This article introduces form-based password verification and HTTP authentication in PHP, and explains the principles and precautions of both with worked examples. It should be of some reference value to those who need it.
This document describes how PHP uses form-based password verification and HTTP authentication. It is shared here for your reference. The details are as follows:
The HTTP authentication mechanism of PHP is only available when PHP runs as an Apache module, so it does not apply to the CGI version. In a PHP script running as an Apache module, the header() function can be used to send an "Authentication Required" message to the client browser, which brings up a username/password input window. Once the user has entered a username and password, the URL containing the PHP script is called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW and AUTH_TYPE set to the username, the password and the authentication type respectively. These predefined variables are found in the $_SERVER or $HTTP_SERVER_VARS array. Both "Basic" and (since PHP 5.1.0) "Digest" authentication are supported. See the documentation of the header() function for details.
Version note: the autoglobal arrays, including $_SERVER, are available as of PHP 4.1.0; $HTTP_SERVER_VARS has been available since PHP 3.
The following is an example of a script that forces client authentication on the page.
Example 34-1. Basic HTTP Authentication
The Code is as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "Hello {$_SERVER['PHP_AUTH_USER']}.\n";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.\n";
}
?>
Example 34-2. Digest HTTP Authentication
This example shows how to implement a simple Digest HTTP authentication script. For more information, see RFC 2617.
The Code is as follows:
<?php
$realm = 'Restricted area';

// user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm .
           '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    die('Text to send if user hits Cancel button');
}

// Analyze the PHP_AUTH_DIGEST variable. The named groups are the keys used below;
// note that this pattern assumes the client sends the fields in exactly this order.
if (!preg_match('/username="(?P<username>.*)",\s*realm="(?P<realm>.*)",\s*nonce="(?P<nonce>.*)",\s*uri="(?P<uri>.*)",\s*response="(?P<response>.*)",\s*opaque="(?P<opaque>.*)",\s*qop=(?P<qop>.*),\s*nc=(?P<nc>.*),\s*cnonce="(?P<cnonce>.*)"/', $_SERVER['PHP_AUTH_DIGEST'], $digest)
    || !isset($users[$digest['username']])) {
    die('Username not valid!');
}

// Generate the valid response
$A1 = md5($digest['username'] . ':' . $realm . ':' . $users[$digest['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $digest['uri']);
$valid_response = md5($A1 . ':' . $digest['nonce'] . ':' . $digest['nc'] . ':' . $digest['cnonce'] . ':' . $digest['qop'] . ':' . $A2);

// Compare as strings in constant time; a loose != on hex digests is unreliable in PHP.
if (!hash_equals($valid_response, $digest['response'])) {
    die('Wrong Credentials!');
}

// OK, valid username & password
echo 'You are logged in as: ' . $digest['username'];
?>
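The script above does not check that the realm and uri in the header match the request, that qop is "auth", or that the nonce is one this server issued, so a captured Authorization header could be replayed. The following added example (not the article's code) parses the header in any field order and adds those checks; $issuedNonces is a constructed stand-in for a server-side nonce store keyed by nonce with an expiry time.

```php
<?php
// Added example, not the article's code. $issuedNonces stands in for a session or
// cache store of nonces this server handed out, each mapped to its expiry time.

function parse_digest(string $header): ?array
{
    $fields = [];
    // auth-param is key="quoted value" or key=token, comma separated (RFC 2617).
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    foreach ($m as $p) {
        $fields[$p[1]] = (isset($p[3]) && $p[3] !== '') ? $p[3] : $p[2];
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $k) {
        if (!isset($fields[$k])) {
            return null;        // incomplete header: treat as no credentials at all
        }
    }
    return $fields;
}

function verify_digest(array $d, string $method, string $uri, string $realm,
                       array $users, array $issuedNonces): bool
{
    if ($d['realm'] !== $realm || $d['uri'] !== $uri || $d['qop'] !== 'auth') {
        return false;           // header was built for a different realm/request
    }
    if (!isset($issuedNonces[$d['nonce']]) || $issuedNonces[$d['nonce']] < time()) {
        return false;           // unknown or expired nonce: stops replay of old headers
    }
    if (!isset($users[$d['username']])) {
        return false;
    }
    $a1 = md5($d['username'] . ':' . $realm . ':' . $users[$d['username']]);
    $a2 = md5($method . ':' . $d['uri']);
    $expected = md5("$a1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$a2");
    // hash_equals avoids both loose "==" comparison and timing differences.
    return hash_equals($expected, strtolower($d['response']));
}

// Constructed exchange (no real HTTP request): the server issued $nonce, and a
// client answers for GET /secret.php as user admin with password mypass.
$realm = 'Restricted area';
$users = ['admin' => 'mypass'];
$nonce = bin2hex(random_bytes(16));
$issuedNonces = [$nonce => time() + 300];
$resp = md5(md5("admin:$realm:mypass") . ":$nonce:00000001:abc123:auth:" . md5('GET:/secret.php'));
$hdr = "Digest username=\"admin\", realm=\"$realm\", nonce=\"$nonce\", uri=\"/secret.php\","
     . " qop=auth, nc=00000001, cnonce=\"abc123\", response=\"$resp\"";
$d = parse_digest($hdr);
var_dump(verify_digest($d, 'GET', '/secret.php', $realm, $users, $issuedNonces)); // genuine exchange
var_dump(verify_digest($d, 'GET', '/secret.php', $realm, $users, []));            // nonce never issued
```

In a real deployment the nonce store must be shared across requests (for example in the session) and entries removed once used or expired.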
Compatibility note: be extremely careful when writing the HTTP header lines. To guarantee compatibility with all clients, the keyword "Basic" must be written with a capital "B", the realm string must be enclosed in double quotes (not single quotes), and in the header line HTTP/1.0 401 there must be exactly one space before 401.
In the example above, the values of PHP_AUTH_USER and PHP_AUTH_PW are simply printed. In real use you would check the validity of the username and password, for example by querying a database or retrieving them from a dbm file.
Note that some versions of Internet Explorer have problems here; IE seems picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to solve this problem.
As of PHP 4.3.0, to prevent someone from writing a script that reveals the password for a page protected by a traditional external authentication mechanism, the PHP_AUTH variables are not set when external authentication is in effect for that page and safe mode is enabled. Regardless of this, REMOTE_USER can be used to identify the externally authenticated user, so the $_SERVER['REMOTE_USER'] variable remains usable.
Configuration note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
Note, however, that this does not prevent an unauthenticated URL from stealing passwords from authenticated URLs on the same server.
Both Netscape Navigator and Internet Explorer clear the local browser window's authentication cache for the realm when they receive a 401 response from the server. This effectively logs the user out and forces them to re-enter their username and password. Some people use this to "expire" logins after a period of time, or as a "logout" button.
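As an added example (not the article's code), here is a Basic authentication script that checks the submitted credentials against a stored password hash instead of echoing the password back; the realm, the user table and the hash are constructed for this demo, and the demo pair tnc/nature is the one the article uses later.

```php
<?php
// Added example, not the article's code. In practice the hash would be loaded from a
// database or dbm file; here it is generated at runtime for the demo user tnc.
$realm = 'Members Area';
$users = ['tnc' => password_hash('nature', PASSWORD_DEFAULT)];

// Verifying against a dummy hash for unknown users keeps the response time similar
// whether or not the username exists.
$dummy_hash = password_hash('dummy', PASSWORD_DEFAULT);

function check_basic_credentials(array $users, ?string $user, ?string $pass, string $dummy_hash): bool
{
    if ($user === null || $pass === null) {
        return false;           // browser sent no credentials yet
    }
    $stored = $users[$user] ?? $dummy_hash;
    $ok = password_verify($pass, $stored);
    return $ok && isset($users[$user]);
}

function require_basic_auth(string $realm): void
{
    // Spelling and quoting follow the compatibility note: capital "B", realm in
    // double quotes, exactly one space before 401.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authentication required\n";
    exit;
}

if (!check_basic_credentials($users, $_SERVER['PHP_AUTH_USER'] ?? null,
                             $_SERVER['PHP_AUTH_PW'] ?? null, $dummy_hash)) {
    require_basic_auth($realm);
}

// Never print PHP_AUTH_PW; escape the username before sending it to the browser.
echo 'Hello ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') . "\n";
```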
Example 34-3. Example of HTTP authentication that forces the user name and password to be re-entered
The Code is as follows:
<?php
function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER']) ||
    ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    echo "Welcome: {$_SERVER['PHP_AUTH_USER']}\n";
    echo "Old: {$_REQUEST['OldAuth']}\n";
    // The form posts SeenBefore and OldAuth back to this script, which then
    // answers with 401 to force the browser to ask for credentials again.
    echo "<form action=\"\" method=\"post\">\n";
    echo "<input type=\"hidden\" name=\"SeenBefore\" value=\"1\" />\n";
    echo "<input type=\"hidden\" name=\"OldAuth\" value=\"{$_SERVER['PHP_AUTH_USER']}\" />\n";
    echo "<input type=\"submit\" value=\"Re Authenticate\" />\n";
    echo "</form>\n";
}
?>
This behavior is not required by the HTTP Basic authentication standard, so you cannot rely on it. Tests with the Lynx browser show that Lynx does not clear its credentials when it receives a 401 response from the server, so as long as the credential requirements remain unchanged, a user who clicks the "back" button and then the "forward" button can still open the original resource; users can press the _ key to clear their authentication information.
In the following example, the variables $PHP_AUTH_USER and $PHP_AUTH_PW are used to verify whether the visitor is valid and to allow access. In this example, the only username/password pair allowed to log in is tnc and nature:
The Code is as follows: