Electric Type


Authenticate and Track Users with PHP

Page 2 — HTTP Authentication with PHP

Basic HTTP authentication uses a challenge/response scheme to authenticate users attempting to access a password-protected page. The challenge begins when the user requests a file from a Web server. If the file is within a protected area, the server responds with a 401 Unauthorized status and a WWW-Authenticate header that names the protected "realm". The browser detects that response and up pops the username/password dialog box. The user enters a username and password in the dialog box, then clicks OK; the browser repeats the request with an Authorization header that carries the username and password (base64-encoded, not encrypted) for the server to check.

If the username and password pair is valid, the protected file is sent to the user. The browser then attaches the same credentials to every later request for that realm, so the user is not prompted again while inside the protected area. Because the credentials are re-sent with each request and base64 can be decoded by anyone who sees the traffic, Basic authentication should only be used over HTTPS. If the pair cannot be authenticated, the server answers 401 again and the dialog box is redisplayed, prompting the user to try again. This cycle repeats until the proper username/password combination is entered or the user gives up and slinks away.

A simple PHP script can take the server's side of this exchange by sending the same HTTP headers, which cause the browser to display the username/password dialog box automatically. PHP makes the values entered in the dialog box available to the script: originally as the three global variables $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE (which exist only with the long-deprecated register_globals setting), and on PHP 4.1 and later as $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], and $_SERVER['AUTH_TYPE'], which is the only form that still works since register_globals was removed in PHP 5.4. Using these values, you can validate input against a username/password list kept in a text file, database, or any other list you have lying about.

NOTE: These variables are available only when PHP runs as a Web-server module (for example Apache's mod_php), because only then does PHP see the Authorization header. The CGI version of PHP is not handed that header by the server, so unless the server is configured to forward it as an environment variable, you're limited to .htaccess-based authentication or to database-driven authentication that uses an HTML form to collect the username and password and PHP to validate them.

Let's start slowly, by writing a PHP script that simply checks whether $PHP_AUTH_USER has a value (any value). If it has none, the script sends the 401 Unauthorized status and the WWW-Authenticate header; the dialog box appears and execution of the script halts. After the user enters some values in the dialog box and presses OK, the browser resends the request with those values and the page reloads. Now that $PHP_AUTH_USER has a value, the first section of the script is skipped and the challenge headers are not sent. Just to prove that I'm not lying to you, the remainder of the script prints the values entered for $PHP_AUTH_USER and $PHP_AUTH_PW (something you would never do on a real page, since it echoes the password back into the HTML). Give it a shot and see how it works.


<?php 

	// File Name: auth01.php
	// Check to see if the browser has already sent credentials.
	// On PHP 5.4+ (register_globals is gone) they are in $_SERVER, not in
	// the bare globals $PHP_AUTH_USER / $PHP_AUTH_PW / $PHP_AUTH_TYPE.

	if (!isset($_SERVER['PHP_AUTH_USER'])) {

		// If empty, send header causing dialog box to appear
		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	} else {

		// If not empty, display values for variables.
		// htmlspecialchars() stops a crafted username from injecting
		// HTML into the page (the raw values must never be echoed).
		$user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
		$pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'] ?? '', ENT_QUOTES, 'UTF-8');
		$type = htmlspecialchars($_SERVER['AUTH_TYPE'] ?? '', ENT_QUOTES, 'UTF-8');

		echo "
		<p>You have entered this username: $user<br>
		You have entered this password: $pw<br>
		The authorization type is: $type</p>
		";

	}

?>


Admittedly, that wasn't very fun, since the usernames and passwords weren't actually validated against a list. But hey, at least you learned how to pop up that annoying little box.

Next, we'll validate a username/password pair against values hard-coded within the script. This technique is useful if only one username/password combination is shared by everyone (for example, a single "admin" account), bearing in mind that anyone who can read the script's source can read the password. This script is quite similar to the first example.

First, $PHP_AUTH_USER is checked for a value. If it has none, the 401 challenge is sent, which causes the dialog box to appear. If it does have a value (any value), the script heads into the inner if/else statement: if the username or the password does not match the required value, the challenge is sent again and the dialog box reappears; if both match, a message to that effect is printed. A wrong username and a wrong password get exactly the same 401 response, so the script gives away nothing about which half was wrong.


<?php 

	// File Name: auth02.php
	// Credentials come from $_SERVER on PHP 5.4+ (register_globals is gone).

	// Check to see if the browser has already sent a username

	if (!isset($_SERVER['PHP_AUTH_USER'])) {

		// If empty, send header causing dialog box to appear

		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	} else {

		// Compare against the hard-coded pair. hash_equals() runs in
		// constant time, so the response time does not leak how many
		// leading characters of a guess were correct. (A plaintext
		// password in source is for demonstration only.)
		$userOk = hash_equals('admin', $_SERVER['PHP_AUTH_USER']);
		$pwOk   = hash_equals('abc123', $_SERVER['PHP_AUTH_PW'] ?? '');

		if (!$userOk || !$pwOk) {

			// Wrong username or password: send the challenge again

			header('WWW-Authenticate: Basic realm="My Private Stuff"');
			header('HTTP/1.0 401 Unauthorized');
			echo 'Authorization Required.';
			exit;

		} else {
			echo "
			<p>You're authorized!</p>
			";
		}
	} 

?>

Go ahead and try it out. Try entering an incorrect username and a correct password, or a correct username and incorrect password, or an incorrect username and an incorrect password, or — here's a novel idea — enter "admin" for the username and "abc123" for the password.

But what if more than one username and password pair is valid for your protected area? Whether you keep the information in a text file or in a database, you can match those values just as easily as you matched hard-coded values.
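Here is an added example (mine, not the article's code) that puts the two halves of this page together: it recovers the credentials from the request, including under CGI/FastCGI where PHP_AUTH_USER is absent but the raw Authorization header may have been forwarded, and it checks them against a list of several users rather than one hard-coded pair. The user list, the dummy digest, the realm, and the function names (basic_credentials, authenticate, handle_request) are all my own choices; the list is constructed inline and its digests are generated at startup only so the script runs offline. The CGI path assumes the web server forwards the header as HTTP_AUTHORIZATION (for Apache, a RewriteRule of the form `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`). Requires PHP 7.1 or later.

```php
<?php
// File Name: auth03.php  (added example, not part of the original article)
// Run "php auth03.php" for the offline self-test, or put it in a web root
// to serve a Basic-auth-protected page. Requires PHP 7.1+.
declare(strict_types=1);

/**
 * Pull the Basic-auth credentials out of a $_SERVER-style array.
 * As an Apache module, PHP sets PHP_AUTH_USER/PHP_AUTH_PW itself. Under
 * CGI/FastCGI those are absent; if the web server forwards the raw
 * Authorization header (assumption: Apache with
 * "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]") it shows
 * up as HTTP_AUTHORIZATION in the form "Basic " . base64("user:password")
 * and is decoded here by hand.
 * Returns [user, password], or null when nothing usable was sent.
 */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);   // strict mode rejects junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);             // password may itself contain ':'
    return [$user, $pass];
}

/**
 * Verify a username/password pair against a list of password_hash() digests.
 * Unknown users are checked against a dummy digest so that a valid and an
 * invalid username take the same time to reject (no user enumeration by timing).
 */
function authenticate(array $userHashes, string $user, string $pass, string $dummyHash): bool
{
    $known = array_key_exists($user, $userHashes);
    $hash  = $known ? $userHashes[$user] : $dummyHash;
    $ok    = password_verify($pass, $hash);   // constant-time comparison inside
    return $known && $ok;
}

/**
 * Decide the response for one request. Returns [status, headers, body]
 * instead of sending it, so the same logic can be exercised from the CLI.
 */
function handle_request(array $server, array $userHashes, string $dummyHash, string $realm): array
{
    $creds = basic_credentials($server);
    if ($creds === null || !authenticate($userHashes, $creds[0], $creds[1], $dummyHash)) {
        // Same answer for "no credentials", "unknown user" and "wrong password":
        // the challenge header makes the browser show (or re-show) the dialog box.
        return [401, ['WWW-Authenticate' => 'Basic realm="' . $realm . '"'], 'Authorization Required.'];
    }
    $safeUser = htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
    return [200, [], "<p>You're authorized, $safeUser!</p>"];
}

// Constructed sample user list. The digests are generated here only to keep the
// example self-contained; a real script reads precomputed password_hash() output
// from a file or database and never stores the plaintext.
$userHashes = [
    'admin' => password_hash('abc123', PASSWORD_DEFAULT),
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
$dummyHash = password_hash('placeholder-never-matches', PASSWORD_DEFAULT);
$realm     = 'My Private Stuff';

if (PHP_SAPI === 'cli') {
    // Offline self-test: replay the exchange with constructed $_SERVER arrays.
    $cases = [
        'no credentials'     => [[], 401],
        'wrong password'     => [['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'letmein'], 401],
        'unknown user (CGI)' => [['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('mallory:abc123')], 401],
        'garbage header'     => [['HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!'], 401],
        'module credentials' => [['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'abc123'], 200],
        'forwarded header'   => [['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse battery staple')], 200],
    ];
    foreach ($cases as $name => [$fakeServer, $expected]) {
        [$status] = handle_request($fakeServer, $userHashes, $dummyHash, $realm);
        printf("%-20s -> %d %s\n", $name, $status, $status === $expected ? 'ok' : 'FAIL');
    }
} else {
    [$status, $headers, $body] = handle_request($_SERVER, $userHashes, $dummyHash, $realm);
    http_response_code($status);
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
    echo $body;
}
```

Two design points worth noting. The request is decoded and checked by functions that return a result rather than calling header() and exit directly, which is what makes the CLI self-test possible and is also how you would unit-test a real handler. And every failure, whether no credentials, an unknown user, a wrong password or an undecodable header, yields the identical 401 response after a password_verify() call, so neither the body nor the response time tells an attacker which usernames exist.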
