When designing and maintaining websites, users often need to restrict access to some important files or information. Generally, we can adopt an HTTP-based user authentication mechanism built into the WEB server. When a visitor browses a protected page, the client browser will pop up a dialog window asking the user to enter the user name and password to verify the user's identity to determine whether the user has the right to access the page. The following two methods are used to describe the implementation principle.
1. Implement HTTP headers
The header is the string sent by the server before the server sends HTML information to the browser over HTTP. HTTP uses a challenge/response mode to authenticate users attempting to enter the password-protected area. Specifically, when a user sends a request to the WEB server for the first time to access the protected area, the challenge process is started, and the server returns a special 401 header, indicating that the user's identity is not verified. After the client browser detects the above response, a dialog box is displayed automatically asking the user to enter the user name and password. After the user completes the input, click "OK". The user's identification information is sent to the server for verification. If the user name and password entered by the user are valid, the WEB server allows the user to enter the protected area and maintain the identity validity throughout the access process. On the contrary, if the user name or password entered by the user cannot be verified, the client browser will pop up the input window asking the user to try again to enter the correct information. The entire process will continue until the user enters the correct information location. You can also set the maximum number of attempts allowed to the user. When the limit is exceeded, the user's access request will be automatically rejected.
In the PHP script, use the function header () to directly send the HTTP header to the browser of the client. In this way, the user name and password input window will pop up automatically on the client to implement our identity authentication function. In PHP, the information entered by the client user is automatically stored in three global variables: $ PHP_AUTH_USER, $ PHP_AUTH_PW, and $ PHP_AUTH_TYPE. With these three variables, we can verify the user identity based on the user account information stored in the data file or database!
However, you must note that the $ PHP_AUTH_USER, $ PHP_AUTH_PW, and $ PHP_AUTH_TYPE variables can be used only in PHP installed in module mode. If you are using CGI-mode PHP, the verification function cannot be implemented. Install PHP modules later in this section.
Next we will use the Mysql database to store the user's identity. We need to extract the username and password of each account from the database to compare with the $ PHP_AUTH_USER and $ PHP_AUTH_PW variables to determine the authenticity of the user.
First, create a database for storing user information in MySql.
The database name is XinXiKu and the table name is user. The table definition is as follows:
Create table user (
Id int (4) not null AUTO_INCREMENT,
Name VARCHAR (8) not null,
Password CHAR (8) not null,
Primary key (ID)
)
Note:
1. ID is a serial number, which is not zero and increases automatically. It is the primary key;
2. name is the user name and cannot be blank;
3. The password is a user password and cannot be blank;
The following is the user authentication file login. php.
// Determine whether the user name is set
If (! Isset ($ PHP_AUTH_USER )){
Header ("WWW-Authenticate: Basic realm =" authentication function "");
Header ("HTTP/1.0 401 Unauthorized ");
Echo "authentication failed. You do not have permission to share network resources! ";
Exit ();
}
/* Connect to the database */
$ Db = mysql_connect ("localhost", "root ","");
// Select a database
Mysql_select_db ("XinXiKu", $ db );
// Query whether a user exists
$ Result = mysql_query ("SELECT * FROM user where name = $ PHP_AUTH_USER and password = $ PHP_AUTH_PW", $ db );
If ($ myrow = mysql_fetch_row ($ result )){
// Perform the following operations after authentication is successful:
...
} Else {
// The authentication fails, and the user is prompted to re-enter
Header ("WWW-Authenticate: Basic realm =" authentication function "");
Header ("HTTP/1.0 401 Unauthorized ");
Echo "authentication failed. You do not have permission to share network resources! ";
Exit ();
}
?>
Program description:
In the program, first check whether the variable $ PHP_AUTH_USER has been set. If no authentication is set, the script sends an HTTP 401 error header, telling the client browser that authentication is required. An Authentication Window is displayed in the client browser, prompt the user to enter the user name and password. after entering the password, connect to the database and check whether the user name and password are correct. If the user name and password are correct, Allow logon to perform related operations. If the user name and password are incorrect, the user is required to enter the user name and password.
Function Description:
1. isset (): used to determine whether a variable has been assigned a value. Returns true or false based on whether the variable value exists.
2. header (): used to send specific HTTP headers. Note: when using the header () function, you must call this function before any HTML or PHP code that generates the actual output.
3. mysql_connect (): Open the MySQL server connection.
4. mysql_db_query (): Send the query string to the MySQL database.
5. mysql_fetch_row (): Return fields in a single column.
Ii. Server verification using session
For pages that require authentication, it is best to use the apache server for authentication. However, the interface for apache server authentication is unfriendly. In addition, php in cgi Mode and php in iis cannot be verified using the apache server. In this way, we can use the session to save the user identity between different pages to achieve the purpose of identity authentication.
At the backend, we also use the above Mysql database to store user information.
First, we compile a user login interface named login. php. The Code class is as follows:
____________________________________________________________
<Form action = "login1.php">
Username: <input type = "text" name = "name"> <br>
Command: <input type = "text" name = "pass"> <br>
<Input type = "submit" value = "login">
</Form>
____________________________________________________________
The code for login1.php to process the submitted form is as follows:
$ Db = mysql_connect ("localhost", "root ","");
Mysql_select_db ("XinXiKu", $ db );
$ Result = mysql_query ("SELECT * FROM user where name = $ name and password = $ pass", $ db );
If ($ myrow = mysql_fetch_row ($ result )){
// Register a user
Session_start ();
Session_register ("user ");
$ User = $ myrow ["user"];
// Complete the authentication.
...
} Else {
Echo "authentication failed. You do not have permission to share network resources! ";
}
?>
You can use ** http: // domainname/next. php? User = username ** to bypass authentication. Therefore, follow-up operations should first check whether the variable is registered: if it is already registered, perform the corresponding operations; otherwise, it is deemed as illegal logon. The related code is as follows:
Session_start ();
If (! Session_is_registered ("user ")){
Echo "authentication failed. Illegal logon! ";
} Else {
// Log on successfully for related operations
...
}
?>
Appendix: PHP module Installation Method
1. First download the file: mod_php4-4.0.1-pl2. [If you are not using PHP4, upgrade it now.]
There are three files after unzipping: mod_php4.dll1_mod_php4.conf1_readme.txt
2. Copy Related Files
Copy mod_php4.dll to the modules directory of the apache installation directory.
Copy mod_php4.conf to the conf directory of the apache installation directory.
Copy the msvcrt. dll file to the apache installation directory.
3. Open the conf/srm. conf file and add a sentence to it.
Include conf/mod_php4.conf
Before doing this, please remove all the settings statements about the CGI Mode in your httpd. conf, which is similar to the following section!
ScripAlias/php4/"C:/php4 /"
AddType application/x-httpd-php4. php
AddType application/x-httpd-php4. php3
AddType applications/x-httpd-php4. php4
Action application/x-httpd-php4/php4/php.exe
It's okay to make PHP support more extensions. The configuration file mod_php4.conf already supports three extensions: php, php3, and php4. If you want to support more extensions, you can change the file.
4. Test
Use <? Phpinfo ();?> Test. The Server API value is apache, not cgi, And there is Information about HTTP Headers Information.