array ( 0 => 'index.php', 1 => 'PHP Manual', ), 'head' => array ( 0 => 'UTF-8', 1 => 'en', ), 'this' => array ( 0 => 'features.http-auth.php', 1 => 'HTTP authentication with PHP', 2 => 'HTTP authentication with PHP', ), 'up' => array ( 0 => 'features.php', 1 => 'Features', ), 'prev' => array ( 0 => 'features.php', 1 => 'Features', ), 'next' => array ( 0 => 'features.cookies.php', 1 => 'Cookies', ), 'alternatives' => array ( ), 'source' => array ( 'lang' => 'en', 'path' => 'features/http-auth.xml', ), 'history' => array ( ), ); $setup["toc"] = $TOC; $setup["toc_deprecated"] = $TOC_DEPRECATED; $setup["parents"] = $PARENTS; manual_setup($setup); contributors($setup); ?>

HTTP authentication with PHP

It is possible to use the header() function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER array. Only the "Basic" authentication method is supported. See the header() function for more information.

An example script fragment which would force client authentication on a page is as follows:

Example #1 Basic HTTP Authentication example

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="My Realm"');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

Note: Compatibility

Please be careful when coding the HTTP header lines. In order to guarantee maximum compatibility with all clients, the keyword "Basic" should be written with an uppercase "B", the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the 401 code in the HTTP/1.1 401 header line. Authentication parameters have to be comma-separated.

Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity. Perhaps by sending a query to a database, or by looking up the user in a dbm file.

Note: Apache Configuration

PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

Note: Browser behavior
HTTP Basic authentication really is basic, and it wasn't designed to support logouts. Because HTTP is a stateless protocol, most browsers will cache the provided credentials as soon as a 2xx status code is seen, and will send them in every request, until the browser is closed. There is no defined way for a server to request a new prompt for credentials. Over the years, various workarounds for this have spread as advice on the internet, but they all depend on how different browsers have chosen to handle undefined edge cases (or even violations of the HTTP standard). It is best to avoid such workarounds and not use Basic authentication for anything serious.

Note: IIS Configuration
In order to get HTTP Authentication to work on IIS server with the CGI version of PHP, the php.ini directive cgi.rfc2616_headers must be set to 0 (the default value), and you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.