Simulate HTTP authentication using PHP

Source: Internet
Author: User
Tags http authentication password protection
If you want to implement password protection based on each script, you can create a basic authentication mechanism by combining the header () function with the $ PHP_AUTH_USER and $ PHP_AUTH_PW global variables. Generally, the server-based authentication request response process is as follows: 1. the user requests a file from a Web server. If the file is in a protected area, if you want to implement password protection based on each script, you can combine the header () function and $ PHP_AUTH_USER and $ PHP_AUTH_PW global variables to create a basic authentication mechanism. Generally, the server-based authentication request/response process is as follows:



1. the user requests a file from a Web server. If the file is in a protected area, the server adds a 401 (invalid user) string to the response data header as a response.

2. the user name/password dialog box is displayed after the browser sees the response.

3. enter the user name and password in the dialog box, and click "OK" to send the information back to the server for authentication.

4. if the user name and password are valid, the protected file will be displayed to the user. This validation will continue to be valid for the duration of the verified user in the protected area.

A simple PHP script can simulate the HTTP authentication request/response system by sending an appropriate HTTP header to automatically display the username/password dialog box on the client screen. PHP stores the user input dialog box information in the $ PHP_AUTH_USER and $ PHP_AUTH_PW variables. By using these variables, you can store a list that does not comply with the user name/password test to a text file, database, or wherever you want.

Note: The global variables $ PHP_AUTH_USER, $ PHP_AUTH_PW, and $ PHP_AUTH_TYPE are valid only when PHP is installed as a module. If you are using the CGI version of PHP, you will be limited to using htaccess-based or database-based authentication methods. you can enter the user name and password through the HTML form, and then let PHP check the validity.

This example shows a confirmation check for the two hardware encoding values, regardless of where the user name and password are stored, which is theoretically identical.


/* Check the values of $ PHP_AUTH_USER and $ PHP_AUTH_PW */

If ((! Isset ($ PHP_AUTH_USER) | (! Isset ($ PHP_AUTH_PW ))){

/* Null value: send the data header that generates the display text box */

Header ('www-Authenticate: Basic realm = "My Private Stuff "');

Header ('http/1.0 401 unauthorized ');

Echo 'authorization Required .';

Exit;

} Else if (isset ($ PHP_AUTH_USER) & (isset ($ PHP_AUTH_PW ))){

/* Check whether the variable value exists */

If ($ PHP_AUTH_USER! = "Validname") | ($ PHP_AUTH_PW! = "Goodpassword ")){

/* If the user name or password is incorrect, send the data header that generates the display text box */

Header ('www-Authenticate: Basic realm = "My Private Stuff "');

Header ('http/1.0 401 unauthorized ');

Echo 'authorization Required .';

Exit;

} Else if ($ PHP_AUTH_USER = "validname") | ($ PHP_AUTH_PW = "goodpassword ")){

/* The user name and password are correct, and the success information is output */

Echo"

You're authorized!

";

}

}

?>

You must note that when you are using file-based protection, this method does not provide comprehensive security for directories .. This is obvious to most people, but if your brain establishes a connection between the pop-up dialog box and the protection of the given directory, you should consider it further ..

Julie Meloni is the technical director of i2i Interactive and a strong promoter of the Linux and open source communities. She has written many books on PHP and other technologies and has become an expert with long-term contributions to CNET Builder.com.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.