Chapter 31. HTTP authentication with PHP

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and are hence not available in the CGI version. In an Apache module PHP script, it is possible to use the header() function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER and $HTTP_SERVER_VARS arrays. Only "Basic" authentication is supported. See the header() function for more information.

PHP Version Note: Autoglobals, such as $_SERVER, became available in PHP 4.1.0. $HTTP_SERVER_VARS has been available since PHP 3.

An example script fragment which would force client authentication on a page is as follows:

Example 31-1. HTTP Authentication example

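<?php
// No credentials yet: challenge the browser so it prompts for a username and password.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Escape the values before echoing them: they come straight from the request.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES);
    $pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES);
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$pw} as your password.</p>";
}
?>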

Compatibility Note: Please be careful when coding the HTTP header lines. In order to guarantee maximum compatibility with all clients, the keyword "Basic" should be written with an uppercase "B", the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the 401 code in the HTTP/1.0 401 header line.

Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity, perhaps by sending a query to a database or by looking up the user in a dbm file.

Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button.

Example 31-2. HTTP Authentication example forcing a new name/password

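<?php
// Send the 401 challenge; browsers that clear their cache will prompt again.
function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

// Values posted back by the form below; absent on the first visit.
$seenBefore = isset($_POST['SeenBefore']) ? $_POST['SeenBefore'] : '';
$oldAuth    = isset($_POST['OldAuth']) ? $_POST['OldAuth'] : '';

if (!isset($_SERVER['PHP_AUTH_USER']) ||
    ($seenBefore == 1 && $oldAuth == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    // Escape everything that originates from the request before echoing it.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES);
    $old  = htmlspecialchars(isset($_REQUEST['OldAuth']) ? $_REQUEST['OldAuth'] : '', ENT_QUOTES);
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    echo "<p>Welcome: {$user}<br />";
    echo "Old: {$old}</p>";
    echo "<form action='{$self}' method='post'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1' />\n";
    echo "<input type='hidden' name='OldAuth' value='{$user}' />\n";
    echo "<input type='submit' value='Re Authenticate' />\n";
    echo "</form>\n";
}
?>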

This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven't changed. The user can press the '_' key to clear their authentication information, however.

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and check only "Anonymous Access"; all other fields should be left unchecked.

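Another limitation is that if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables; instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code:

<?php
// Strip the leading "Basic " (6 characters), decode, and split on the first ':' only,
// so a password that itself contains ':' is not truncated.
list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
?>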

IIS Note: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.
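
The credential check suggested earlier in this chapter (validating PHP_AUTH_USER and PHP_AUTH_PW instead of printing them), combined with the HTTP_AUTHORIZATION fallback described for the ISAPI case, as an added example that is not part of the manual. It assumes PHP 5.5 or later for password_hash() and password_verify(); the $users array, the account in it and the two helper function names are constructed for illustration and stand in for the database or dbm lookup.

```php
<?php
// Added example, not from the manual. Requires PHP 5.5+.
// Constructed account store (user "alice", password "correct horse");
// it stands in for the database or dbm lookup.
$users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));

// Return array(user, password), or null when no usable credentials were sent.
function basic_credentials(array $server)
{
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    // Fallback for setups (such as ISAPI) that only expose the raw header.
    $header = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true); // strict mode rejects bad base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // limit 2: the password may contain ':'
}

// True only when the user exists and the password matches the stored hash.
function credentials_valid(array $users, $user, $password)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    // Unknown users are checked against a dummy hash so both paths do the same work.
    $known = isset($users[$user]);
    $hash = $known ? $users[$user] : $dummy;
    return password_verify($password, $hash) && $known;
}

$creds = basic_credentials($_SERVER);
if ($creds === null || !credentials_valid($users, $creds[0], $creds[1])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}
echo '<p>Hello ' . htmlspecialchars($creds[0], ENT_QUOTES) . '.</p>';
?>
```

Storing only password hashes means a leaked user table does not directly expose the passwords that Basic authentication sends with every request.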
