[nycphp-talk] NEW PHundamentals Question - HTTP Authentication

csnyder chsnyder at gmail.com
Fri Oct 22 19:47:34 EDT 2004


While it's true that auth over SSL is the ideal situation, for sites
on a virtual host I find HTTP Digest Authentication to be an
acceptable compromise, and not really any harder to set up in an
.htaccess context.

But I think this is a PHundamental because of PHP's built-in support
for requesting a username and password via Basic Authentication. The
idea is that you put:

   header( 'WWW-Authenticate: Basic realm="Members Only"' );
   header( 'HTTP/1.0 401 Unauthorized' );

at the top of your script, which causes the browser to cough up one of
those little username/password dialogs. On submit, the request comes
back to your script with $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'], as documented in the manual here:
http://www.php.net/manual/en/features.http-auth.php

So now you can look those up in a MySQL table or something (or DBM if
you like) and allow access or not.

I've always thought it was a silly feature -- why not just code a
login form? But I can see the utility for intranet applications, where
you don't need it to be pretty and you don't need all the "Forgot your
password?" and "Register here" stuff.
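
The challenge-and-lookup flow described in the message above, as an added example that is not part of the original post. The $users array is a constructed stand-in for the MySQL or DBM table, and the function name basic_auth_user is hypothetical. Basic Authentication sends the password merely base64-encoded on every request, so the point about SSL in the message applies to this code.

```php
<?php
declare(strict_types=1);

// Constructed sample store standing in for the MySQL or DBM lookup.
// A real table would hold hashes created once with password_hash(),
// never the plaintext password.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash of a throwaway value, verified when the username is unknown so that
// known and unknown usernames take a similar time to reject.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

/**
 * Returns the authenticated username, or null when credentials are
 * missing or wrong. $server is normally $_SERVER.
 */
function basic_auth_user(array $server, array $users, string $dummyHash): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null; // first request: the browser has not sent credentials yet
    }
    $known = array_key_exists($user, $users);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return ($known && $ok) ? $user : null;
}

$user = basic_auth_user($_SERVER, $users, $dummyHash);
if ($user === null) {
    // Same challenge as in the message; the browser shows its login dialog
    // again after a failed attempt.
    header('WWW-Authenticate: Basic realm="Members Only"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit; // stop here so no protected content is sent with the 401
}

// The username is attacker-controlled input: escape it before output.
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```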


