PHP, HTTP Basic Authentication and C# 2

[southbeach]

I have never heard of HTTP Basic Authentication till earlier this afternoon. I've done some reading and found out that it is not the end of the world but I still had to learn about it.

Having looked around for a while I cannot find what I say would be a definitive answer to this question:

It appears that PHP can easily check for user name and password (

http://php.net/manual/en/features.http-auth.php).

Q. How then is data string passed by client to server?
Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?
Q. Can anyone point me to samples or some material I can read to learn more about this?

Thanks!




--
SouthBeach

http://www.fpgroups.com

The good thing about not knowing is the opportunity to learn - Yours truly, 2008.

 

[feherke]

Hi

I have never heard of HTTP Basic Authentication till earlier this afternoon.

No surprise if you looked at the web more from a programmer's point of view. HTTP Authentication is much more useful for static content, where no script/program is involved in serving. It is rarely used together with dynamic content. HTTP Authentication can be handled by the web servers based on some simple configuration. By the way, as possible you should consider using the more safe HTTP Digest Authentication instead.

Q. How then is data string passed by client to server?

What kind of data ? The server sends the requirement for authentication and the client sends the credential / hash in HTTP headers. See the Example with explanation section in Wikipedia's Digest access authentication article.

Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?

Not sure what you asked here. HTTP Authentication is fundamentally handled by the web server which sets the [tt]REMOTE_USER[/tt] environment variable to the name of the currently authenticated user. That should be accessible in any CGI script / application framework / whatever run by the same web server. Of course, beside that every web server / module / library / framework will make available some additional information and convenient methods to simplify the handling of authentication.

Q. Can anyone point me to samples or some material I can read to learn more about this?

As I see the web server related forum you visit here is forum65, so I suggest to learn about the HTTP Authentication from Apache's Authentication and Authorization howto. The mechanism itself is described in RFC 2617.


Feherke.
feherke.github.io

 

[jpadie]

Q. How then is data string passed by client to server?

the interaction is like this:
1. the client asks the web server for a resource.
2. the server checks whether the client is authenticated. if it is not, the server sends basic authentication headers
3. the client receives these headers and understanding them asks the user for a user name and password for the relevant realm.
4. the user enters the information and the browser sends the username and password (in colon-concatenated base64_encoded text) to the server in the request header, together with any post-data (if relevant) from the initial request.
5. the client is then authenticated by the server. The client will continue to send these auth-details to the server for every request.

Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?

for http authentication to function with php you need to be using php as a sapi (i think). so it cannot be configured as a cgi.
in this configuration you would not have htaccess set up to restrict page access based on basic authentication, instead relying on php to handle this.
the server passes the received user name and password to php and php makes those available in the $_SERVER super global. You must then programmatically validate those credentials and either do nothing (if the combination is request) or send authentication headers back to the client and kill the connection (to force the username combo to be reentered)

if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] != 'justin' || $_SERVER['PHP_AUTH_PW'] != 'mypassword') {
    header('[URL unfurl="true"]WWW-Authenticate:[/URL] Basic realm="My Protected Web Page"');
    header('HTTP/1.0 401 Unauthorized');
    die('');
endif;

Q. Can anyone point me to samples or some material I can read to learn more about this?

there's not much more to it than the above. but feherke's links will be a great start if you need more.

remember that basic auth is not secure, in that the password is just encoded and not encrypted. it can be very easily decoded. you can implement digest security in php too should you wish.

second thing to remember is that you cannot style the login boxes that the browser's show on receiving a 401 return. this is the main reason, I think, why you do not see this kind of authentication regime more often used.