Once
the
user
has
filled
in
a
username
and
a
password
,
the
URL
containing
the
PHP
script
will
be
called
again
with
the
variables
,
$PHP_AUTH_USER
,
$PHP_AUTH_PW
and
$PHP_AUTH_TYPE
set
to
the
user
name
,
password
and
authentication
type
respectively
.
Only
"
Basic
"
authentication
is
supported
at
this
point
.
An
example
script
fragment
which
would
force
client
authentication
on
a
page
would
be
the
following
:
דוגמה
17-1
.
?php
if
(
!isset($PHP_AUTH_USER)
)
{
header(
"WWW-Authenticate
:
Basic
realm=\"
My
Realm\"")
;
header("HTTP
/
1.0 401
Unauthorized")
;
echo
"Text
to
send
if
user
hits
Cancel
button\n"
;
exit
;
}
else
{
echo
"
p
Hello
$PHP_AUTH_USER
.
/
p
"
;
echo
"
p
You
entered
$PHP_AUTH_PW
as
your
password
.
/
p
"
;
}
?
|
|
In
order
to
guarantee
maximum
compatibility
with
all
clients
,
the
keyword
"
Basic
"
should
be
written
with
an
uppercase
"B"
,
the
realm
string
must
be
enclosed
in
double
(not
single
)
quotes
,
and
exactly
one
space
should
precede
the
"401
"
code
in
the
"HTTP
/
1.0 401
"
header
line
.
Instead
of
simply
printing
out
the
$PHP_AUTH_USER
and
$PHP_AUTH_PW
,
you
would
probably
want
to
check
the
username
and
password
for
validity
.
In
order
to
prevent
someone
from
writing
a
script
which
reveals
the
password
for
a
page
that
was
authenticated
through
a
traditional
external
mechanism
,
the
PHP_AUTH
variables
will
not
be
set
if
external
authentication
is
enabled
for
that
particular
page
.
In
this
case
,
the
$REMOTE_USER
variable
can
be
used
to
identify
the
externally-authenticated
user
.
Remember
to
avoid
this
directive
for
the
context
where
you
want
to
use
PHP
authentication
(
otherwise
each
authentication
attempt
will
fail
)
.
דוגמה
17-2
.
?php
function
authenticate(
)
{
header
(
"WWW-Authenticate
:
Basic
realm=\"
Test
Authentication
System\"")
;
header
(
"HTTP
/
1.0 401
Unauthorized")
;
echo
"You
must
enter
a
valid
login
ID
and
password
to
access
this
resource\n"
;
exit
;
}
if
(!isset($PHP_AUTH_USER
)
|
|
($SeenBefore
==
1
!strcmp($OldAuth
,
$PHP_AUTH_USER))
)
{
authenticate()
;
}
else
{
echo
"
p
Welcome
:
$PHP_AUTH_USER
br
"
;
echo
"Old
:
$OldAuth"
;
echo
"
form
action='$PHP_SELF
'
METHOD='POST
'
\n"
;
echo
"
input
type='hidden
'
name='SeenBefore
'
value='1
'
\n"
;
echo
"
input
type='hidden
'
name='OldAuth
'
value='$PHP_AUTH_USER
'
\n"
;
echo
"
input
type='submit
'
value='Re
Authenticate
'
\n"
;
echo
"
/
form
/
p
\n"
;
}
?
|
|
If
safe
mode
is
enabled
the
uid
of
the
script
is
added
to
the
realm
part
of
the
WWW-Authenticate
header
.