mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-17 01:18:55 +00:00
7d8f4d9108
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@96734 c90b9560-bf6c-de11-be94-00142212c4b1
192 lines
6.8 KiB
XML
192 lines
6.8 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!-- $Revision: 1.28 $ -->
|
|
<chapter id="features.http-auth">
|
|
<title>HTTP authentication with PHP</title>
|
|
|
|
<simpara>
|
|
The HTTP Authentication hooks in PHP are only available when it is
|
|
running as an Apache module and is hence not available in the CGI version.
|
|
In an Apache module PHP script, it is possible to use the
|
|
<function>header</function> function to send an "Authentication Required"
|
|
message to the client browser causing it to pop up a Username/Password
|
|
input window. Once the user has filled in a username and a password,
|
|
the URL containing the PHP script will be called again with the
|
|
<link linkend="reserved.variables">predefined variables</link>
|
|
<varname>PHP_AUTH_USER</varname>, <varname>PHP_AUTH_PW</varname>,
|
|
and <varname>PHP_AUTH_TYPE</varname> set to the user name, password and
|
|
authentication type respectively. These predefined variables are found
|
|
in the <link linkend="reserved.variables.server">$_SERVER</link> and
|
|
<varname>$HTTP_SERVER_VARS</varname> arrays. Only "Basic" authentication
|
|
is supported. See the <function>header</function> function for more
|
|
information.
|
|
</simpara>
|
|
|
|
<note>
|
|
<title>PHP Version Note</title>
|
|
<para>
|
|
<link linkend="language.variables.superglobals">Autoglobals</link>,
|
|
such as <link linkend="reserved.variables.server">$_SERVER</link>, became
|
|
available in PHP version <ulink url="&url.php.release4.1.0;">4.1.0</ulink>.
|
|
<varname>$HTTP_SERVER_VARS</varname> has been available since PHP 3.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
An example script fragment which would force client authentication
|
|
on a page is as follows:
|
|
</para>
|
|
<para>
|
|
<example>
|
|
<title>HTTP Authentication example</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
if (!isset($_SERVER['PHP_AUTH_USER'])) {
|
|
header('WWW-Authenticate: Basic realm="My Realm"');
|
|
header('HTTP/1.0 401 Unauthorized');
|
|
echo 'Text to send if user hits Cancel button';
|
|
exit;
|
|
} else {
|
|
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
|
|
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
|
|
}
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
</para>
|
|
|
|
<note>
|
|
<title>Compatibility Note</title>
|
|
<para>
|
|
Please be careful when coding the HTTP header lines. In order to guarantee maximum
|
|
compatibility with all clients, the keyword "Basic" should be written with an
|
|
uppercase "B", the realm string must be enclosed in double (not single) quotes,
|
|
and exactly one space should precede the <emphasis>401</emphasis> code in the
|
|
<emphasis>HTTP/1.0 401</emphasis> header line.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
Instead of simply printing out <varname>PHP_AUTH_USER</varname>
|
|
and <varname>PHP_AUTH_PW</varname>, as done in the above example,
|
|
you may want to check the username and password for validity.
|
|
Perhaps by sending a query to a database, or by looking up the
|
|
user in a dbm file.
|
|
</para>
|
|
|
|
<para>
|
|
Watch out for buggy Internet Explorer browsers out there. They
|
|
seem very picky about the order of the headers. Sending the
|
|
<emphasis>WWW-Authenticate</emphasis> header before the
|
|
<literal>HTTP/1.0 401</literal> header seems to do the trick
|
|
for now.
|
|
</para>
|
|
|
|
<simpara>
|
|
In order to prevent someone from writing a script which reveals
|
|
the password for a page that was authenticated through a
|
|
traditional external mechanism, the PHP_AUTH variables will not be
|
|
set if external authentication is enabled for that particular
|
|
page. In this case, <varname>REMOTE_USER</varname> can be used
|
|
to identify the externally-authenticated user. So,
|
|
<varname>$_SERVER['REMOTE_USER']</varname>.
|
|
</simpara>
|
|
|
|
<note>
|
|
<title>Configuration Note</title>
|
|
<para>
|
|
PHP uses the presence of an <literal>AuthType</literal> directive
|
|
to determine whether external authentication is in effect.
|
|
Remember to avoid this directive for the context where you want to
|
|
use PHP authentication (otherwise each authentication attempt
|
|
will fail).
|
|
</para>
|
|
</note>
|
|
|
|
<simpara>
|
|
Note, however, that the above does not prevent someone who
|
|
controls a non-authenticated URL from stealing passwords from
|
|
authenticated URLs on the same server.
|
|
</simpara>
|
|
<simpara>
|
|
Both Netscape Navigator and Internet Explorer will clear the local browser
|
|
window's authentication cache for the realm upon receiving a
|
|
server response of 401. This can effectively "log out" a user,
|
|
forcing them to re-enter their username and password. Some people
|
|
use this to "time out" logins, or provide a "log-out" button.
|
|
</simpara>
|
|
<para>
|
|
<example>
|
|
<title>HTTP Authentication example forcing a new name/password</title>
|
|
<programlisting role="php">
|
|
<![CDATA[
|
|
<?php
|
|
function authenticate() {
|
|
header('WWW-Authenticate: Basic realm="Test Authentication System"');
|
|
header('HTTP/1.0 401 Unauthorized');
|
|
echo "You must enter a valid login ID and password to access this resource\n";
|
|
exit;
|
|
}
|
|
|
|
if (!isset($_SERVER['PHP_AUTH_USER']) || ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
|
|
authenticate();
|
|
}
|
|
else {
|
|
echo "<p>Welcome: {$_SERVER['PHP_AUTH_USER']}<br>";
|
|
echo "Old: {$_REQUEST['OldAuth']}";
|
|
echo "<form action='{$_SERVER['PHP_SELF']}' METHOD='POST'>\n";
|
|
echo "<input type='hidden' name='SeenBefore' value='1'>\n";
|
|
echo "<input type='hidden' name='OldAuth' value='{$_SERVER['PHP_AUTH_USER']}'>\n";
|
|
echo "<input type='submit' value='Re Authenticate'>\n";
|
|
echo "</form></p>\n";
|
|
}
|
|
?>
|
|
]]>
|
|
</programlisting>
|
|
</example>
|
|
</para>
|
|
<simpara>
|
|
This behavior is not required by the HTTP Basic authentication
|
|
standard, so you should never depend on this. Testing with Lynx
|
|
has shown that Lynx does not clear the authentication credentials
|
|
with a 401 server response, so pressing back and then forward
|
|
again will open the resource as long as the credential
|
|
requirements haven't changed. The user can press the
|
|
'_' key to clear their authentication information, however.
|
|
</simpara>
|
|
<simpara>
|
|
Also note that this does not work using Microsoft's IIS server and
|
|
the CGI version of PHP due to a limitation of IIS.
|
|
</simpara>
|
|
|
|
<note>
|
|
<para>
|
|
If <link linkend="ini.safe-mode">safe mode</link> is enabled, the
|
|
uid of the script is added to the <literal>realm</literal> part of
|
|
the <literal>WWW-Authenticate</literal> header.
|
|
</para>
|
|
</note>
|
|
|
|
</chapter>
|
|
|
|
<!-- Keep this comment at the end of the file
|
|
Local variables:
|
|
mode: sgml
|
|
sgml-omittag:t
|
|
sgml-shorttag:t
|
|
sgml-minimize-attributes:nil
|
|
sgml-always-quote-attributes:t
|
|
sgml-indent-step:1
|
|
sgml-indent-data:t
|
|
indent-tabs-mode:nil
|
|
sgml-parent-document:nil
|
|
sgml-default-dtd-file:"../../manual.ced"
|
|
sgml-exposed-tags:nil
|
|
sgml-local-catalogs:nil
|
|
sgml-local-ecat-files:nil
|
|
End:
|
|
vim600: syn=xml fen fdm=syntax fdl=2 si
|
|
vim: et tw=78 syn=sgml
|
|
vi: ts=1 sw=1
|
|
-->
|