10 tips for PHP scripts: Mimic HTTP authentication with PHP
Takeaway: Create a basic authentication scheme in PHP. Find out how.
By Julie Meloni (2/6/01)
If you are looking to password-protect on a per-script basis, you can use a combination of header() statements and the $PHP_AUTH_USER and $PHP_AUTH_PW global variables to create a basic authentication scheme. The usual server-based challenge/response sequence goes something like this:
1. The user requests a file from a Web server. If the file is within a protected area, the server responds by sending out a 401 (Unauthorized User) string in the header of the response.
2. The browser sees that response and pops up the Username/Password dialog box.
3. The user enters a username and password in the dialog box, then clicks OK to send the information back to the server for authentication.
4. If the username and password pair is valid, the protected file will be displayed to the user, and the validation will be carried through for as long as the now-authenticated user is within the protected area.
A simple PHP script can mimic the HTTP authentication challenge/response system by sending the appropriate HTTP headers that cause the automatic display of the username/password dialog box. PHP stores the information entered in the dialog box in $PHP_AUTH_USER and $PHP_AUTH_PW. Using these variables, you can validate input against a username/password list kept in a text file, database, or whatever your pleasure might be.
Note: The $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE global variables are available only when PHP is installed as a module. If you're using the CGI version of PHP, you're limited to .htaccess-based authentication or database-driven authentication using HTML forms to input the username and password, and PHP to validate matches.
This example shows the validation occurring against two hard-coded values, but the theory is exactly the same no matter where your usernames and passwords are stored.
<?php
/* register_globals no longer exists in current PHP, so copy the values
   from $_SERVER into the variable names used in this article */
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
if ((!isset($PHP_AUTH_USER)) || (!isset($PHP_AUTH_PW))) {
    /* No values: send headers causing dialog box to appear */
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else if ((isset($PHP_AUTH_USER)) && (isset($PHP_AUTH_PW))) {
    /* Both variables are set, so check to see if they're correct */
    if (($PHP_AUTH_USER !== "validname") || ($PHP_AUTH_PW !== "goodpassword")) {
        /* If either the username entered is incorrect, or the password entered is incorrect, send the headers causing dialog box to appear */
        header('WWW-Authenticate: Basic realm="My Private Stuff"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    } else if (($PHP_AUTH_USER === "validname") && ($PHP_AUTH_PW === "goodpassword")) {
        /* If both values are correct, print success message */
        echo "<P>You're authorized!</p>";
    }
}
?>
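The same check against a stored username/password list instead of hard-coded plaintext values, as an added example that is not code from the original article. The $users array, the authenticate() and challenge() helpers and the sample credentials are assumptions made here, and the values are read from $_SERVER because current PHP no longer registers $PHP_AUTH_USER and $PHP_AUTH_PW as globals.

```php
<?php
// Added example. Constructed user list: username => password_hash() output.
// In a deployment these hashes would be loaded from a file or database.
$users = [
    'validname' => password_hash('goodpassword', PASSWORD_DEFAULT), // constructed sample
];

// Return the authenticated username, or null when the credentials are
// missing or wrong. $server is normally $_SERVER.
function authenticate(array $server, array $users): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null;
    }
    // Unknown usernames are verified against a dummy hash so the response
    // time does not reveal which names exist in the list.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return ($known && $ok) ? $user : null;
}

// Send the headers that make the browser show its login dialog, then stop.
function challenge(string $realm): void
{
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo 'Authorization Required.';
    exit;
}

if (PHP_SAPI === 'cli') {
    // Offline run with constructed requests: valid, wrong password, no credentials.
    var_dump(authenticate(['PHP_AUTH_USER' => 'validname', 'PHP_AUTH_PW' => 'goodpassword'], $users));
    var_dump(authenticate(['PHP_AUTH_USER' => 'validname', 'PHP_AUTH_PW' => 'wrong'], $users));
    var_dump(authenticate([], $users));
} else {
    $who = authenticate($_SERVER, $users);
    if ($who === null) {
        challenge('My Private Stuff');
    }
    echo "<p>You're authorized, " . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . '!</p>';
}
```

Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so a script like this belongs behind HTTPS.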
Remember, when you're using file-based protection, it's not blanket security on everything in the directory. That may be obvious to most of you, but if your brain makes a connection between the pop-up box and protecting everything in the given directory, you'll have to tweak your thought process a little bit.
Julie Meloni is the technical director at i2i Interactive and is an avowed proponent of Linux and the open source community. A regular contributor to CNET Builder.com, she has written a few books on PHP and other technologies.


