Using HTTP to Secure PHP Pages

To use HTTP authentication, PHP sends a response header asking the browser to start an authentication dialog. When you visit that page, a "Sign in" dialog box requests two fields, username and password.

When you send an HTTP status code 401 (Unauthorized), browsers prompt the client for a username and a password. This information is then available to the script in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
Note: The HTTP authentication is available only if you are running PHP as a server module, not in Common Gateway Interface (CGI) mode.
<?php
// Set your own username and password
$username = 'Admin';
$password = 'your-password';

// User submitted values
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

// Validate username and password (hash_equals() compares in constant time)
if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
    header('WWW-Authenticate: Basic realm="Secured Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You\'ve not provided the credentials.';
    exit;
}

// Show secured content to logged-in user
echo 'You are logged-in';
- $_SERVER['PHP_AUTH_USER']: the username provided by the user.
- $_SERVER['PHP_AUTH_PW']: the password provided by the user.
- header('WWW-Authenticate: Basic realm="..."'): the response header that asks the browser for credentials, using the Basic HTTP authentication method. The other method is Digest. The realm is the text shown in the browser's sign-in dialog.
- header('HTTP/1.0 401 Unauthorized'): sends the 401 status line. (The older CGI-style header('Status: 401 Unauthorized') is only interpreted under CGI/FastCGI; when PHP runs as a server module, use the 'HTTP/1.0 ...' form or http_response_code(401).)
- If the user clicks Cancel in the dialog, no credentials are sent, so the script reaches the lines after the headers, prints the error message and stops at exit.

You can then check the submitted values and decide whether to send the 401 header again or show the page's actual contents. The preceding code shows an implementation of that.
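The following is an added example, not code from the original article: a reusable Basic-auth helper that, besides $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], also decodes the raw "Authorization: Basic" header when a CGI/FastCGI setup passes it through as HTTP_AUTHORIZATION (or REDIRECT_HTTP_AUTHORIZATION, an assumed server configuration), verifies the password against a password_hash() result instead of a plaintext string, and sends a proper 401 challenge with a realm. The account name, password and realm are constructed sample values.

```php
<?php
// Added example (not from the original article): Basic auth helper that also
// works when PHP only sees the raw Authorization header, compares against a
// password hash, and sends a 401 challenge with a realm.

// Assumption: a single account stored as a password_hash() result. The hash is
// constructed here from a sample password; in practice load it from config/DB.
const AUTH_USERNAME = 'Admin';
$auth_password_hash = password_hash('your-password', PASSWORD_DEFAULT);

/**
 * Return [username, password] from the request, or null if none was sent.
 * Prefers PHP_AUTH_USER/PHP_AUTH_PW (module mode) and falls back to decoding
 * "Authorization: Basic base64(user:pass)" if the server exposes the header.
 */
function basic_auth_credentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    // REDIRECT_HTTP_AUTHORIZATION is an assumed name used by some rewrite setups.
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);   // strict: reject junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first ':' only; the password itself may contain ':'.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/**
 * Send the 401 challenge and stop. The realm is shown in the browser dialog
 * and is what the browser keys its cached credentials on.
 */
function deny_with_challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You\'ve not provided the credentials.';
    exit;
}

/** Enforce Basic auth for this page; returns the authenticated username. */
function require_basic_auth(string $password_hash, string $realm = 'Secured Area'): string
{
    $creds = basic_auth_credentials();
    if ($creds === null) {
        deny_with_challenge($realm);
    }
    [$user, $pass] = $creds;
    // hash_equals() and password_verify() both run in constant time, so a
    // wrong guess cannot be distinguished byte by byte through response timing.
    $user_ok = hash_equals(AUTH_USERNAME, $user);
    $pass_ok = password_verify($pass, $password_hash);
    if (!$user_ok || !$pass_ok) {
        deny_with_challenge($realm);
    }
    return $user;
}

$who = require_basic_auth($auth_password_hash);
echo 'You are logged-in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Both checks are evaluated before the branch so that a wrong username and a wrong password take the same path; the username is echoed through htmlspecialchars() because it is attacker-controlled input.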
Logging Out from HTTP Authentication
Once a user has been authenticated, they cannot log out unless they close and reopen all browser windows, because the browser keeps returning the same username and password to PHP.

You can pass a username and password in the URL itself; a URL carrying credentials looks like this:
http://Admin:your-password@localhost/example.php
A very simple hack that works in many browsers is to send the wrong username or password in the URL (or create a link to it), for example:
http://log:out@your-domain.com/script.php
echo '<a href="http://Guest:WrongPass@localhost/example.php">Logout Now</a>.';
HTTP Basic Authentication with Logout Link:
<?php
// Set your own username and password
$username = 'Admin';
$password = 'your-password';

// User submitted values
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

// Validate username and password (hash_equals() compares in constant time)
if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
    header('WWW-Authenticate: Basic realm="Secured Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You\'ve not provided the credentials.';
    exit;
}

// Show secured content to logged-in user; the link sends wrong credentials so
// the browser forgets the cached ones and the next request gets a 401 again
echo '<p>You are logged-in. <a href="http://Admin:wrong-password@localhost/example.php">Logout Now</a>.</p>';
Note: Passing credentials in the URL like this should be avoided, because:
- The username and password show up clearly in the web server logs.
- The URL also shows up in the browser history and anyone can log in to the secure area by viewing the history.
For more information visit https://php.net/manual/features.http-auth.php.
Using PHP Sessions
You can use PHP sessions if you want HTTP authentication to take effect on the whole member area. What you need is to activate the session and set the authorized session variable:
<?php
// Set your own username and password
$username = 'Admin';
$password = 'your-password';

// User submitted values
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

// Validate username and password (hash_equals() compares in constant time)
if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
    header('WWW-Authenticate: Basic realm="Secured Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You\'ve not provided the credentials.';
    exit;
}

// Start the session and mark it as authorized; a fresh session id after
// login prevents session fixation
session_start();
session_regenerate_id(true);
$_SESSION['authorized'] = 1;

// Show secured content to logged-in user
echo '<p>You are logged-in.</p>';
The following code must be included (with require_once) in every page that is only accessible to authorized users:

<?php
session_start();
if (!isset($_SESSION['authorized'])) {
    $current_url = urlencode($_SERVER['PHP_SELF']);
    header("Location: login.php?redirect=$current_url");
    exit; // without exit the protected page would still be sent after the redirect header
}
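As an added example that is not part of the original article, the helpers below put the session approach together: a guard for protected pages, a login handler that regenerates the session id, a check that the redirect parameter can only point back into this site (so login.php cannot be used to bounce users to another host), and a logout that actually destroys the session, which is the part HTTP Basic authentication alone cannot offer. The file name auth.php, the account name and the password hash are assumed sample values.

```php
<?php
// Added example (not from the original article). Assumed layout: this file is
// auth.php and is require_once'd by login.php, logout.php and every member page.

session_start();

// Assumption: a single account stored as a password_hash() result. The hash is
// constructed here from a sample password; in practice load it from config/DB.
const MEMBER_USERNAME = 'Admin';
$member_password_hash = password_hash('your-password', PASSWORD_DEFAULT);

/**
 * Only accept a return path that is a relative path on this site, so the
 * "redirect" parameter cannot send the user to another host after login.
 */
function safe_redirect_target(string $candidate, string $fallback = '/'): string
{
    // Must start with exactly one "/" (not "//host" or "/\host") and contain no CR/LF.
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $candidate)
        && parse_url($candidate, PHP_URL_HOST) === null) {
        return $candidate;
    }
    return $fallback;
}

/** Mark the session as logged in; a new id defeats session fixation. */
function login_session(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['authorized'] = 1;
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

/** Guard for member pages: send anonymous users to login.php with a return path. */
function require_login(): void
{
    if (empty($_SESSION['authorized'])) {
        $current = urlencode($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: login.php?redirect=' . $current);
        exit; // without exit the protected page would still be sent
    }
}

/** Destroy the session server-side and expire its cookie, so logout is real. */
function logout_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * login.php handler: on a POST with username/password, verify them against the
 * stored hash, start the session and return to the (validated) target page.
 */
function handle_login_post(string $expected_user, string $password_hash): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return; // GET: let login.php render its form
    }
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    // Constant-time comparisons for both values, evaluated before branching.
    $user_ok = hash_equals($expected_user, $user);
    $pass_ok = password_verify($pass, $password_hash);
    if ($user_ok && $pass_ok) {
        login_session($user);
        header('Location: ' . safe_redirect_target($_GET['redirect'] ?? '/'));
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
    exit;
}
```

Usage: login.php calls handle_login_post(MEMBER_USERNAME, $member_password_hash) before printing its form, every member page calls require_login() right after the require_once, and logout.php calls logout_session() and then redirects to the public start page.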
For detail visit Creating a Secured Member Area using Sessions.
Cookies and Sessions: