A friend asked me for some help the other day. At the place he works at they use IIS on their production servers, but each developer works locally using Apache. Why use different webservers for production and development? He said they do it because its easier to develop locally with Apache. My guess is its easier because you can run multiple sites at once with Apache. With IIS on a desktop machine you can only run one site at a time. I do the exact same thing at my job, actually.

Anyway, once in a while this causes issues. In this case, there was code on the server that required a username and password in order to access the page. The security was done at the web server level, aka “HTTP authentication”, which causes your browser to prompt you for a username and password. These credentials then get sent along in the request headers (its actually a little more complicated than that but I won’t get into that here). After authenticating, the username is available to ColdFusion as a CGI variable – CGI.REMOTE_USER.

When using IIS, that value is also available as CGI.AUTH_USER. In all CGI variable specs I could find, they all reference REMOTE_USER, not AUTH_USER, I’m not sure when AUTH_USER started to be used. Anyway, this ColdFusion code running on the IIS server would look to the CGI.AUTH_USER variable and display some things differently depending on who the user was.

This posed a problem when trying to run this code locally under apache. The CGI.AUTH_USER variable did exist, but it was always blank. One could change the code to use the more multi-platform friendly “REMOTE_USER”, but sometimes there are hurdles to changing existing code.

But there is a way to mimic the behavior of IIS, by copying the REMOTE_USER value into AUTH_USER. Its only three simple lines but it took me quite a while to figure this out.

RewriteEngine on
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=AUTH_USER:%1]

You’ll need to have mod_rewrite enabled of course. Usually all you need to do is uncomment a line that looks like this in httpd.conf:

LoadModule rewrite_module modules/mod_rewrite.so

The three magic lines can go into the httpd.conf file, or you could place them in a .htaccess file in the directory you’re working in.


  1. Jake says:

    Very nice, Ryan.  This worked like a charm

  2. John Sieber says:

    Great tip! I did not realize that IIS and Apache use different cgi variables for authenticated user name storage. I'm sure I will run into this one of these days.