
HTTP Authentication with Sessions

HTTP provides two authentication methods: Basic and Digest. This tutorial covers only the Basic method and uses it together with PHP sessions.

To use HTTP authentication, PHP sends a response header (WWW-Authenticate) that asks the browser to start an authentication dialog. When you visit such a page, a “Sign in” dialog box asks for two fields, username and password:

The browser prompts for a username and a password.

Using HTTP to Secure PHP Pages

When you send an HTTP status code 401 (Unauthorized) together with a WWW-Authenticate header, the browser prompts the user for a username and a password and sends them back with its next request. They are then available to PHP as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

Note: These HTTP authentication variables are filled in only when PHP runs as a server module, not in Common Gateway Interface (CGI) mode.

<?php
 //Set your own username and password
 $username = 'Admin';
 $password = 'your-password';

 //User submitted values (filled in by PHP when it runs as a server module)
 $user = $_SERVER['PHP_AUTH_USER'] ?? '';
 $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

 //Validate username and password. hash_equals() is a strict, constant-time
 //string comparison; != would compare numeric-looking strings as numbers.
 if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
  header('WWW-Authenticate: Basic realm="Member area"');
  header('HTTP/1.0 401 Unauthorized');
  echo 'You\'ve not provided the credentials.';
  exit;
 }
 //Show secured content to logged-in user
 echo 'You are logged-in';

  1. $_SERVER['PHP_AUTH_USER']: the username provided by the user.
  2. $_SERVER['PHP_AUTH_PW']: the password provided by the user.
  3. header('WWW-Authenticate: Basic realm="Member area"'): the response header that challenges the browser with the Basic HTTP authentication method; the realm names the protected area and is shown in the sign-in dialog. The other method is Digest.
  4. header('HTTP/1.0 401 Unauthorized'): sets the response status (this is the form the PHP manual uses; a 'Status:' header is the CGI convention and is not the portable way to set the status code). If the user clicks Cancel in the dialog, the browser shows this 401 response, so the script prints the error message and stops.

You can then check this and decide whether to send out a 401 header again or show the page’s actual contents. The preceding code shows an implementation for that.
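The challenge/response described above can also be handled without relying on PHP_AUTH_USER and PHP_AUTH_PW, which helps when PHP runs under CGI or FastCGI. The following is an added example, not code from the original tutorial: it decodes the raw Authorization header (the browser sends Basic base64("user:password")), verifies the password against a stored password_hash() value rather than a plaintext string, and issues the 401 challenge when verification fails. It assumes the web server forwards the Authorization header to PHP as $_SERVER['HTTP_AUTHORIZATION'] (Apache, for example, withholds it from CGI/FastCGI handlers unless told otherwise, e.g. CGIPassAuth On in 2.4.13+); the user table and password are constructed for the example.

```php
<?php
// Added example (not from the original tutorial): decode the Basic Authorization
// header yourself and verify against a password hash.
declare(strict_types=1);

// Returns [user, password] or null when the header is not a valid Basic credential.
function parseBasicAuthorization(?string $header): ?array
{
    if ($header === null) {
        return null;
    }
    // The scheme name is case-insensitive; the token after it is base64(user:password).
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects malformed input
    if ($decoded === false) {
        return null;
    }
    // The user-id may not contain ':' but the password may, so split on the first colon only.
    $parts = explode(':', $decoded, 2);
    return count($parts) === 2 ? $parts : null;
}

// Prefer the values PHP fills in as a server module; fall back to the raw header
// (assumption: the server passes it through as HTTP_AUTHORIZATION).
function requestCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    return parseBasicAuthorization($server['HTTP_AUTHORIZATION'] ?? null);
}

// $users maps username => password_hash() output; password_verify() does a
// constant-time comparison against the stored hash.
function checkCredentials(array $users, ?array $cred): bool
{
    if ($cred === null) {
        return false;
    }
    [$user, $pass] = $cred;
    $hash = $users[$user] ?? null;
    return $hash !== null && password_verify($pass, $hash);
}

// Challenge the browser when the request carries no valid credentials,
// otherwise return the authenticated username.
function requireBasicAuth(array $users): string
{
    $cred = requestCredentials($_SERVER);
    if (!checkCredentials($users, $cred)) {
        header('WWW-Authenticate: Basic realm="Member area", charset="UTF-8"');
        http_response_code(401);
        exit('Authentication required.');
    }
    return $cred[0];
}

// Constructed account for this example. In a real deployment the hash is stored
// (database, config file) and never recomputed from a plaintext password per request.
$users = ['Admin' => password_hash('your-password', PASSWORD_DEFAULT)];

$who = requireBasicAuth($users);
echo 'You are logged in as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Splitting on the first colon matters because RFC 7617 forbids a colon in the user-id but not in the password; splitting on every colon would silently truncate such passwords and reject valid logins.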

Logging Out from HTTP Authentication

Once a user has been authenticated, they cannot log out unless they close and reopen all browser windows, because the browser keeps sending the same username and password to PHP with every request.

You can also pass the username and password in the URL itself; such a URL looks like this:

http://Admin:your-password@localhost/example.php

A very simple hack that works in many browsers is to send a wrong username or password in the URL (or create a link to it), for example:

http://log:out@your-domain.com/script.php

echo '<a href="http://Guest:WrongPass@localhost/example.php">Logout Now</a>.';

HTTP Basic Authentication with Logout Link:

<?php
 //Set your own username and password
 $username = 'Admin';
 $password = 'your-password';

 //User submitted values
 $user = $_SERVER['PHP_AUTH_USER'] ?? '';
 $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

 //Validate username and password (strict, constant-time comparison)
 if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
  header('WWW-Authenticate: Basic realm="Member area"');
  header('HTTP/1.0 401 Unauthorized');
  echo 'You\'ve not provided the credentials.';
  exit;
 }
 //Show secured content to logged-in user, with a link that replaces the
 //cached credentials with wrong ones so the browser is challenged again
 echo '<p>You are logged-in.
       <a href="http://Admin:wrong-password@localhost/example.php">
       Logout Now</a>.</p>';

Note: Putting credentials in the URL this way should be avoided, because:

  1. The username and password appear in clear text in the web server logs.
  2. The URL also appears in the browser history, so anyone who can view the history can log in to the secure area.

For more information visit https://php.net/manual/features.http-auth.php.

Using PHP Sessions

You can use PHP sessions if you want a single HTTP authentication to cover the whole member area. What you need is to start the session and set an authorized session variable once the credentials have been verified:

<?php
 //Start the session before any output is sent
 session_start();

 //Set your own username and password
 $username = 'Admin';
 $password = 'your-password';

 //User submitted values
 $user = $_SERVER['PHP_AUTH_USER'] ?? '';
 $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

 //Validate username and password (strict, constant-time comparison)
 if (!hash_equals($username, $user) || !hash_equals($password, $pass)) {
  header('WWW-Authenticate: Basic realm="Member area"');
  header('HTTP/1.0 401 Unauthorized');
  echo 'You\'ve not provided the credentials.';
  exit;
 }
 //Issue a fresh session id after login so a session id fixed before
 //authentication cannot be reused, then mark the session as authorized
 session_regenerate_id(true);
 $_SESSION['authorized'] = 1;

 //Show secured content to logged-in user
 echo '<p>You are logged-in.</p>';

The following code must be included (with require_once) at the top of every page that is only accessible to authorized users:

<?php
 session_start();
 if ( ! isset($_SESSION['authorized']) ) {
  $current_url = urlencode( $_SERVER['PHP_SELF'] );
  header("Location: login.php?redirect=$current_url");
  //Stop here: without exit the protected content below would still be sent
  exit;
 }
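A guard like the one above is usually shared by every protected page, so it is worth putting the session handling in one file. The following is an added example, not code from the original tutorial: it starts the session with hardened cookie attributes, regenerates the id when a user is marked as authorized, enforces an idle timeout, redirects unauthorized requests to login.php (the file name the tutorial uses) and ends the session properly on logout. It assumes the site is served over HTTPS (the cookie is marked Secure) and PHP 7.3 or newer (array form of session_set_cookie_params and setcookie); the timeout value is constructed for the example.

```php
<?php
// Added example (not from the original tutorial): reusable session gate
// for protected pages plus a logout helper.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60; // constructed value for this example

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS (assumption: site uses HTTPS)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not attached to cross-site POST requests
    ]);
    session_start();
}

// Call after the credentials have been verified (e.g. by the Basic auth check).
function markAuthorized(string $user): void
{
    session_regenerate_id(true);   // new id after login defeats session fixation
    $_SESSION['authorized'] = 1;
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
}

// True when the session may see protected content; also enforces the idle timeout.
function isAuthorized(array &$session, int $now): bool
{
    if (($session['authorized'] ?? 0) !== 1) {
        return false;
    }
    if ($now - ($session['last_seen'] ?? 0) > IDLE_TIMEOUT_SECONDS) {
        return false;              // idle too long: treat as logged out
    }
    $session['last_seen'] = $now;  // sliding window
    return true;
}

// require_once this file and call requireAuthorized() at the top of every protected page.
function requireAuthorized(string $loginUrl = 'login.php'): void
{
    startSecureSession();
    if (!isAuthorized($_SESSION, time())) {
        endSession();
        // REQUEST_URI keeps the query string, which PHP_SELF drops
        $redirect = urlencode($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . $loginUrl . '?redirect=' . $redirect);
        exit;                      // stop here, or the protected content is still sent
    }
}

// logout.php: forget everything server-side and expire the cookie client-side.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Usage in the login script, after the Basic credentials have been verified:
//   startSecureSession(); markAuthorized($user);
// Usage in each protected page:
//   require_once 'guard.php'; requireAuthorized();
```

Ending the session only clears the server-side state. As the tutorial explains, the browser keeps replaying the Basic credentials, so a login page that accepts them unconditionally will re-authorize the user on the very next request; if a real logout is needed, the login page has to be able to tell a post-logout request apart from a first visit.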

For details, see Creating a Secured Member Area using Sessions.

