Php form-based password verification and HTTP verification usage

Source: Internet
Author: User
Tags http authentication php form
The HTTP authentication mechanism of PHP is only valid when PHP runs in the Apache module mode. Therefore, this function is not applicable to CGI versions. In the PHP script of the Apache module, you can use the header () function to forward... the HTTP authentication mechanism of PHP is only valid when PHP runs in the Apache module mode. Therefore, this function is not applicable to CGI versions. In the PHP script of the Apache module, you can use the header () function to send the "Authentication Required" message to the client browser to bring up a user name/password input window. After the user enters the user name and password, the pre-defined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE will be added to the PHP script containing the URL. these three variables are set as user names respectively, password and authentication type. The predefined variables are stored in the $ _ SERVER or $ HTTP_SERVER_VARS array. Supports "Basic" and "Digest" (from PHP 5.1.0) authentication methods. For more information, see the header () function.

PHP version: global variables of Autoglobals, including $ _ SERVER, are valid for PHP 4.1.0 and $ HTTP_SERVER_VARS is valid for PHP 3.

The following is an example of a script that forces client authentication on the page.

Example 34-1. Basic HTTP authentication

 Hello { $_SERVER [ 'PHP_AUTH_USER' ]} .

" ; echo "

You entered { $_SERVER [ 'PHP_AUTH_PW' ]} as your password.

" ; }

Example 34-2. Digest HTTP authentication example

This example shows how to implement a simple Digest HTTP authentication script. For more information, see RFC 2617.

  password  $users = array( 'admin' => 'mypass' , 'guest' => 'guest' );  if (!isset( $_SERVER [ 'PHP_AUTH_DIGEST' ])) {       header ( 'HTTP/1.1 401 Unauthorized' );       header ( 'WWW-Authenticate: Digest realm="' . $realm .              '" qop="auth" nonce="' . uniqid (). '" opaque="' . md5 ( $realm ). '"' );     die( 'Text to send if user hits Cancel button' );  } // analize the PHP_AUTH_DIGEST variable  preg_match ( '/username="(?P
          .*)"/' , $_SERVER [ 'PHP_AUTH_DIGEST' ], $digest ); if (!isset( $users [ $digest [ 'username' ]])) die( 'Username not valid!' ); // generate the valid response $A1 = md5 ( $digest [ 'username' ] . ':' . $realm . ':' . $users [ $digest [ 'username' ]]); $A2 = md5 ( $_SERVER [ 'REQUEST_METHOD' ]. ':' . $digest [ 'uri' ]); $valid_response = md5 ( $A1 . ':' . $digest [ 'nonce' ]. ':' . $digest [ 'nc' ]. ':' . $digest [ 'cnonce' ]. ':' . $digest [ 'qop' ]. ':' . $A2 ); if ( $digest [ 'response' ] != $valid_response ) die( 'Wrong Credentials!' ); // ok, valid username & password echo 'Your are logged in as: ' . $digest [ 'username' ];

Compatibility problem: Be extremely careful when writing HTTP header code. to ensure compatibility with all clients, the first letter of the keyword "Basic" must be capitalized to "B ", the demarcation string must be referenced in double quotation marks (not single quotes). in the header line HTTP/1.0 401, there must be only one space before 401.

In the above example, only the values of PHP_AUTH_USER and PHP_AUTH_PW are printed. However, in actual use, you may need to check the validity of the user name and password, or query the database tutorial, it may be retrieved from the dbm file.

Note that some Internet Explorer browsers have problems. It seems a bit picky about the order of headers. It seems that sending the WWW-Authenticate header before sending HTTP/1.0 401 seems to solve this problem.

Since PHP 4.3.0, in order to prevent users from getting passwords from pages authenticated by the traditional external mechanism by writing scripts, when the external authentication is effective for a specific page and the security mode is enabled, the PHP_AUTH variable will not be set, but in any case, REMOTE_USER can be used to identify external authenticated users. Therefore, you can use the $ _ SERVER ['remote _ user'] variable.

Configuration description: PHP uses the AuthType command to determine whether the external authentication mechanism is effective.

Note: This still prevents unauthorized URLs from stealing passwords from authenticated URLs on the same server.

Both Netscape Navigator and Internet Explorer clear the Windows Authentication cache of all local browsers in the entire domain when they receive messages from the 401 server. this effectively cancels a user, and force them to re-enter their usernames and passwords. some people use this method to make the logon status "expire", or act as a response to the "logout" button.

Example 34-3. example of HTTP authentication that forces the user name and password to be re-entered

 Welcome: { $_SERVER [ 'PHP_AUTH_USER' ]} 
" ; echo "Old: { $_REQUEST [ 'OldAuth' ]} " ; echo "

n" ; }

This behavior is not necessary for the Basic authentication standard of HTTP. Therefore, you cannot rely on this method. tests on the Lynx browser show that Lynx does not clear the authentication file when it receives information from the 401 server, therefore, as long as the authentication file check requirements remain unchanged, as long as the user clicks the "back" button and then click the "forward" button, the original resources can still be accessed, you can press "_" to clear their authentication information.

In the following example, the variables $ PHP_AUTH_USER and $ PHP_AUTH_PW are used to verify whether the entrant is valid and allow access. In this example, the user names and password pairs that are allowed to log on are tnc and nature:


In fact, in actual reference, it is unlikely that the above user name/password pairs are used, but the database or encrypted password files are used to access them.

6.3 verify the user identity based on the specified authentication information

First, we can use the following code to determine whether the user has entered the user name and password, and display the information entered by the user.

  You have entered this username: $PHP_AUTH_USER
You have entered this password: $PHP_AUTH_PW
The authorization type is: $PHP_AUTH_TYPE

"; }


The isset () function is used to determine whether a variable has been assigned a value. true or false is returned based on whether the variable value exists.

The header () function is used to send specific HTTP headers. Note that when using the header () function, you must call this function before any HTML or PHP code that generates actual output.

Although the above code is quite simple and does not validate the user name and password entered by the user based on any actual value, at least we understand how to use PHP to generate an input dialog box on the client.

Next, let's take a look at how to verify the user identity based on the specified authentication information. the code is as follows:

  You're authorized!

"; } }

Here, we first check whether the user has entered the user name and password. if not, a dialog box is displayed asking the user to enter the identity information. then, we determine whether the information entered by the user complies with the specified admin/123 user account to grant the user access permission or prompt the user to enter the correct information again, this method applies to websites where all users use the same logon account.

6.4 another simple password verification

If you write and run your PHP script under Windows 98, or you install PHP into a CGI program by default under Linux, you will not be able to use the above PHP program to implement the verification function. For this reason, there is no limit to providing you with another simple password verification method, although not practical, but it is good to learn it.

  15) {die ("The password length is between 5 and 15");} // --- compare elseif (! (Strlen ($ password) = strlen ($ cpassword) {die ("The two passwords do not match! ");} Elseif (! ($ Password = $ cpassword) // compare the value with the data type {die ("The two passwords do not match! ");} Else // cyclically output the password. because the password is used, the * number is output. {for ($ I = 0; $ I
   Form verification-password field verification     

Tutorial link:

Reprint at will ~ However, please keep the tutorial address★

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.