_REMOTE_USER found” and never pops up the authentication box.

my .htaccess file in the root of my wp install is:

AuthName “WordPress”
AuthType Basic
AuthUserFile /etc/apache2/passwd/passwords
Require user siteadmin

I have a user in wordpress with a nickname ‘siteadmin’ and using that username works fine for with my test (non wp) page.

I have tried Authentication label set as WordPress and as the default HTTP authentication.

I have also tried echoing “apache_getenv(‘REMOTE_USER’)” in the if ! $username and it is coming back blank, but I don’t understand how to set it.

What I am hoping to achieve is login on a seperate php page in another app, but have that user authenticated to wp so that they don’t have to login again – will I be able to do that with this plugin?


Comment from dwc on


That’s odd. Do your Apache access logs show a username when you visit wp-login.php?

You could also try dumping all the environment variables from inside the plugin. For example:


Comment from William on

Hey, thanks for this plugin! I hope to use it to simplify wordpress login through shibboleth. I do, however, have a few questions about it.
I am using a multisite install of wordpress with domain (not path) setup, and each network site has the ‘HTTP Authentication’ page in the settings admin dashboard. Setting authenticator options globally would be preferred (Is this possible?), as I have (hopefully logically) decided to direct users log in to edit their sites using the root multisite url (ex/ rather than logging in at their individual sites (ex/,, etc.). I did this to reduce the need to provide login links in site themes or design with the admin-bar at the top of site pages. Because of this, the authenticator settings are the same across all network sites. Problems arise when I set the authenticator options at the root level, create a new network site, then change authenticator options at the root level; the changes are not applied to previously created network sites. While this is definitely preferred in other wordpress setups, for me it means I would have to update all previously created sites if ever I need to change the authenticator plugin options. Individual site admins also have access to these authenticator options for their site in the ‘settings’ menu, and they could really mess things up.
As a self reality check, because way I have decided to do logins and since I have shibboleth-protected (via .htaccess) the “wp-login.php” file and “wp-admin” directory, shouldn’t the HTTP Authenticator login uri option just point to the root wordpress login URI ( Essentially the stock wordpress login should trigger a redirect through our shibboleth authenticator by default, right?

Just making sure my assumptions about and implementation of this plugin are correct :). Sorry if things come off a bit rambling.


Comment from dwc on


I would very much like to add global or network settings support. From what I’ve seen WordPress does not provide a simple way to do this, and I was not able to finish adding support in this version.

Adding some sort of “allow site admins to edit settings” checkbox as a network setting would also be part of this feature.

Your .htaccess setup sounds right to me!

Comment from William on

Thanks for the reply, I appreciate the maintenance and development efforts you are putting in to this plugin.

Comment from bovine on

I’m getting the following error on PHP 5.4.3:

PHP Fatal error: Call-time pass-by-reference has been removed in /usr/local/www/wordpress/wp-content/plugins/http-authentication/http-authentication.php on line 22

If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file. However, future versions may not support this any longer.

Comment from Roger on

Many thanks for this plugin.
I stand to be corrected, however, whilst the documentation says to set up WordPress users with the Nickname the same as the external username, I found that I could only get the plugin to work if the Nickname and the WordPress Username were the same.
Also, whilst getting to the root of this issue, I noticed that the 4.4 version of the plugin uses a deprecated function: get_userdatabylogin at line 187 of http-authentication.php, which you might wish to correct when you next update the plugin. I haven’t checked for any other deprecated functions.

Comment from dwc on


Thanks for your comment! I believe the nickname/username confusion is due to outdated documentation. WordPress has probably changed the labels it uses since that section was written. I will update the reference.

Your second issue should be resolved in the current development version. Please give it try and let me know!

Comment from Mikael on

Very well done plugin, thanks!

One thingy for future: you no more need to include registration.php since it’s deprecated.

Comment from Mikael on

Forgot to mention also about get_userdatabylogin(). You should change it to be: get_user_by(‘login’, $username)…

Comment from dwc on

Thanks again, Mikael. This was reported in #1513.

Please check the development version if you get a chance and let me know whether or not you have any problems!

Comment from dwc on

Thanks, Mikael! I’ve updated trunk to remove this include.

Comment from Bryan Wilcox on

Thanks so much for writing this plugin. It’s so easy to use and integrate with my Shibboleth set up.

I did modify the authenticate function so that it would auto-update the wordpress user information with attributes from Shibboleth. I hope it’s useful to someone.

function authenticate($user, $username, $password) {
$user = $this->check_remote_user();

if (! is_wp_error($user)) {
// User was authenticated via REMOTE_USER
$user = new WP_User($user->ID);
// Added to allow auto-updating of attributes from Shibboleth
$user_data = array( 'ID' => $user->ID,
'first_name' => $_SERVER['givenName'],
'last_name' => $_SERVER['sn'],
'nickname' => $_SERVER['givenName'],
'display_name' => $_SERVER['displayName'],
'user_email' => $_SERVER['mail']);
// End added code

else {
// REMOTE_USER is invalid; now what?

if (! $this->allow_wp_auth()) {
// Bail with the WP_Error when not falling back to WordPress authentication

// Fallback to built-in hooks (see wp-includes/user.php)

return $user;

Comment from Roger on

I think this is broken as of WordPress 3.5.x Adding a user no longer works; it complains that no password was given.

Comment from Andrew on

Did you figure out how to get this to work in 3.5+? Adding users still doesn’t work as of 3.6.1

Comment from Bastian on

Great plugin! I have overwritten one pluggable WordPress function to make WP detect the user if he did not visit the login page. Here is my code. It is meant to be public domain. I would love to see you include it (right at the end of http-authentication.php):

if ( !function_exists('wp_get_current_user') ) :
function wp_get_current_user() {
global $current_user;
global $http_authentication_plugin;

$user = $http_authentication_plugin->check_remote_user();
if (! is_wp_error($user)) {
$user = wp_set_current_user($user->ID);


return $current_user;

Comment from Dave T on

Hello there,

Our Web Authentication System: WAA->WLS communication protocol makes use of a string variable which identifies the RSA key which is used to form a signature supplied with the response.

Recently, the code was rewritten centrally such that this variable restricts the variable to to be 1-8 digits, not beginning with a 0.

Unfortunately by implementing this, when authenticating via the plugin, a “host not available” error is returned after authentication is made. Any pointer?