Chapter 17. HTTP authentication with PHP

Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the variables $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE set to the user name, password and authentication type respectively. Only "Basic" authentication is supported at this point. In current PHP these values are read from $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] and $_SERVER['AUTH_TYPE']; the bare globals used throughout this chapter depended on the register_globals setting, which no longer exists. Note also that Basic authentication sends the password base64-encoded, not encrypted, with every request, so it should only be used over TLS.

An example script fragment which would force client authentication on a page would be the following:

Example 17-1.

 
<?php
// Example 17-1, restated with $_SERVER (the chapter's original read the
// register_globals variables $PHP_AUTH_USER and $PHP_AUTH_PW directly).
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: challenge the client. Both headers are needed; the
    // 401 status is what makes the browser prompt for a user name/password.
    header("WWW-Authenticate: Basic realm=\"My Realm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Text to send if user hits Cancel button\n";
    exit;
} else {
    // Demonstration only: echoing the password back is never appropriate in
    // a real script. User-supplied values are escaped before going into HTML.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES);
    $pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES);
    echo "<p>Hello $user.</p>";
    echo "<p>You entered $pw as your password.</p>";
}
?>





In order to guarantee maximum compatibility with all clients, the keyword "Basic" should be written with an uppercase "B", the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the "401" code in the "HTTP/1.0 401" header line.

Instead of simply printing out $PHP_AUTH_USER and $PHP_AUTH_PW, you would probably want to check the username and password for validity: compare the submitted password against a stored hash (password_verify() in current PHP) rather than against a plaintext value, send the 401 challenge again when the check fails, and never echo the password back to the client.

In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER variable ($_SERVER['REMOTE_USER'] in current PHP) can be used to identify the externally-authenticated user.

PHP uses the presence of an Apache AuthType directive to determine whether external authentication is in effect. Remember to avoid this directive for the context (directory, location or virtual host) where you want to use PHP authentication, otherwise each authentication attempt will fail.
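The two preceding points, checking the credentials properly and honouring an externally-authenticated user, as one added example. This is not code from the PHP manual; the realm name, the user table and the passwords are constructed for the example, and the hashes are generated at load time so that it runs stand-alone.

```php
<?php
// Added example (not from the PHP manual): decide who the caller is when a
// page may be protected either by the web server (external auth: REMOTE_USER
// set, PHP_AUTH_* deliberately absent) or by this script's own Basic
// challenge, and in the latter case verify the credentials against a hashed
// password store instead of merely printing them. Realm and user table are
// constructed for this example.

const REALM = 'Members Area';

// Constructed store: user name => password_hash() output. In a real
// deployment this comes from a database or config file; never store the
// plaintext password. A dummy hash is kept so unknown users cost the same
// time to reject as known users with a wrong password.
function credential_store(): array
{
    static $store = null;
    if ($store === null) {
        $store = [
            'users' => [
                'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
                'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),
            ],
            'dummy' => password_hash('dummy-password', PASSWORD_DEFAULT),
        ];
    }
    return $store;
}

// Send the challenge exactly as the chapter prescribes (capital "B" in
// Basic, realm in double quotes, one space before 401) and stop the script.
// The body is what the user sees after pressing Cancel.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authentication required\n";
    exit;
}

// Verify a user name/password pair against the hashed store. password_verify
// runs even for an unknown user so timing does not reveal which names exist.
function verify_credentials(string $user, string $password): bool
{
    $store = credential_store();
    $known = isset($store['users'][$user]);
    $hash  = $known ? $store['users'][$user] : $store['dummy'];
    $ok    = password_verify($password, $hash);
    return $ok && $known;
}

// Returns the authenticated user name; on failure challenge() ends the script.
function authenticated_user(): string
{
    // Case 1: the server already authenticated the request (an Apache
    // AuthType directive is in effect). PHP leaves PHP_AUTH_USER and
    // PHP_AUTH_PW unset here, so trust REMOTE_USER and do NOT send a 401,
    // which would only make the browser prompt again.
    if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] !== '') {
        return $_SERVER['REMOTE_USER'];
    }

    // Case 2: the script performs its own Basic authentication.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pw   = $_SERVER['PHP_AUTH_PW']   ?? null;
    if ($user === null || $pw === null || !verify_credentials($user, $pw)) {
        challenge();   // missing or wrong credentials: prompt again
    }
    return $user;
}

$who = authenticated_user();
// Escape before output: the user name is attacker-controlled input.
echo '<p>Hello ' . htmlspecialchars($who, ENT_QUOTES) . '.</p>';
```

Resending the 401 on a wrong password is what makes the browser discard its cached credentials for the realm and prompt again; returning 200 with an error message would leave the bad pair cached. The password itself is used only as an argument to password_verify() and never reaches the output.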

Example 17-2.

 
<?php
// Example 17-2, restated with $_SERVER / $_POST (the chapter's original used
// the register_globals variables $PHP_AUTH_USER, $SeenBefore, $OldAuth and
// $PHP_SELF). It forces a fresh login by re-sending the 401 challenge when
// the browser re-submits the same cached user name.
function authenticate()
{
    header("WWW-Authenticate: Basic realm=\"Test Authentication System\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

$user       = $_SERVER['PHP_AUTH_USER'] ?? null;
$seenBefore = $_POST['SeenBefore'] ?? null;
$oldAuth    = $_POST['OldAuth'] ?? '';

// Challenge when no credentials arrived, or when the user pressed
// "Re Authenticate" and the browser re-sent the previous user name.
if ($user === null || ($seenBefore == 1 && !strcmp($oldAuth, $user))) {
    authenticate();
} else {
    // Escape everything that came from the client before placing it in HTML.
    $safeUser = htmlspecialchars($user, ENT_QUOTES);
    $safeOld  = htmlspecialchars($oldAuth, ENT_QUOTES);
    $self     = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    echo "<p>Welcome: $safeUser<br>";
    echo "Old: $safeOld";
    echo "<form action='$self' METHOD='POST'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1'>\n";
    echo "<input type='hidden' name='OldAuth' value='$safeUser'>\n";
    echo "<input type='submit' value='Re Authenticate'>\n";
    echo "</form></p>\n";
}
?>



If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header. Safe mode was removed in PHP 5.4, so this only affects older installations.