HTTP authentication with PHP

Chapter 34. HTTP authentication with PHP

The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and are hence not available in the CGI version. In an Apache module PHP script, it is possible to use the header() function to send an "Authentication Required" message to the client browser, causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER and $HTTP_SERVER_VARS arrays. Both "Basic" and "Digest" (since PHP 5.1.0) authentication methods are supported. See the header() function for more information.

PHP Version Note: Autoglobals, such as $_SERVER, became available in PHP 4.1.0. $HTTP_SERVER_VARS has been available since PHP 3.

An example script fragment which would force client authentication on a page is as follows:

Example 34-1. Basic HTTP Authentication example

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // Both values come from the client, so escape them before echoing into HTML.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES);
    $pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES);
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$pw} as your password.</p>";
}
?>

Example 34-2. Digest HTTP Authentication example

This example shows you how to implement a simple Digest HTTP authentication script. For more information, see RFC 2617.

<?php
$realm = 'Restricted area';

// user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');

    die('Text to send if user hits Cancel button');
}

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    die('Wrong Credentials!');

// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

// strict comparison: with != two digests that both look numeric (e.g. "0e...") compare as equal
if ($data['response'] !== $valid_response)
    die('Wrong Credentials!');

// ok, valid username & password
echo 'You are logged in as: ' . $data['username'];

// function to parse the http auth header
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();

    // quoted value: match lazily up to the closing quote ([^\2] does not mean "not the quote" inside a character class)
    preg_match_all('@(\w+)=(?:([\'"])(.+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset($needed_parts[$m[1]]);
    }

    return $needed_parts ? false : $data;
}
?>
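
Example 34-2 issues its nonce with uniqid() and never checks that a nonce sent back by the client is one the server handed out. The code below is an added example, not part of the PHP manual: it builds a self-verifying, time-limited nonce along the lines RFC 2617 suggests (a timestamp plus a keyed hash). NONCE_SECRET, NONCE_TTL, issue_nonce() and check_nonce() are hypothetical names, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example: stateless Digest nonces. All names and values here are assumptions.
const NONCE_SECRET = 'replace-with-a-long-random-server-secret'; // placeholder secret
const NONCE_TTL    = 300; // seconds a nonce stays valid (assumed policy)

// Issue a nonce of the form "<unix time>.<HMAC-SHA256 of that time>".
function issue_nonce($now = null)
{
    $ts = (string) ($now === null ? time() : $now);
    return $ts . '.' . hash_hmac('sha256', $ts, NONCE_SECRET);
}

// Classify a nonce returned by the client:
//   'ok'      issued by this server and still fresh
//   'stale'   issued by this server but older than NONCE_TTL
//   'invalid' malformed, forged, or dated in the future
function check_nonce($nonce, $now = null)
{
    $now = $now === null ? time() : $now;
    $parts = explode('.', (string) $nonce, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'invalid';
    }
    list($ts, $mac) = $parts;
    $expected = hash_hmac('sha256', $ts, NONCE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return 'invalid';
    }
    $age = $now - (int) $ts;
    if ($age < 0) {
        return 'invalid';
    }
    return $age <= NONCE_TTL ? 'ok' : 'stale';
}

// Constructed demonstration with a fixed clock instead of time().
$issuedAt = 1000000000;
$nonce    = issue_nonce($issuedAt);

var_dump(check_nonce($nonce, $issuedAt + 60));             // inside the lifetime
var_dump(check_nonce($nonce, $issuedAt + NONCE_TTL + 1));  // past the lifetime
var_dump(check_nonce($issuedAt . '.deadbeef', $issuedAt)); // MAC not produced with the secret
var_dump(check_nonce(uniqid(), $issuedAt));                // a nonce this scheme never issued
```

In Example 34-2, issue_nonce() would take the place of uniqid() in the challenge and check_nonce($data['nonce']) would run before the response is computed; on 'stale', resend the challenge with stale=TRUE so the browser retries without prompting the user again.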

Compatibility Note: Please be careful when coding the HTTP header lines. In order to guarantee maximum compatibility with all clients, the keyword "Basic" should be written with an uppercase "B", the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the 401 code in the HTTP/1.0 401 header line. Authentication parameters have to be comma-separated as seen in the digest example above.

Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity, perhaps by sending a query to a database, or by looking up the user in a dbm file.
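
One way to do that check, as an added example that is not part of the PHP manual: the submitted password is verified against a stored hash rather than a plaintext value, and unknown user names cost the same work as known ones. The $users store, credentials_valid() and challenge() are hypothetical names, the sample password is constructed, and password_hash()/password_verify() require PHP 5.5 or later.

```php
<?php
// Added example. Constructed user store: in a real deployment the hashes are
// created once and kept in the database or dbm file, never rebuilt per request.
$users = array(
    'admin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
);

// Return true only when $user exists and $pw matches its stored hash.
function credentials_valid(array $users, $user, $pw)
{
    // Unknown users are verified against a dummy hash so the amount of work
    // done does not reveal which user names exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-value', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummy;
    $match = password_verify($pw, $hash);
    return $known && $match;
}

// Send the same challenge as Example 34-1 and stop.
function challenge()
{
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$pw   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

// Missing and wrong credentials get the identical response.
if ($user === null || !credentials_valid($users, $user, $pw)) {
    challenge();
}

// Only reached with valid credentials; the password is never echoed back.
echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES) . '.</p>';
```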

Watch out for buggy Internet Explorer browsers out there. They seem very picky about the order of the headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 header seems to do the trick for now.

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.

Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button.

Example 34-3. HTTP Authentication example forcing a new name/password

<?php
function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

// The form fields are absent on the first request, so read them defensively.
$seenBefore = isset($_POST['SeenBefore']) ? $_POST['SeenBefore'] : '';
$oldAuth    = isset($_POST['OldAuth']) ? $_POST['OldAuth'] : '';

if (!isset($_SERVER['PHP_AUTH_USER']) ||
    ($seenBefore == 1 && $oldAuth == $_SERVER['PHP_AUTH_USER'])) {
    authenticate();
} else {
    // Escape every client-controlled value before writing it into the page.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES);
    $old  = htmlspecialchars(isset($_REQUEST['OldAuth']) ? $_REQUEST['OldAuth'] : '', ENT_QUOTES);
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

    echo "<p>Welcome: {$user}<br />";
    echo "Old: {$old}";
    echo "<form action='{$self}' METHOD='post'>\n";
    echo "<input type='hidden' name='SeenBefore' value='1' />\n";
    echo "<input type='hidden' name='OldAuth' value='{$user}' />\n";
    echo "<input type='submit' value='Re Authenticate' />\n";
    echo "</form></p>\n";
}
?>

This behavior is not required by the HTTP Basic authentication standard, so you should never depend on this. Testing with Lynx has shown that Lynx does not clear the authentication credentials with a 401 server response, so pressing back and then forward again will open the resource as long as the credential requirements haven't changed. The user can press the '_' key to clear their authentication information, however.

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access"; all other fields should be left unchecked.

Another limitation is that if you're using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables; instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code (the limit of 2 keeps a password that contains a colon intact): list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);

IIS Note: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

