PHP password authentication based on forms and on HTTP authentication: usage examples (PHP tutorial)

Source: Internet
Author: User
Tags: http authentication



The examples in this article show PHP password authentication based on forms and on HTTP authentication. They are shared here for your reference; the analysis is as follows:

PHP's HTTP authentication mechanism only works when PHP runs as an Apache module, so it is not available in the CGI version. In a script run by the Apache module, you can use the header() function to send an "Authentication Required" message to the client browser, which makes it pop up a user name/password entry window. Once the user has entered a user name and password, the URL containing the PHP script is requested again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW and AUTH_TYPE set to the user name, the password and the authentication type respectively. These predefined variables are found in the $_SERVER or $HTTP_SERVER_VARS array. Both the "Basic" and the "Digest" (since PHP 5.1.0) authentication methods are supported. Interested readers can refer to the documentation of the header() function.

PHP version note: the autoglobal arrays, including $_SERVER, are available since PHP 4.1.0; $HTTP_SERVER_VARS has existed since PHP 3.

The following is a sample script that forces client authentication on the page.

Example 34-1. Basic HTTP Authentication Example
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
Example 34-2. Digest HTTP Authentication Example

This example shows how to implement a simple Digest HTTP authentication script; for more information, refer to RFC 2617.
<?php
$realm = 'Restricted area';

// user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm .
           '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    die('Text to send if user hits Cancel button');
}

// Analyze the PHP_AUTH_DIGEST variable (the fields are expected in this fixed order)
preg_match('/username="(?P<username>[^"]*)",\s*realm="(?P<realm>[^"]*)",\s*nonce="(?P<nonce>[^"]*)",\s*uri="(?P<uri>[^"]*)",\s*response="(?P<response>[^"]*)",\s*opaque="(?P<opaque>[^"]*)",\s*qop=(?P<qop>[^,]*),\s*nc=(?P<nc>[^,]*),\s*cnonce="(?P<cnonce>[^"]*)"/',
           $_SERVER['PHP_AUTH_DIGEST'], $digest);
if (!isset($digest['username']) || !isset($users[$digest['username']]))
    die('Username not valid!');

// Generate the valid response
$A1 = md5($digest['username'] . ':' . $realm . ':' . $users[$digest['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $digest['uri']);
$valid_response = md5($A1 . ':' . $digest['nonce'] . ':' . $digest['nc'] . ':' .
                      $digest['cnonce'] . ':' . $digest['qop'] . ':' . $A2);

// Strict comparison: with == two hex digests of the form "0e..." would compare equal as numbers
if ($digest['response'] !== $valid_response)
    die('Wrong credentials!');

// OK, valid username & password
echo 'You are logged in as: ' . $digest['username'];
?>
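The fixed field order and the unverified nonce in Example 34-2 are fragile: a client that sends the Digest fields in a different order is rejected, and a captured nonce stays valid forever. The following is an added example, not code from the original article: it parses the fields in any order, issues an HMAC-based nonce that can be checked without server-side storage, and compares the response digest with hash_equals. The user table, the realm and the $secret value are constructed placeholders.

```php
<?php
// Parse $_SERVER['PHP_AUTH_DIGEST'] into an array, accepting the fields in any
// order and either quoted or unquoted; null if a field needed for qop=auth is missing.
function parse_digest_header(string $txt): ?array
{
    $needed = array_flip(['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce']);
    $data = [];
    preg_match_all('@(\w+)=(?:"([^"]*)"|([^\s,]+))@', $txt, $m, PREG_SET_ORDER);
    foreach ($m as $f) {
        $data[$f[1]] = $f[2] !== '' ? $f[2] : ($f[3] ?? '');
        unset($needed[$f[1]]);
    }
    return $needed ? null : $data;
}
// Stateless nonce "<unix time>-<HMAC>": stale or forged nonces are rejected without
// server-side state. $secret is an assumed per-server random key.
function make_nonce(string $secret, int $now): string
{
    return $now . '-' . hash_hmac('sha256', (string) $now, $secret);
}
function nonce_valid(string $nonce, string $secret, int $now, int $maxAge = 300): bool
{
    [$ts, $mac] = explode('-', $nonce, 2) + [1 => ''];
    return ctype_digit($ts) && $now - (int) $ts <= $maxAge
        && hash_equals(hash_hmac('sha256', $ts, $secret), $mac);
}
// Recompute the RFC 2617 response for qop=auth and compare it in constant time;
// hash_equals also sidesteps PHP's loose "0e..." numeric comparison of hex digests.
function digest_response_valid(array $d, string $realm, string $password, string $method): bool
{
    if ($d['qop'] !== 'auth') {
        return false;                       // auth-int (body hash) is not handled here
    }
    $a1 = md5($d['username'] . ':' . $realm . ':' . $password);
    $a2 = md5($method . ':' . $d['uri']);
    $expected = md5("$a1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$a2");
    return hash_equals($expected, $d['response']);
}
// Request handling that replaces the checks in Example 34-2 (sample users are constructed)
$realm  = 'Restricted area';
$users  = ['admin' => 'mypass', 'guest' => 'guest'];
$secret = 'replace-with-a-random-server-secret';     // assumption: loaded from server config
$d = isset($_SERVER['PHP_AUTH_DIGEST']) ? parse_digest_header($_SERVER['PHP_AUTH_DIGEST']) : null;
if ($d === null || !isset($users[$d['username']]) || !nonce_valid($d['nonce'], $secret, time())
    || !digest_response_valid($d, $realm, $users[$d['username']], $_SERVER['REQUEST_METHOD'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="'
        . make_nonce($secret, time()) . '",opaque="' . md5($realm) . '"');
    exit('Authorization required');
}
echo 'You are logged in as: ' . htmlspecialchars($d['username']);
```

The nonce check rejects anything older than five minutes or not signed with $secret; the nc counter is still not tracked, so a replay within that window is only prevented by storing seen (nonce, nc) pairs.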
Compatibility note: when writing HTTP header code, take extra care to stay compatible with all clients: the keyword "Basic" must be written with a capital "B", the realm string must be enclosed in double quotes (not single quotes), and in the header line HTTP/1.0 401 there must be exactly one space before 401.

The example above only prints the values of PHP_AUTH_USER and PHP_AUTH_PW, but in practice the user name and password must be checked for validity, perhaps with a database query or a lookup in a dbm file.

Note that some versions of Internet Explorer are picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to resolve the issue.

Since PHP 4.3.0, to prevent someone from writing a script that reveals the password of a page protected by a traditional external authentication mechanism, the PHP_AUTH variables are not set when external authentication is in effect for that page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally authenticated user, so the $_SERVER['REMOTE_USER'] variable is available.

Configuration note: PHP uses the AuthType directive to determine whether an external authentication mechanism is in effect.

Note that this still does not prevent someone from stealing passwords for authenticated URLs on the same server through an unauthenticated URL.

Both Netscape Navigator and Internet Explorer clear the browser window's authentication cache for the entire realm when they receive a 401 response from the server. This effectively logs the user out and forces them to re-enter their user name and password; some people use this to "expire" a login, or as the action behind a "logout" button.

Example 34-3. Example of an HTTP authentication forcing re-entry of a user name and password
<?php
function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

// Ask for credentials again when none were sent, or when the form below was submitted
// with the current user name (this is what turns the button into a "logout")
if (!isset($_SERVER['PHP_AUTH_USER']) ||
    (isset($_POST['SeenBefore'], $_POST['OldAuth']) &&
     $_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    echo "<p>Welcome: {$_SERVER['PHP_AUTH_USER']}<br />";
    echo "Old: " . (isset($_REQUEST['OldAuth']) ? $_REQUEST['OldAuth'] : '');
    // The form that posts SeenBefore/OldAuth back to this script
    echo "<form action='" . htmlspecialchars($_SERVER['PHP_SELF']) . "' method='post'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1' />\n";
    echo "<input type='hidden' name='OldAuth' value='{$_SERVER['PHP_AUTH_USER']}' />\n";
    echo "<input type='submit' value='Re Authenticate' />\n";
    echo "</form></p>\n";
}
?>
This behaviour is not required by the HTTP Basic authentication standard, so it cannot be relied upon. Testing with the Lynx browser shows that Lynx does not clear its credentials when it receives a 401 response from the server, so as long as the credential requirements do not change, the user can press the "Back" button and then the "Forward" button and still access the original resource. However, the user can press the "_" key to clear their authentication information.

In the following example, we use the two variables $PHP_AUTH_USER and $PHP_AUTH_PW (available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] without register_globals) to verify that the visitor is legitimate and allow entry. In this example the user name and password allowed to log in are TNC and nature respectively:
<?php
// $PHP_AUTH_USER / $PHP_AUTH_PW exist only with register_globals on; read $_SERVER instead
if (!isset($_SERVER['PHP_AUTH_USER']))
{
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Text to send if user hits Cancel button\n";
    exit;
}
else
{
    if (!($_SERVER['PHP_AUTH_USER'] == "TNC" && $_SERVER['PHP_AUTH_PW'] == "nature"))
    {
        // If the user name/password pair is incorrect, force re-authentication
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        echo "ERROR: {$_SERVER['PHP_AUTH_USER']}/{$_SERVER['PHP_AUTH_PW']} is invalid.";
        exit;
    }
    else
    {
        echo "Welcome TNC!";
    }
}
?>
In practice, a real application is unlikely to embed an explicit user name/password pair as in the snippet above; it would instead check the credentials against a database or an encrypted password file.
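As an added example that is not part of the original article, here is the same TNC/nature check done against a password hash instead of a plain-text pair, with a constant-time path for unknown user names and a fallback to the raw Authorization header for CGI/FastCGI setups (an assumption: the web server must be configured to forward that header). The user table is constructed inline.

```php
<?php
// Read Basic credentials from $_SERVER['PHP_AUTH_*'] or, when PHP runs as CGI/FastCGI
// and the server has been configured to forward it, from the raw Authorization header.
function basic_credentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') === 0) {
        $decoded = base64_decode(trim(substr($hdr, 6)), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);      // the password may itself contain ':'
        }
    }
    return null;
}
// Return the authenticated user name, or null. $users maps names to password_hash()
// output. An unknown name is still run through password_verify() against $dummyHash so
// that response timing does not reveal which accounts exist.
function check_basic_auth(array $users, string $dummyHash): ?string
{
    $cred = basic_credentials();
    if ($cred === null) {
        return null;
    }
    [$user, $pw] = $cred;
    $known = isset($users[$user]);
    $ok = password_verify($pw, $known ? $users[$user] : $dummyHash);
    return ($ok && $known) ? $user : null;
}

function require_basic_auth(array $users, string $dummyHash, string $realm): string
{
    $user = check_basic_auth($users, $dummyHash);
    if ($user === null) {
        header('WWW-Authenticate: Basic realm="' . $realm . '"');  // before the 401, see the IE note above
        header('HTTP/1.0 401 Unauthorized');
        exit('Authorization Required.');
    }
    return $user;
}

// Constructed user store. In a real deployment only the hashes are stored (database or a
// file outside the web root); the plain password never appears in the script.
$users     = ['TNC' => password_hash('nature', PASSWORD_DEFAULT)];
$dummyHash = password_hash('unused-dummy', PASSWORD_DEFAULT);
$who = require_basic_auth($users, $dummyHash, 'My Realm');
echo 'Welcome ' . htmlspecialchars($who) . '!';
```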

Verify the identity of the user based on the specified authentication information:

First, we can use the following code to determine whether a user has entered a user name and password, and to display the information entered.
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    echo "<p>You entered this username: {$_SERVER['PHP_AUTH_USER']}</p>";
    echo "<p>You entered this password: {$_SERVER['PHP_AUTH_PW']}</p>";
    echo "<p>The authorization type is: {$_SERVER['AUTH_TYPE']}</p>";
}
?>
Description:

The isset() function determines whether a variable has been assigned a value, returning TRUE or FALSE depending on whether the variable exists.

The header() function sends a specific HTTP header. Note that it must be called before any HTML or PHP code that produces actual output.

Although the above code is fairly straightforward, it does not validate the user name and password entered against any real values; but at least we have learned how to make the client show the credential prompt from PHP.

Below, let's look at how to verify the identity of the user based on the specified authentication information, as follows:
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else if (isset($_SERVER['PHP_AUTH_USER'])) {
    if (($_SERVER['PHP_AUTH_USER'] != "admin") || ($_SERVER['PHP_AUTH_PW'] != "123")) {
        header('WWW-Authenticate: Basic realm="My Private Stuff"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    } else {
        echo "<p>You're authorized!</p>";
    }
}
?>
Here we first check whether the user has entered a user name and password; if not, we pop up the corresponding dialog box asking for the credentials. Then we check whether the information entered matches the specified account admin/123 and either grant access or prompt the user to enter the correct information again. This method is suitable for sites where all users share the same login account.

Another easy way to verify your password

If you are writing and running your PHP scripts under Windows 98, or if PHP is installed as a CGI program under Linux with the default settings, you will not be able to use the PHP programs above to implement authentication. Here is another simple method of password verification; it is not very practical, but it is good for learning.
<?php
if (isset($_POST['submit']) && $_POST['submit'] == "commit") { // the user submitted the form
    $password  = $_POST['password'];   // password entered by the user
    $cpassword = $_POST['cpassword'];  // confirmation password entered by the user
    if (empty($password) || empty($cpassword))
    {
        die("Password must not be empty!");
    }
    elseif ((strlen($password) < 5) || (strlen($password) > 15))
    {
        die("Password length must be between 5 and 15");
    }
    // --- value comparison
    elseif (!(strlen($password) == strlen($cpassword)))
    {
        die("The two passwords entered do not match!");
    }
    elseif (!($password === $cpassword)) // value and data type comparison
    {
        die("The two passwords entered do not match!");
    }
    else // print one * per character, since it is a password
    {
        for ($i = 0; $i < strlen($password); $i++)
        {
            echo "*";
        }
    }
}
?>
<html>
<head>
<title>Form validation - Password field validation</title>
</head>
<body>
<!-- Minimal form with the field names the script above reads (reconstructed) -->
<form method="post" action="">
Password: <input type="password" name="password" /><br />
Confirm: <input type="password" name="cpassword" /><br />
<input type="submit" name="submit" value="commit" />
</form>
</body>
</html>
I hope this article is helpful to everyone's PHP programming.

Original article: http://www.bkjia.com/PHPjc/938851.html
