This article mainly introduces the usage of php form-based password verification and HTTP authentication, and analyzes in detail the principles and precautions of form-based password verification and HTTP authentication in the form of instances, it has some reference value. if you need it, you can refer to the example in this article to describe how php uses form-based password verification and HTTP verification. Share it with you for your reference. The specific analysis is as follows:
The HTTP authentication mechanism of PHP is only valid when PHP runs in the Apache module mode. Therefore, this function is not applicable to CGI versions. In the PHP script of the Apache module, you can use the header () function to send the "Authentication Required" message to the client browser to bring up a user name/password input window. After the user enters the user name and password, the pre-defined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE will be added to the PHP script containing the URL. these three variables are set as user names respectively, password and authentication type. The predefined variables are stored in the $ _ SERVER or $ HTTP_SERVER_VARS array. Supports "Basic" and "Digest" (from PHP 5.1.0) authentication methods. If you are interested, you can refer to the header () function information.
PHP version: global variables of Autoglobals, including $ _ SERVER, are valid for PHP 4.1.0 and $ HTTP_SERVER_VARS is valid for PHP 3.
The following is an example of a script that forces client authentication on the page.
Example 34-1. Basic HTTP authentication
The code is as follows:
<? Php
If (! Isset ($ _ SERVER ['php _ AUTH_USER ']) {
Header ('www-Authenticate: Basic realm = "My Realm "');
Header ('http/1.0 401 unauthorized ');
Echo 'text to send if user hits Cancel button ';
Exit;
} Else {
Echo"
Hello {$ _ SERVER ['php _ AUTH_USER ']}.
";
Echo"
You entered {$ _ SERVER ['php _ AUTH_PW ']} as your password.
";
}
?>
Example 34-2. Digest HTTP authentication example
This example shows how to implement a simple Digest HTTP authentication script. For more information, see RFC 2617.
The code is as follows:
<? Php
$ Realm = 'restricted region ';
// User => password
$ Users = array ('admin' => 'mypass', 'guest '=> 'guest ');
If (! Isset ($ _ SERVER ['php _ AUTH_DIGEST ']) {
Header ('http/1.1 401 unauthorized ');
Header ('www-Authenticate: Digest realm = "'. $ realm.
'"Qop =" auth "nonce ="'. uniqid (). '"opaque ="'. md5 ($ realm ).'"');
Die ('text to send if user hits Cancel button ');
}
// Analize the PHP_AUTH_DIGEST variable
Preg_match ('/username = "(? P . *) ", S * realm = "(? P . *) ", S * nonce = "(? P . *) ", S * uri = "(? P . *) ", S * response = "(? P . *) ", S * opaque = "(? P . *) ", S * qop = (? P . *), S * nc = (? P . *), S * cnonce = "(? P . *) "/', $ _ SERVER ['php _ AUTH_DIGEST'], $ digest );
If (! Isset ($ users [$ digest ['username'])
Die ('username not valid! ');
// Generate the valid response
$ A1 = md5 ($ digest ['username']. ':'. $ realm. ':'. $ users [$ digest ['username']);
$ A2 = md5 ($ _ SERVER ['request _ method']. ':'. $ digest ['uri ']);
$ Valid_response = md5 ($ A1. ':'. $ digest ['nonce ']. ':'. $ digest ['NC ']. ':'. $ digest ['cnonce ']. ':'. $ digest ['qop ']. ':'. $ A2 );
If ($ digest ['response']! = $ Valid_response)
Die ('wrong Credentials! ');
// OK, valid username & password
Echo 'Your are logged in as: '. $ digest ['username'];
?>
Compatibility:Exercise caution when writing HTTP header code. to ensure compatibility with all clients, the first letter of the keyword "Basic" must be capitalized as "B ", the demarcation string must be referenced in double quotation marks (not single quotes). in the header line HTTP/1.0 401, there must be only one space before 401.
In the above example, only the values of PHP_AUTH_USER and PHP_AUTH_PW are printed. However, in actual use, you may need to check the validity of the user name and password, or query the database tutorial, it may be retrieved from the dbm file.
Note that some Internet Explorer browsers have problems. It seems a bit picky about the order of headers. It seems that sending the WWW-Authenticate header before sending HTTP/1.0 401 seems to solve this problem.
Since PHP 4.3.0, in order to prevent users from getting passwords from pages authenticated by the traditional external mechanism by writing scripts, when the external authentication is effective for a specific page and the security mode is enabled, the PHP_AUTH variable will not be set, but in any case, REMOTE_USER can be used to identify external authenticated users. Therefore, you can use the $ _ SERVER ['remote _ user'] variable.
Configuration instructions:PHP uses the AuthType command to determine whether the external authentication mechanism is effective.
Note: This still prevents unauthorized URLs from stealing passwords from authenticated URLs on the same server.
Both Netscape Navigator and Internet Explorer clear the Windows Authentication cache of all local browsers in the entire domain when they receive messages from the 401 server. this effectively cancels a user, and force them to re-enter their usernames and passwords. some people use this method to "expire" the logon status or respond as a "logout" button.
Example 34-3. example of HTTP authentication that forces the user name and password to be re-entered
The code is as follows:
<? Php
Function authenticate (){
Header ('www-Authenticate: Basic realm = "Test Authentication System "');
Header ('http/1.0 401 unauthorized ');
Echo "You must enter a valid login ID and password to access this resourcen ";
Exit;
}
If (! Isset ($ _ SERVER ['php _ AUTH_USER ']) |
($ _ POST ['seenbefore'] = 1 & $ _ POST ['oldauth '] = $ _ SERVER ['php _ AUTH_USER']) {
Authenticate ();
}
Else {
Echo"
Welcome: {$ _ SERVER ['php _ AUTH_USER ']}
";
Echo "Old: {$ _ REQUEST ['oldau']}";
Echo"
N ";
}
?>
This behavior is not necessary for the Basic authentication standard of HTTP. Therefore, you cannot rely on this method. tests on the Lynx browser show that Lynx does not clear the authentication file when it receives information from the 401 server, therefore, as long as the authentication file check requirements remain unchanged, as long as the user clicks the "back" button and then click the "forward" button, the original resources can still be accessed, you can press the _ KEY to clear their authentication information.
In the following example, the variables $ PHP_AUTH_USER and $ PHP_AUTH_PW are used to verify whether the entrant is valid and allow access. In this example, the user names and password pairs that are allowed to log on are tnc and nature:
The code is as follows:
<? Php
If (! Isset ($ PHP_AUTH_USER ))
{
Header ("WWW-Authenticate: Basic realm =" My Realm "");
Header ("HTTP/1.0 401 Unauthorized ");
Echo "Text to send if user hits Cancel buttonn ";
Exit;
}
Else
{
If (! ($ PHP_AUTH_USER = "tnc" & $ PHP_AUTH_PW = "nature "))
{
// If the user name or password pair is incorrect, force re-verification
Header ("WWW-Authenticate: Basic realm =" My Realm "");
Header ("HTTP/1.0 401 Unauthorized ");
Echo "ERROR: $ PHP_AUTH_USER/$ PHP_AUTH_PW is invalid .";
Exit;
}
Else
{
Echo "Welcome tnc! ";
}
?>
In fact, in actual reference, it is unlikely that the above user name/password pairs are used, but the database or encrypted password files are used to access them.
Verify the user identity based on the specified authentication information:
First, we can use the following code to determine whether the user has entered the user name and password, and display the information entered by the user.
The code is as follows:
<? Php
If (! Isset ($ PHP_AUTH_USER )){
Header ('www-Authenticate: Basic realm = "My Private Stuff "');
Header ('http/1.0 401 unauthorized ');
Echo 'authorization Required .';
Exit;
}
Else {
Echo"
You have entered this username: $ PHP_AUTH_USER
You have entered this password: $ PHP_AUTH_PW
The authorization type is: $ PHP_AUTH_TYPE
";
}
?>
Note:
The isset () function is used to determine whether a variable has been assigned a value. true or false is returned based on whether the variable value exists.
The header () function is used to send specific HTTP headers. Note that when using the header () function, you must call this function before any HTML or PHP code that generates actual output.
Although the above code is quite simple and does not validate the user name and password entered by the user based on any actual value, at least we understand how to use PHP to generate an input dialog box on the client.
Next, let's take a look at how to verify the user identity based on the specified authentication information. the code is as follows:
The code is as follows:
<? Php
If (! Isset ($ PHP_AUTH_USER )){
Header ('www-Authenticate: Basic realm = "My Private Stuff "');
Header ('http/1.0 401 unauthorized ');
Echo 'authorization Required .';
Exit;
}
Else if (isset ($ PHP_AUTH_USER )){
If ($ PHP_AUTH_USER! = "Admin") | ($ PHP_AUTH_PW! = "123 ")){
Header ('www-Authenticate: Basic realm = "My Private Stuff "');
Header ('http/1.0 401 unauthorized ');
Echo 'authorization Required .';
Exit;
} Else {
Echo"
You're authorized!
";
}
}
?>
Here, we first check whether the user has entered the user name and password. if not, a dialog box is displayed asking the user to enter the identity information. then, we determine whether the information entered by the user complies with the specified admin/123 user account to grant the user access permission or prompt the user to enter the correct information again, this method applies to websites where all users use the same logon account.
Another simple password verification method
If you write and run your PHP script under Windows 98, or you install PHP into a CGI program by default under Linux, you will not be able to use the above PHP program to implement the verification function. For this reason, there is no limit to providing you with another simple password verification method, although not practical, but it is good to learn it.
The code is as follows:
<? Php
If ($ _ POST [Submit] = "Submit") {// if the user submits data, perform the operation
$ Password = $ _ POST [password]; // obtain user input data and save it in the variable password
$ Cpassword =$ _ POST [cpassword]; // Obtain the validation data entered by the user and save it in the variable $ cpassord
If (emptyempty ($ password) | emptyempty ($ cpassword ))
{
Die ("password cannot be blank! ");
}
Elseif (strlen ($ password) <5) | (strlen ($ password)> 15 )))
{
Die ("The password length is between 5 and 15 ");
}
// --- Value Comparison
Elseif (! (Strlen ($ password) = strlen ($ cpassword )))
{
Die ("The two passwords do not match! ");
}
Elseif (! ($ Password ===$ cpassword) // compare the value and data type
{
Die ("two passwords do not match! ");
}
Else // cyclically output the password. because the password is used, the * number is output.
{
For ($ I = 0; $ I {
Echo "*";
}
}
}
?>
Form verification-password field verification
I hope this article will help you with php programming.