The HTTP Authentication hooks in PHP are only available when it is
running as an Apache module. In an Apache module PHP script, it
is possible to use the Header() function to
send an "Authentication Required" message to the client browser
causing it to pop up a Username/Password input window. Once the
user has filled in a username and a password, the URL containing
the PHP script will be called again with the variables,
$PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE set to the user
name, password and authentication type respectively. Only "Basic"
authentication is supported at this point.
An example script fragment which would force client authentication
on a page would be the following:
Example 2-1. HTTP Authentication example <?php
if(!isset($PHP_AUTH_USER)) {
Header("WWW-Authenticate: Basic realm=\"My Realm\"");
Header("HTTP/1.0 401 Unauthorized");
echo "Text to send if user hits Cancel button\n";
exit;
} else {
echo "Hello $PHP_AUTH_USER.<P>";
echo "You entered $PHP_AUTH_PW as your password.<P>";
}
?>
|
Instead of simply printing out the $PHP_AUTH_USER and
$PHP_AUTH_PW, you would probably want to check the username and
password for validity. Perhaps by sending a query to a database,
or by looking up the user in a dbm file.
Watch out for buggy Internet Explorer browsers out there. They
seem very picky about the order of the headers. Sending the
WWW-Authenticate header before the
HTTP/1.0 401 header seems to do the trick
for now.
In order to prevent someone from writing a script which reveals
the password for a page that was authenticated through a
traditional external mechanism, the PHP_AUTH variables will not be
set if external authentication is enabled for that particular
page. In this case, the $REMOTE_USER variable can be used to
identify the externally-authenticated user.
Note, however, that the above does not prevent someone who
controls a non-authenticated URL from stealing passwords from
authenticated URLs on the same server.
Both Netscape and Internet Explorer will clear the local browser
window's authentication cache for the realm upon receiving a
server response of 401. This can effectively "log out" a user,
forcing them to re-enter their username and password. Some people
use this to "time out" logins, or provide a "log-out" button.
This behavior is not required by the HTTP Basic authentication
standard, so you should never depend on this. Testing with Lynx
has shown that Lynx does not clear the authentication credentials
with a 401 server response, so pressing back and then forward
again will open the resource (as long as the credential
requirements haven't changed).
Also note that this does not work using Microsoft's IIS server and
the CGI version of PHP due to a limitation of IIS.
|
