I have windows authentication activated on two separate servers at different IP addresses through apache httpd.conf and SSPI MOD AUTH. I'm trying to put an API on one server, and have a website on a second serer access the API.
If I go to a website on either server, the windows authentication works correctly, and I see a username with $_SERVER["PHP_AUTH_USER"]. But when I use a fetch request to request data from the API, the username is not available.
The fetch request looks like this: fetch(url, {credentials:'include'}). Why do I have to do to get the username to show up?
This is what I am using for my headers:
function cors() {
// Allow from any origin
if (isset($_SERVER['HTTP_ORIGIN'])) {
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400'); // cache for 1 day
}
// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
// may also be using PUT, PATCH, HEAD etc
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
exit(0);
}
}
cors();
