HTTP authentication with PHP
HTTP authentication with PHP
Article by ahsan hashmi
The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version. In an Apache module PHP script, it is possible to use the header() function to send an “Authentication Required” message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $ _SERVER and $ HTTP_SERVER_VARS arrays. Both “Basic” and “Digest” (since PHP 5.1.0) authentication methods are supported. See the header() function for more information.
PHP Version Note: Autoglobals, such as $ _SERVER, became available in PHP 4.1.0. $ HTTP_SERVER_VARS has been available since PHP 3.
An example script fragment which would force client authentication on a page is as follows:
????? 34-1. Basic HTTP Authentication example
<?php if (!isset($ _SERVER['PHP_AUTH_USER'])) { header(‘WWW-Authenticate: Basic realm=”My Realm”‘); header(‘HTTP/1.0 401 Unauthorized’); echo ‘Text to send if user hits Cancel button’; exit; } else { echo “
Hello {$ _SERVER['PHP_AUTH_USER']}.
“; echo “
You entered {$ _SERVER['PHP_AUTH_PW']} as your password.
“; }?>
????? 34-2. Digest HTTP Authentication example
This example shows you how to implement a simple Digest HTTP authentication script. For more information read the RFC 2617.
<?php$ realm = ‘Restricted area’;
//user => password$ users = array(‘admin’ => ‘mypass’, ‘guest’ => ‘guest’);
if (empty($ _SERVER['PHP_AUTH_DIGEST'])) { header(‘HTTP/1.1 401 Unauthorized’); header(‘WWW-Authenticate: Digest realm=”‘.$ realm. ‘” qop=”auth” nonce=”‘.uniqid().’” opaque=”‘.md5($ realm).’”‘);
die(‘Text to send if user hits Cancel button’);}
// analyze the PHP_AUTH_DIGEST variableif (!($ data = http_digest_parse($ _SERVER['PHP_AUTH_DIGEST'])) ||!isset($ users[$ data['username']])) die(‘Wrong Credentials!’);
// generate the valid response$ A1 = md5($ data['username']. ‘:’. $ realm. ‘:’. $ users[$ data['username']]);$ A2 = md5($ _SERVER['REQUEST_METHOD'].’:’.$ data['uri']);$ valid_response = md5($ A1.’:’.$ data['nonce'].’:’.$ data['nc'].’:’.$ data['cnonce'].’:’.$ data['qop'].’:’.$ A2);
if ($ data['response']!= $ valid_response) die(‘Wrong Credentials!’);
// ok, valid username & passwordecho ‘Your are logged in as: ‘. $ data['username'];
// function to parse the http auth headerfunction http_digest_parse($ txt){ // protect against missing data $ needed_parts = array(‘nonce’=>1, ‘nc’=>1, ‘cnonce’=>1, ‘qop’=>1, ‘username’=>1, ‘uri’=>1, ‘response’=>1); $ data = array();
preg_match_all(‘@(\w+)=([\'"]?)([a-zA-Z0-9=./\_-]+)@’, $ txt, $ matches, PREG_SET_ORDER);
foreach ($ matches as $ m) { $ data[$ m[1]] = $ m[3]; unset($ needed_parts[$ m[1]]); }
return $ needed_parts ? false : $ data;}?>
Compatibility Note: Please be careful when coding the HTTP header lines. In order to guarantee maximum compatibility with all clients, the keyword “Basic” should be written with an uppercase “B”, the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the 401 code in the HTTP/1.0 401 header line.
Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file.
Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.
As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $ _SERVER['REMOTE_USER'].
About the Author
my name ahsan from pakistan. i am php expert.
