HTTP Authentication

HTTP authentication relies on the browser's built-in login prompt and the HTTP 401 / WWW-Authenticate exchange instead of an HTML login form; the web server (or, as in the examples below, the PHP script itself) checks the username and password the browser sends. It is adequate for many applications that simply need users to log in, although applications with specialized needs or more stringent security requirements (sessions, logout, multi-factor authentication) call for other techniques.

To use HTTP authentication, PHP sends a 401 Unauthorized response carrying a WWW-Authenticate header, which tells the browser to open an authentication dialog. The browser then repeats the request with an Authorization header containing the credentials. The web server must pass that header on to PHP for this to work, but because the feature is so common, your server is very likely to support it.

Although it is normally available when PHP runs as an Apache module, the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] values are only populated when the server hands the Authorization header to PHP; CGI and FastCGI setups may need extra configuration. So attempting to run these examples may produce an error or a prompt that never accepts your login, in which case you must install the module, change the configuration file to load it or forward the header, or ask your system administrator to make these fixes.

From the user's point of view, when they enter your URL into the browser or visit via a link, an "Authentication Required" prompt pops up requesting two fields, username and password, as in the following example:

Example

<?php
// Demonstration only: this script echoes the password back to the browser so
// you can see what PHP received. Never do that in a real application.
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
	echo "Welcome User: " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) .
	     " Password: " . htmlspecialchars($_SERVER['PHP_AUTH_PW']);
}
else
{
	// No credentials yet: challenge the browser, which opens the login prompt.
	header('WWW-Authenticate: Basic realm="Restricted Section"');
	header('HTTP/1.0 401 Unauthorized');
	// This body is shown only if the user cancels the prompt.
	die("Please enter your username and password");
}
?>

Output prompt

[Figure: the browser's "Authentication Required" dialog with username and password fields]

The first thing the program does is look for two particular values: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. If they both exist, they hold the username and password the user entered into the authentication prompt (the browser sends them, base64-encoded, in the Authorization header of every subsequent request, and PHP decodes them into these two variables).

If the user fills out the fields, the browser resends the request with the credentials, the PHP program runs again from the top, and this time the message is displayed, for example:
Welcome User: abc Password: abc
But if the user clicks the Cancel button, no credentials are sent and the browser displays the body of the 401 response, the "Please enter your username and password" text produced by the die statement in the else branch.

Now let's check for a valid username and password. The code in the previous example doesn't require much change to add this check, other than replacing the welcome message with a test for a correct username and password, followed by the welcome message. A failed authentication causes an error message to be sent.

Example

<?php
$username = 'admin';
$password = 'letmein';
if (isset($_SERVER['PHP_AUTH_USER']) &&
	isset($_SERVER['PHP_AUTH_PW']))
{
	// hash_equals() is a constant-time comparison; PHP's loose == operator
	// applies numeric conversions to strings (for example "1e3" == "1000"
	// is true) and must not be used to compare credentials.
	if (hash_equals($username, $_SERVER['PHP_AUTH_USER']) &&
	    hash_equals($password, $_SERVER['PHP_AUTH_PW']))
		echo "You are now logged in";
	else
		die("Invalid username / password combination");
}
else
{
	header('WWW-Authenticate: Basic realm="Restricted Section"');
	header('HTTP/1.0 401 Unauthorized');
	die("Please enter your username and password");
}
?>

Incidentally, take a look at the wording of the error message: "Invalid username / password combination." It doesn't say whether the username or the password or both were wrong; the less information you give a potential attacker, the better. A mechanism is now in place to authenticate users, but only for a single username and password. Also, the password appears in clear text within the PHP file, so anyone who gains read access to your server (or to your source repository) knows it instantly. Two further caveats apply to Basic authentication in general: the browser resends the credentials, merely base64-encoded rather than encrypted, with every request, so the site must be served over HTTPS, and there is no logout; the browser keeps offering the credentials until it is closed.
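The following is an added example, not code from the original tutorial, that addresses the points raised above and in the explanation of how the credentials reach PHP: several users instead of one, hashed passwords instead of a clear-text constant, a constant-time check, a generic failure message that re-issues the challenge, and a fallback that decodes the raw Authorization header for setups where PHP_AUTH_USER is not populated. The usernames, passphrases, realm name and the $users array are made-up values for illustration.

```php
<?php
// Added example (not part of the original tutorial).
// Assumed, made-up user table. In a real deployment the hashes are generated
// once (e.g. with password_hash() on the command line) and stored outside the
// web root; they are computed at load time here only to keep the example
// self-contained.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'bob'   => password_hash('another-long-passphrase', PASSWORD_DEFAULT),
];
// Dummy hash used for unknown usernames so that the verify step costs the
// same time whether or not the username exists.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

// Returns [username, password] from the request, or null when the browser
// sent no credentials. The Apache module fills $_SERVER['PHP_AUTH_USER'];
// under CGI/FastCGI the raw "Authorization: Basic base64(user:pass)" header
// may only be available as HTTP_AUTHORIZATION (or REDIRECT_HTTP_AUTHORIZATION
// when forwarded by a rewrite rule), so it is decoded by hand.
function getBasicCredentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    $header = $_SERVER['HTTP_AUTHORIZATION']
        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    // Strict decoding rejects malformed base64 instead of silently skipping it.
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // The password may itself contain ':', so split on the first one only.
    return explode(':', $decoded, 2);
}

// Sends the 401 challenge. The body is only shown if the user cancels.
function sendChallenge(string $realm): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    exit('Authentication required');
}

$credentials = getBasicCredentials();
if ($credentials === null) {
    sendChallenge('Restricted Section');
}
[$user, $pass] = $credentials;

// password_verify() is constant-time for a given hash; checking the dummy
// hash for unknown users keeps the response time independent of whether
// the username exists.
$known = isset($users[$user]);
$valid = password_verify($pass, $known ? $users[$user] : $dummyHash) && $known;

if (!$valid) {
    // Same generic response for a wrong username and a wrong password, and
    // re-issuing the challenge lets the browser prompt again.
    sendChallenge('Restricted Section');
}

echo 'You are now logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Serve this only over HTTPS: the example hardens how credentials are stored and compared, but Basic authentication still transmits them base64-encoded on every request, so transport encryption is what keeps them from being read on the wire.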