The keys PHP_AUTH_USER and PHP_AUTH_PW are not present in the superglobal $_SERVER, so http basic authentication needs to be handled a little differently.

This also affects functional tests which require http basic auth to authenticate.

Basically the workaround is two parts:

1. A rewrite rule to pack the username and password into an environment variable:

   RewriteEngine on RewriteRule .\* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

2. Extract the info from the environment variable:

   list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

See below for more details.

http://orangejuiceliberationfront.com/http-auth-with-php-in-cgi-mode-e-g-on-dreamhost/
http://www.besthostratings.com/articles/http-auth-php-cgi.html