Basic HTTP Authentication With PHP

Basic HTTP authentication is rudimentary method of requesting a username and password, then allowing or denying access based on the credentials entered. You’ve probably seen it in action somewhere or another. If you try to subscribe to a protected RSS feed, such as the feed for your friends timeline on Twitter, for example.

It’s not the most user-friendly way to authenticate a user, but it has it’s uses. It’s great for APIs and other things where a pretty interface isn’t being delivered, where a more low-level solution is required. It’s also good for restricting access to parts of your server that most people just don’t need to be accessing.

Basic HTTP Authentication

Now how do you do that for yourself? It’s a fairly simple matter with PHP. Basically you send an HTTP/1.0 401 Unauthorized header, and a WWW-Authenticate: Basic realm="Name of Realm". This tells the client that it’s not authorized to view the page, and that it should try to become authorized.

That’s all it takes to have the little box show up and demand a username and password. Now all you have to do is check the submitted username and password against the correct ones. Simply check the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] global variables.

Here’s an example of a minimal script to request and check a username and password:

<?php

if ( !isset($_SERVER['PHP_AUTH_USER']) ) {
header('WWW-Authenticate: Basic realm="You Shall Not Pass"');
header('HTTP/1.0 401 Unauthorized');
exit;
}
else {
if ( $_SERVER['PHP_AUTH_USER'] == 'me' && $_SERVER['PHP_AUTH_PW'] == 'password' ) {
echo "<p>Welcome, {$_SERVER['PHP_AUTH_USER']}.</p>";
} else {
echo "Wrong password, Balrog!";
}
}

?>

A quick word of caution: Whenever you store passwords, be they in a database, text file or simply hard-coded into the script, you should always encrypt them with a one-way hash. The PHP Security Consortium has an article on how to do this.

  • http://ineeddiscipline.com/2008/07/04/19-blog-review-networks/ Dean Saliba

    I've seen some blogs have this on their posts. I'm not sure why they would want to block people from reading their blogs.

  • http://intensedebate.com/people/redwall_hp redwall_hp

    I don't know either, I wouldn't. It's great for things like API authentication, protected RSS, or things like that, though. Twitter uses it, for example. Try accessing this feed link: http://twitter.com/statuses/friends_timeline/1273

  • http://intensedebate.com/people/redwall_hp redwall_hp

    I don't know either, I wouldn't. It's great for things like API authentication, protected RSS, or things like that, though. Twitter uses it, for example. Try accessing this feed link: http://twitter.com/statuses/friends_timeline/1273

  • http://scriptime.blogspot.in/ midhun

    The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version. In an Apache module PHP script, it is possible to use the header () function to send an “Authentication…http://scriptime.blogspot.in/2.....n-php.html

    • http://www.webmaster-source.com Matt

      Wow, I’ve never actually heard of somebody who is still using PHP over CGI. It’s a bit of a fringe thing. Thanks for the information, though.

      (On a related note, HTTP authentication also works fine over php-fpm, which is a growing alternative to Apache’s mod_php, especially with alternate servers like NGINX gaining traction.)

  • ankur

    This is complete game of http header manipulation via php. Got some basics from http://www.techflirt.com/http-.....cation-php