Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PHP, HTTP Basic Authentication and C# 2

Status
Not open for further replies.
southbeach

southbeach

Programmer
Jan 22, 2008
879
US
I have never heard of HTTP Basic Authentication till earlier this afternoon. I've done some reading and found out that it is not the end of the world but I still had to learn about it.

Having looked around for a while I cannot find what I say would be a definitive answer to this question:

It appears that PHP can easily check for user name and password (
Q. How then is data string passed by client to server?
Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?
Q. Can anyone point me to samples or some material I can read to learn more about this?

Thanks!




--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Sort by date Sort by votes
Hi

SouthBeach said:
I have never heard of HTTP Basic Authentication till earlier this afternoon.
Click to expand...
No surprise if you looked at the web more from a programmer's point of view. HTTP Authentication is much more useful for static content, where no script/program is involved in serving. It is rarely used together with dynamic content. HTTP Authentication can be handled by the web servers based on some simple configuration. By the way, as possible you should consider using the more safe HTTP Digest Authentication instead.

SouthBeach said:
Q. How then is data string passed by client to server?
Click to expand...
What kind of data ? The server sends the requirement for authentication and the client sends the credential / hash in HTTP headers. See the Example with explanation section in Wikipedia's Digest access authentication article.

SouthBeach said:
Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?
Click to expand...
Not sure what you asked here. HTTP Authentication is fundamentally handled by the web server which sets the [tt]REMOTE_USER[/tt] environment variable to the name of the currently authenticated user. That should be accessible in any CGI script / application framework / whatever run by the same web server. Of course, beside that every web server / module / library / framework will make available some additional information and convenient methods to simplify the handling of authentication.

SouthBeach said:
Q. Can anyone point me to samples or some material I can read to learn more about this?
Click to expand...
As I see the web server related forum you visit here is forum65, so I suggest to learn about the HTTP Authentication from Apache's Authentication and Authorization howto. The mechanism itself is described in RFC 2617.


Feherke.
feherke.github.io
 
Upvote 0 Downvote
Q. How then is data string passed by client to server?
Click to expand...

the interaction is like this:
1. the client asks the web server for a resource.
2. the server checks whether the client is authenticated. if it is not, the server sends basic authentication headers
3. the client receives these headers and understanding them asks the user for a user name and password for the relevant realm.
4. the user enters the information and the browser sends the username and password (in colon-concatenated base64_encoded text) to the server in the request header, together with any post-data (if relevant) from the initial request.
5. the client is then authenticated by the server. The client will continue to send these auth-details to the server for every request.

Q. How is the PHP called upon, regardless if it is a C#, PHP or ASP client?
Click to expand...

for http authentication to function with php you need to be using php as a sapi (i think). so it cannot be configured as a cgi.
in this configuration you would not have htaccess set up to restrict page access based on basic authentication, instead relying on php to handle this.
the server passes the received user name and password to php and php makes those available in the $_SERVER super global. You must then programmatically validate those credentials and either do nothing (if the combination is request) or send authentication headers back to the client and kill the connection (to force the username combo to be reentered)

Code: 
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] != 'justin' || $_SERVER['PHP_AUTH_PW'] != 'mypassword') {
    header('[URL unfurl="true"]WWW-Authenticate:[/URL] Basic realm="My Protected Web Page"');
    header('HTTP/1.0 401 Unauthorized');
    die('');
endif;

Q. Can anyone point me to samples or some material I can read to learn more about this?
Click to expand...

there's not much more to it than the above. but feherke's links will be a great start if you need more.

remember that basic auth is not secure, in that the password is just encoded and not encrypted. it can be very easily decoded. you can implement digest security in php too should you wish.

second thing to remember is that you cannot style the login boxes that the browser's show on receiving a 401 return. this is the main reason, I think, why you do not see this kind of authentication regime more often used.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

PeDa
  • Locked
  • Question
Basic Authentication fails to authenicate
Replies
0
Views
113
PeDa
PeDa
SashaBuilder3
  • Locked
  • Question
import CSV file into MySql table in PhpMyAdmin
Replies
0
Views
233
SashaBuilder3
SashaBuilder3
PeDa
  • Locked
  • Question
Unwanted spaces in php HTML mail 1
Replies
4
Views
205
PeDa
PeDa
Mandy_crw
  • Locked
  • Question
How to send sms in PHP using usb gsm modem?
Replies
1
Views
218
vishvajit
vishvajit
lflynnlrf
  • Locked
  • Question
wordpress/ shortcode/ PHP duplicating code
Replies
1
Views
109
spamjim
spamjim

Part and Inventory Search

Sponsor

Back
Top