Use PHP to simulate HTTP authentication_PHP tutorial

If you wish to implement password protection on a per-script basis, you can create a basic authentication mechanism by combining the header() function with the $PHP_AUTH_USER and $PHP_AUTH_PW global variables. The usual server-based authentication request/response process is as follows:

1. The user requests a file from a Web server. If the file is within a protected area, the server responds by adding a 401 (Illegal User) string to the header of the response data.

2. The browser pops up the username/password dialog box after seeing the response.

3. The user enters the username and password in the dialog box, and then clicks "OK" to send this information back to the server for authentication.

4. If the username and password are valid, the protected files will be displayed to the user. This confirmation will remain valid for as long as the verified user is within the protected area.

A simple PHP script can simulate the HTTP authentication request/response system by sending the appropriate HTTP headers to automatically display the username/password dialog on the client screen. PHP stores user input dialog information in the $PHP_AUTH_USER and $PHP_AUTH_PW variables. By using these variables, you can store the list of non-compliant username/password checks in a text file, database, or wherever you wish.

Note: The $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE global variables are only valid when PHP is installed as a module. If you are using the CGI version of PHP, you will be limited to using htaccess-based authentication or database-based authentication, and letting users enter their username and password through an HTML form, and then letting PHP complete the validity check.

This example shows a validation check for two hardware-encoded values, which are theoretically identical regardless of where the username and password are stored.

/* Check the values ​​of variables $PHP_AUTH_USER and $PHP_AUTH_PW*/

if ((!isset($PHP_AUTH_USER)) || (!isset( $PHP_AUTH_PW))) {

/* Null value: Send the data header to generate the display text box*/

header('WWW-Authenticate: Basic realm="My Private Stuff"' );

header('HTTP/1.0 401 Unauthorized');

echo 'Authorization Required.';

exit;

} else if ( (isset($PHP_AUTH_USER)) && (isset($PHP_AUTH_PW))){

/* The variable value exists, check whether it is correct*/

if (($PHP_AUTH_USER != "validname ") || ($PHP_AUTH_PW != "goodpassword")) {

/* If the user name is entered incorrectly or the password is entered incorrectly, the data header that generates the text box will be sent */

header ('WWW-Authenticate: Basic realm="My Private Stuff"');

header('HTTP/1.0 401 Unauthorized');

echo 'Authorization Required.';

exit;

} else if (($PHP_AUTH_USER == "validname") || ($PHP_AUTH_PW == "goodpassword")) {

/* Both username and password Correct, output success message*/

echo "

You're authorized!

";

}

}

?>

It must be reminded that when you are using file-based protection, this method does not provide comprehensive security for the directory. . This may be obvious to most people, but if your brain makes a connection between popping up a dialog box and protecting a given directory, you should think about it further. .

Julie Meloni is the technical director of i2i Interactive and a strong promoter of the Linux and open source communities. She has written numerous books on PHP and other technologies, and is a long-time contributing expert to CNET Builder.com.

http://www.bkjia.com/PHPjc/314485.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/314485.htmlTechArticleIf you want to implement password protection on a per-script basis, you can combine it with the header() function and $PHP_AUTH_USER, $PHP_AUTH_PW global variables to create a basic...