PHP’s HTTP authentication mechanism only works when PHP is running as an Apache module, so this feature does not apply to the CGI version. In the PHP script of the Apache module, you can use the header() function to send "Authentication Required" information to the client browser, causing it to pop up a username/password input window. When the user enters the username and password, the PHP script containing the URL will add the predefined variables PHP_AUTH_USER, PHP_AUTH_PW and AUTH_TYPE and be called again. These three variables are set to the username, password and authentication type respectively. Predefined variables are stored in the $_SERVER or $HTTP_SERVER_VARS array. Supports "Basic" and "Digest" (since PHP 5.1.0) authentication methods. See the header() function for more information.
PHP version issue: Autoglobals global variables, including $_SERVER, etc., are valid since PHP 4.1.0, $HTTP_SERVER_VARS is valid since PHP 3.
The following is an example script to force client authentication on the page:
Example 34-1. Basic HTTP authentication example
if (!isset( $_SERVER [ 'PHP_AUTH_USER' ])) {
header ( 'WWW-Authenticate: Basic realm="My Realm"' );
header ( 'HTTP/1.0 401 Unauthorized' );
echo 'Text to send if user hits Cancel button' ;
exit;
} else {
echo "Hello { $_SERVER [ 'PHP_AUTH_USER' ]} . echo "
You entered { $_SERVER [ 'PHP_AUTH_PW' ]} as your password.
" ;
}
?>
Example 34-2. Digest HTTP authentication exampleThis example demonstrates how to implement a simple Digest HTTP authentication script. Please refer to RFC 2617 for more information.
$realm = 'Restricted area' ;
//user => password
$users = array( 'admin' => 'mypass ' , 'guest' => 'guest' );
if (!isset( $_SERVER [ 'PHP_AUTH_DIGEST' ])) {
header ( 'HTTP/1.1 401 Unauthorized' ) ;
header ( 'WWW-Authenticate: Digest realm="' . $realm .
'" qop="auth" nonce="' . uniqid (). '" opaque="' . md5 ( $realm ). '"' );die( 'Text to send if user hits Cancel button' );
}// analize the PHP_AUTH_DIGEST variable
preg_match ( '/ username="(?P.*)",s*realm="(?P .*)",s*nonce="(?P .*)",s*uri= "(?P .*)",s*response="(?P .*)",s*opaque="(?P .*)",s*qop=(? P .*),s*nc=(?P .*),s*cnonce="(?P .*)"/' , $_SERVER [ 'PHP_AUTH_DIGEST' ], $digest ); if (!isset( $users [ $digest [ 'username' ]]))
die( 'Username not valid!' );
// generate the valid response
$A1 = md5 ( $digest [ 'username' ] . ':' . $realm . ':' . $users [ $digest [ 'username' ]]);
$A2 = md5 ( $_SERVER [ 'REQUEST_METHOD' ]. ':' . $digest [ 'uri' ]);
$valid_response = md5 ( $A1 . ':' . $digest [ 'nonce' ]. ':' . $digest [ 'nc' ]. ':' . $digest [ 'cnonce' ]. ':' . $digest [ 'qop' ]. ':' . $A2 );if ( $digest [ 'response' ] != $valid_response )
die( 'Wrong Credentials!' );// ok, valid username & password
echo 'Your are logged in as: ' . $ digest [ 'username' ];?>
Compatibility issues: Please take extra care when writing HTTP header code careful. To ensure compatibility with all clients, the first letter of the keyword "Basic" must be capitalized "B", the delimiting string must be quoted in double quotes (not single quotes); and in the header line HTTP/1.0 401 , there must be exactly one space before 401.
In the above example, only the values of PHP_AUTH_USER and PHP_AUTH_PW are printed, but in actual application, it may be necessary to check the legitimacy of the user name and password. Perhaps perform a database tutorial query, or retrieve from a dbm file.
Note that some Internet Explorer browsers have their own issues. It seems a bit fussy about the order of headers. It currently appears that sending the WWW-Authenticate header before sending the HTTP/1.0 401 may resolve this issue.
As of PHP 4.3.0, in order to prevent someone from writing a script to obtain the password from a page authenticated with traditional external mechanisms, when external authentication is valid for a specific page and security mode is turned on, the PHP_AUTH variable will will not be set. However, REMOTE_USER can be used to identify externally authenticated users, so the $_SERVER['REMOTE_USER'] variable can be used.
Configuration instructions: PHP uses the AuthType directive to determine whether the external authentication mechanism is valid.
Note that this still does not prevent someone from stealing passwords via an unauthenticated URL from an authenticated URL on the same server.
Both Netscape Navigator and Internet Explorer browsers will clear the Windows authentication cache of all local browsers in the entire domain when receiving a 401 server return message. This can effectively log out a user and force them to re-enter their username and password. Some people use this method to "expire" login status, or as a responsive behavior for a "logout" button.
Example 34-3. Example of HTTP authentication that forces re-entering username and password
function authenticate () {
header ( 'WWW -Authenticate: Basic realm="Test Authentication System"' );
header ( 'HTTP/1.0 401 Unauthorized' );
echo "You must enter a valid login ID and password to access this resourcen" ;
exit;
}if (!isset( $_SERVER [ 'PHP_AUTH_USER' ]) ||
( $_POST [ 'SeenBefore' ] == 1 && $_POST [ 'OldAuth' ] == $_SERVER [ 'PHP_AUTH_USER' ])) {
authenticate ();
}
else {
echo "Welcome: { $_SERVER [ 'PHP_AUTH_USER' ]} < br />" ;
n" ;
echo "Old: { $_REQUEST [ 'OldAuth' ]} " ;
echo "
}
It is not required and therefore cannot be relied upon. Testing of the Lynx browser shows that Lynx will not clear the authentication file when receiving the 401 server return information. Therefore, as long as the inspection requirements for the authentication file do not change, as long as the user clicks the "Back" button and then clicks the "Forward" button, Its original resources can still be accessed. However, users can clear their authentication information by pressing the "_" key
In the following example, we use the two variables $PHP_AUTH_USER and $PHP_AUTH_PW to verify whether the entrant is legal and allow entry . In this example, the user name and password pairs allowed to log in are tnc and nature respectively:
if(!isset($PHP_AUTH_USER)) { Header("WWW-Authenticate: Basic realm="My Realm""); Header("HTTP/1.0 401 Unauthorized"); echo "Text to send if user hits Cancel buttonn"; $PHP_AUTH_USER=="tnc" && $PHP_AUTH_PW=="nature") ) { // If it is a wrong username/password pair, force re-authentication Header("WWW-Authenticate: Basic realm="My Realm""); Header("HTTP/1.0 401 Unauthorized"); echo "ERROR : $PHP_AUTH_USER/$PHP_AUTH_PW is invalid."; exit; } else { echo "Welcome tnc!";} ?>
In fact, in actual references, it is unlikely to use the obvious user name/password pair in the code snippet above, but to use a database or encryption password file to access them.
6.3 Verify user identity based on specified verification information
First, we can use the following code to determine whether the user has entered the username and password, and display the information entered by the user.
if (!isset($PHP_AUTH_USER)) { header('WWW-Authenticate: Basic realm="My Private Stuff" ');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
