Basic HTTP Authentication Using PHP
By: Dabu
Before we start there are a few things you must know. For one, The HTTP Authentication in PHP are only available when it is running as an Apache module. If you are not using the PHP as an Apache module this tutorial will not work for you!
Using the header() function, it is possible to send an "Authentication Required" message the clients browser and request them to input a username and password similar to as if you did it in .htaccess.
Let's get started with the first part of our code:
<?
if (!isset($_SERVER['PHP_AUTH_USER'])) {
} else {
}
?>
This is your standard if statement that checks to see if the predefined server variable, PHP_AUTH_USER, has been set. Next we will send the header statement:
<?
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Site"');
header('HTTP/1.0 401 Unauthorized');
} else {
}
?>
The first header statement is telling the browser that this page requires authentication. Change My Site to the name that you wish to be displayed on the username/password form. You can also add an echo statement to display a message if they hit the cancel button. We will also add the exit; function to tell the browser to stop loading the page once this function is run.
<?
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Site"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit();
} else {
}
?>
Now that we have our code to stop the user from accessing the page, what happens after the client inserts a username and password? We will have to add this in the other portion of the if statement. You can use $_SERVER['PHP_AUTH_USER']; AND $_SERVER['PHP_AUTH_PW']; to get the inputted username and password.
<?
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="Site"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit();
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
Although this does not check to see if the username/password is correct it will display the username/password that they inserted. You can use another simple if statement and the and operator (&&) to check if the username/password is correct. If you would like an example of this please read bellow.
<?
$username = "Testing";
$password = "password";
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Site"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit();
} else {
if (($_SERVER['PHP_AUTH_USER'] == $username) && ($_SERVER['PHP_AUTH_PW'] == $password)) {
echo "The username and password you have entered are correct!";
} else {
echo "The username and/or password you have entered is incorrect!";
exit();
}
}
?>
This will check to see if the inputted data is equal to the username and password defined in the variables username and password. You may use this script any way you wish but by doing so you agree to Dabu4u's Terms of Service.
I spellchecked this but if there are any typo's feel free to fix it mods or point it out to me and I will fix it.
Full Version: [PHP] - [Basic HTTP Authentication] - [Dabu]
great tutorial 
Very useful, I enjoyed reading this tutorial.
Is there a way to figure out how to 'logout' in HTTP Authentication? I was looking around and found the same code at like PHP Freaks and tutorialized.com, which I think comes from the PHP Manual, but thats not important the fact is I can't find anywhere that allows any kind of 'logout' in HTTP Authentication.
For example: I tried this code in an example for my admin section on my website.. and I just wanted something simple for now.. I'll go for something a little more secure soon, but I was wondering how to 'logout' because I signed in and then I was trying to see if all the echos worked in PHP, so I tried to go back, and I clicked back on my web browser (firefox) and it just stayed the same. Then I tried to refresh that didn't work so, I eventually somehow figured it out, but I don't know how I did it.
So, I guess my point is, when you just close the browser is that it or is it continuously open once you login?
For example: I tried this code in an example for my admin section on my website.. and I just wanted something simple for now.. I'll go for something a little more secure soon, but I was wondering how to 'logout' because I signed in and then I was trying to see if all the echos worked in PHP, so I tried to go back, and I clicked back on my web browser (firefox) and it just stayed the same. Then I tried to refresh that didn't work so, I eventually somehow figured it out, but I don't know how I did it.
So, I guess my point is, when you just close the browser is that it or is it continuously open once you login?
I dont know anything about php, but flipping through my book and looking up http authentication I found that you can create a log-out system on some browsers by making a page that sends the browser this code:
Which according to the book will empty the browsers cache of the previous http username and password.
CODE
header('HTTP/1.0 401 Unauthorized');
Which according to the book will empty the browsers cache of the previous http username and password.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.