Using Basic Authentication in PHP
PHP scripts are generally cross-platform, but basic authentication relies on environment
variables set by the server. For an HTTP authentication script to run both on Apache using
PHP as an Apache module and on IIS using PHP as an ISAPI module, it needs to detect the
server type and behave slightly differently. The script in Listing 14.4 will run on both servers.
LISTING 14.4 http.php—PHP Can Trigger HTTP Basic Authentication
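<?php
// Read the values set by the server ($_SERVER replaces the old global variables)
$SERVER_SOFTWARE = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';
$HTTP_AUTHORIZATION = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

// if we are using IIS, we need to set $PHP_AUTH_USER and $PHP_AUTH_PW
if (substr($SERVER_SOFTWARE, 0, 9) == "Microsoft" &&
    !isset($PHP_AUTH_USER) &&
    !isset($PHP_AUTH_PW) &&
    substr($HTTP_AUTHORIZATION, 0, 6) == "Basic "
   )
{
  // split on the first colon only, so a password containing ":" stays intact;
  // array_pad() avoids a notice when the decoded value has no colon at all
  list($PHP_AUTH_USER, $PHP_AUTH_PW) = array_pad(
    explode(":", base64_decode(substr($HTTP_AUTHORIZATION, 6)), 2), 2, null);
}

// Replace this if statement with a database query or similar
if ($PHP_AUTH_USER !== "user" || $PHP_AUTH_PW !== "pass")
{
  // visitor has not yet given details, or their
  // name and password combination are not correct
  header('WWW-Authenticate: Basic realm="Realm-Name"');
  if (substr($SERVER_SOFTWARE, 0, 9) == "Microsoft")
    header("Status: 401 Unauthorized");
  else
    header("HTTP/1.0 401 Unauthorized");
  echo "<h1>Go Away!</h1>";
  echo "You are not authorized to view this resource.";
}
else
{
  // visitor has provided correct details
  echo "<h1>Here it is!</h1>";
  echo "<p>I bet you are glad you can see this secret page.";
}
?>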
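The listing's comment says to replace the hard-coded comparison with a database query or similar. One way to do that, as an added example that is not part of the original listing: the function names and the $users array are hypothetical, the sample header values are constructed, and password_hash()/password_verify() require PHP 5.5 or later.

```php
<?php
// Added example: parse_basic_header(), check_credentials() and $users are illustrative names.

// Decode an "Authorization: Basic ..." value into [user, password], or null if malformed.
function parse_basic_header($header)
{
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;                       // not the Basic scheme
    }
    // strict mode rejects characters outside the base64 alphabet
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;                       // bad encoding or no user:password separator
    }
    return explode(':', $decoded, 2);      // split on the first colon only
}

// Compare a submitted pair against stored password hashes.
function check_credentials(array $users, $user, $password)
{
    // Unknown users are verified against a dummy hash so both paths do similar work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $known = is_string($user) && isset($users[$user]);
    $hash = $known ? $users[$user] : $dummy;
    return password_verify((string) $password, $hash) && $known;
}

// Constructed sample store; in practice the hashes come from the database.
$users = array('user' => password_hash('pa:ss', PASSWORD_DEFAULT));

// Constructed sample header values, in the form a browser sends them.
$samples = array(
    'Basic ' . base64_encode('user:pa:ss'),   // valid, password contains a colon
    'Basic ' . base64_encode('user:wrong'),   // wrong password
    'Basic ' . base64_encode('nocolon'),      // malformed: no separator
    'Bearer abc',                             // different scheme
);
foreach ($samples as $header) {
    $pair = parse_basic_header($header);
    $ok = $pair !== null && check_credentials($users, $pair[0], $pair[1]);
    echo $header, ' => ', ($ok ? 'accept' : 'send 401'), "\n";
}
```

Storing only password hashes means the credential table does not expose the passwords themselves; the Basic scheme still sends them base64-encoded, not encrypted, on every request.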










