HTTP [basic] Auth via PHP

How can I login to $x and check to see if the user/pass is correct using HTTP [basic] Auth? (The one where the login window pops up)
Asked by: mnb93

Richard Quadling (Senior Software Developer) commented:
Hi mnb93,

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and are hence not available in the CGI version. In an Apache module PHP script, it is possible to use the header() function to send an "Authentication Required" message to the client browser, causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER and $HTTP_SERVER_VARS arrays. Both "Basic" and "Digest" (since PHP 5.1.0) authentication methods are supported. See the header() function for more information.



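<?php
// Ask the browser for credentials if none were sent with this request.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Both values come from the client: escape them before echoing into HTML.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
    $pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$pw} as your password.</p>";
}
?>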


Regards,

Richard Quadling.

mnb93 (Author) commented:
I would like to use PHP to log into $x...

Richard Quadling (Senior Software Developer) commented:
Are you saying you want to use PHP as a client to a web site which has a basic auth login form?
mnb93 (Author) commented:
yes

Richard Quadling (Senior Software Developer) commented:
You could cheat as basic auth is ...

http://user:password@www.site.com/page.html

I think.

Pretty sure actually.

TeRReF commented:
Never knew that, neat... not very secure, but neat :)

Richard Quadling (Senior Software Developer) commented:
URL auth is visible plain text.
BASIC auth is not a lot better.
NTLM auth is a LOT more secure.

mnb93 (Author) commented:
You could cheat as basic auth is ...

http://user:password@www.site.com/page.html

So how do I know if it worked?

Richard Quadling (Senior Software Developer) commented:
Your php script gets a response that is NOT a security error.

How are you making the call?
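
One way to make the call and tell whether the login worked, as an added example that is not part of the original thread: PHP's cURL extension sends the credentials in the Authorization header rather than in the URL, and the HTTP status code is the "not a security error" check. The function name `check_basic_auth` and the environment variable `BASIC_AUTH_PASS` are assumptions made for this sketch.

```php
<?php
/**
 * Check a username/password against a Basic-auth protected URL.
 * Returns true (accepted), false (rejected with 401) or null (inconclusive).
 * check_basic_auth is a hypothetical helper name, not a PHP built-in.
 */
function check_basic_auth(string $url, string $user, string $pass): ?bool
{
    // Basic auth is only base64-encoded, so refuse to send it without TLS.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing to send Basic credentials without TLS');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass, // sent as a header, not in the URL
        CURLOPT_NOBODY         => true,   // HEAD request: only the status code matters
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // do not replay credentials to a redirect target
        CURLOPT_TIMEOUT        => 10,
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($ok === false) {
        return null;                      // network or TLS failure: nothing learned
    }
    if ($status === 401) {
        return false;                     // server rejected the credentials
    }
    if ($status >= 200 && $status < 300) {
        return true;                      // request was authorised
    }
    return null;                          // 403, 405, 3xx, 5xx: not a verdict on the password
}

// CLI usage: BASIC_AUTH_PASS=... php check.php https://host/page user
// The password is read from the environment (hypothetical variable name) so it
// does not appear in the process list or shell history.
if (PHP_SAPI === 'cli' && isset($argv[2]) && realpath($argv[0]) === __FILE__) {
    $result = check_basic_auth($argv[1], $argv[2], getenv('BASIC_AUTH_PASS') ?: '');
    echo $result === true ? "accepted\n" : ($result === false ? "rejected (401)\n" : "inconclusive\n");
}
```

A server that does not answer HEAD requests will come back as inconclusive; dropping `CURLOPT_NOBODY` makes the same check with a GET.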