8.9. Using HTTP Basic Authentication
Problem
You want to use PHP to protect parts of your web site with passwords. Instead of storing the passwords in an external file and letting the web server handle the authentication, you want the password verification logic to be in a PHP program.
Solution
The $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] global variables contain the username and password supplied by the user, if any. To deny access to a page, send a WWW-Authenticate header identifying the authentication realm as part of a response with status code 401:
    header('WWW-Authenticate: Basic realm="My Website"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You need to enter a valid username and password.";
    exit;
Discussion
When a browser sees a 401 header, it pops up a dialog box for a username and password. Those authentication credentials (the username and password), if accepted by the server, are associated with the realm in the WWW-Authenticate header. Code that checks authentication credentials needs to be executed before any output is sent to the browser, since it might send headers. For example, you can use a function such as pc_validate( ), shown in Example 8-2.
Example 8-2. pc_validate( )
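    function pc_validate($user,$pass) {
        /* replace with appropriate username and password checking,
           such as checking a database */
        $users = array('david' => 'fadj&32',
                       'adam'  => '8HEj838');

        /* hash_equals() compares the strings byte for byte in constant time;
           a loose == can treat two different numeric-looking strings as equal */
        if (isset($users[$user]) && hash_equals($users[$user], (string) $pass)) {
            return true;
        } else {
            return false;
        }
    }
    ...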
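The following is an added example, not code from the book: a complete Basic authentication gate that keeps the check ahead of any output, as the discussion requires, and stores password_hash() output instead of the plaintext passwords used in pc_validate( ). The names demo_user_store, demo_validate and demo_require_auth and the sample passwords are constructed for illustration.

```php
<?php
// Added example; all demo_* names and the sample passwords are hypothetical.

// Constructed sample store: username => password_hash() output. The hashes are
// generated inline only to keep the example self-contained; a real store holds
// precomputed hashes and never sees the plaintext.
function demo_user_store() {
    static $store = null;
    if ($store === null) {
        $store = array(
            'david' => password_hash('constructed-pass-1', PASSWORD_DEFAULT),
            'adam'  => password_hash('constructed-pass-2', PASSWORD_DEFAULT),
        );
    }
    return $store;
}

function demo_validate($user, $pass) {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused-placeholder', PASSWORD_DEFAULT);
    }
    $store = demo_user_store();
    $known = is_string($user) && isset($store[$user]);
    // Unknown users are checked against a dummy hash so that both paths
    // perform one hash verification and take similar time.
    $ok = password_verify((string) $pass, $known ? $store[$user] : $dummy);
    return $known && $ok;
}

// Returns the authenticated username, or sends the 401 challenge and stops.
// Call this before the script produces any output, since it may send headers.
function demo_require_auth($realm) {
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
    if ($user !== null && $pass !== null && demo_validate($user, $pass)) {
        return $user;
    }
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo "You need to enter a valid username and password.";
    exit;
}

$user = demo_require_auth('My Website');
// The username is client-supplied, so escape it before echoing it into HTML.
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Basic authentication sends the username and password base64-encoded, not encrypted, with every request to the realm, so a page protected this way should be served over HTTPS.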