HTTP Authentications using PHP
The HTTP
Authentication hooks in PHP
are only available when it is running as an Apache module and is hence not available in the CGI version. In an Apache module PHP
script, it is possible to use the Header() function to send an “Authentication Required” message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the variables, $PHP_AUTH_USER
, $PHP_AUTH_PW
and $PHP_AUTH_TYPE
set to the user name, password and authentication type respectively.
EXAMPLE SCRIPT:
1 2 3 4 5 6 7 8 9 10 11 12 | if(!isset($PHP_AUTH_USER)) { Header("WWW-Authenticate: Basic realm=\"My Realm\""); Header("HTTP/1.0 401 Unauthorized"); echo "Text to send if user hits Cancel button\n"; exit; } else { echo "Hello $PHP_AUTH_USER. "; echo "You entered $PHP_AUTH_PW as your password. "; } ?> |
Instead of simply printing out the $PHP_AUTH_USER
and $PHP_AUTH_PW
, you would probably want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file.
Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.
In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH
variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER
variable can be used to identify the externally-authenticated user.
Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.
Both Netscape and Internet Explorer will clear the local browser window’s authentication cache for the realm upon receiving a server response of 401. This can effectively “log out” a user, forcing them to re-enter their username and password. Some people use this to “time out” logins or provide a “log-out” button.
Example: HTTP Authentication example forcing a new name/password
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | function authenticate() { Header( "WWW-authenticate: basic realm=\"Test Authentication System\""); Header( "HTTP/1.0 401 Unauthorized"); echo "You must enter a valid login ID and password to access this resource\n"; exit; } if(!isset($PHP_AUTH_USER) || ($SeenBefore == 1 && !strcmp($OldAuth, $PHP_AUTH_USER)) ) { authenticate(); } else { echo "Welcome: $PHP_AUTH_USER "; echo "Old: $OldAuth"; echo "<form action=\"$php_self\" method=post>\n"; echo "<input type=hidden name=\"seenbefore\" value=\"1\">\n"; echo "<input type=hidden name=\"oldauth\" value=\"$php_auth_user\">\n"; echo "<input type=submit value=\"re authenticate\">\n"; echo "\n"; } ?> |
This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Linux has shown that Linux does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource (as long as the credential requirements haven’t changed).
Also, note that this does not work using Microsoft’s IIS server and the CGI version of PHP due to a limitation of IIS.