Chapitre 17. Authentification HTTP avec PHP

A few notes on authentication in which it's possible I overlooked some
things.  Considering a prior post about using the same salt for all users
so you can match passwords; I think it would be better to not do so, as
you can figure out the salt from the password and match.  (Example, salt
in DES if I'm not mistaken is the first 2 characters)
  Something I've been trying to figure out is secure apache module PHP on
a multi-user server.  
  Delima (with postgres)- any user can write a PHP page to read another
users databases.  Set your database to connect using username and
password, and any user can read your username and password from wherever
you place them.  (use PHP function to read it and as it has to be readable
by your web process for you to read it, they can)  
  The closest I've come to a solution for this is to run php as a CGI
module with suexec or cgiwrap.  
  Hopefuly someone else has a better solution; otherwise, something to
think about before you think of your databases as being secure with php
interfacing to them.

Someone gave me a simple solution to the 'logout' problem: add some sort of
timestamp to the basic realm you send in the WWW_Authenticate header. Mine
now is: $realm="RealmName (
".strftime("%c",time())." )";. (btw: the problem
was: 1) IE4 asks for the page one more time after a 401, defeating sending
a 401 once to force a user to log on again. and 2) IE4 remembers the
password, and puts it default in the logon window. Changing the realm
solves these problems, not the 'logon failed' message of NS though).

As an alternative check out PHPLIB at:


And the PHP Builder beginning/tutorial article called, "Session
Management and Authentication with PHPLIB" at 

I had the same problem as above (that is, with apache I can't get the auth
info). The solution I found goes like this:

$headers = getallheaders();
$auth=$headers[authorization];
if ($auth=='') { $auth=$headers[Authorization]; }

if($auth=='')
{
	Header("WWW-Authenticate: Basic
realm=\"$PROG_NAME\"");
	Header("HTTP/1.0 401 Unauthorized");
}

list($user, $pass) = explode(":", base64_decode(substr($auth,
6)));

Here is a code for the public sites enabling both logout bottom and timeout
using php+mysql. Working for both browsers.
The part "required" for each user protected page:

<?
function auth () {
        Header("WWW-Authenticate: Basic realm=\"ArmFN public
site\"");
        Header("HTTP/1.0 401 Unauthorized");
        echo "You have to authentificate yourself first \n";
        exit;
}

mysql_connect("localhost","train","") or
die("Unable to connect to SQL server"); 
mysql_select_db( "train") or die( "Unable to select
database"); 

if(!isset($PHP_AUTH_USER)) {

$timeout =
mktime(date(G),date(i)+10,0,date("m"),date("d"),date("Y"));
mysql_query("update users set login='$timeout' where id='$user' and
pasw='$pass'") or die("k");

	auth();

			} else {

    $pass = $PHP_AUTH_PW;
    $user = $PHP_AUTH_USER;

$nowtime =
mktime(date(G),date(i),0,date("m"),date("d"),date("Y"));
$quer2 = mysql_query("select * from users where id='$user' and
pasw='$pass' and login > '$nowtime'") or die("kuk2");

    if (mysql_num_rows($quer2) == "0") {
$timeout =
mktime(date(G),date(i)+10,0,date("m"),date("d"),date("Y"));
mysql_query("update users set login='$timeout' where id='$user' and
pasw='$pass'") or die("k");

auth();
}
		}
?>

You can have a "logout" bottom with hidden
$go="logout" form element and then have somewhere this part:

if ($do == "logout") {
mysql_connect("localhost","train","") or
die("Unable to connect to SQL server"); 
mysql_select_db( "train") or die( "Unable to select
database"); 
mysql_query("update users set login=0 where id='$PHP_AUTH_USER' and
pasw='$PHP_AUTH_PW'") or die("k");
}

Good day.I've solved a problem where IE4 asks for the age one more time
after a 401, defeating sending a 401 once to force a user to log on
again.

  function  authenticate()  {
    setcookie("noauth","");
    Header( "WWW-authenticate:  Basic
realm=\"test\"");
    Header( "HTTP/1.0  401  Unauthorized");
	echo "You must enter user name";
   exit ;
  }
  if  (   !isset($PHP_AUTH_USER) ||  ($logoff==1) &&
$noauth=="yes"  )   {
	authenticate();
  }  

And logoff link -
 
<a
href="samehtml.phtml?logoff=1">Logoff</a></td>

Dmitry Alyekhin

The new Mozilla browser doesn't seem to like the switched authentication
lines. 

This doesn't work (I have build 2000101308):

Header( "WWW-authenticate: Basic realm=\"test\"");
Header( "HTTP/1.0 401 Unauthorized");

The first time you authenticate all seems ok, but the second time it
always returns unauthorized.

This works as it should:

Header( "HTTP/1.0 401 Unauthorized");
Header( "WWW-authenticate: Basic realm=\"test\"");

If you were trying to read the contents of $PHP_AUTH_USER or $PHP_AUTH_PW
from inside a function, you would first have to globalize them:

function Authenticat () {
    global $PHP_AUTH_USER;
    global $PHP_AUTH_PW;

    ...
}

Otherwise, PHP assumes that those variables are local to the function
Authenticate () and initializes them with NULL values.

When calling in a function and using the $PHP_AUTH_USER and $PHP_AUTH_PW
against mysql connect I found I needed to omit the isset call and just
do:
if(!$PHP_AUTH_USER or !$PHP_AUTH_PW). Otherwise the
mysql_connect('host',$PHP_AUTH_USER,$PHP_AUTH_PW) call returns a value.
Also, in the checking for mysql_connect return value, I need to include
the auth headers again to get things working as expected.

I suggest to read RFC2617 (HTTP Authentication: Basic and Digest Access
Authentication) and related RFCs.

Thanks to [email protected] for the rfc note needed to solve this
one. This looks like it flushed out the authentication headers on both
Netscape and IE:
Header("WWW-Authenticate: Basic realm=\"Whatever Realm\",
stale=FALSE");

You may enjoy this tutorial :

This is a good resource for setting up htaccess schemes:



The windows version of apache comes with htpasswd.exe in the apache\bin
directory.

The only thing that present problems is you have to change your .htaccess
file to point to the created password file (ie
C:\directory\passwords.file)....so if you transfer the file back to a *nix
server it wont find your file.

One (temporary) workaround is changing your local httpd.conf file to point
to a different access file:

AccessFileName htaccess.

You just have to make sure to syncronize your access files.

Im not sure if you can point your htaccess to two password files??
 AuthName "restricted stuff"
 AuthType Basic
 AuthUserFile /usr/local/etc/httpd/users
 AuthUserFile C:\directory\password.file
 require valid-user

If register_globals is turned off PHP_AUTH_USER and PHP_AUTH_PW variables
will not be set, instead they are stored in $HTTP_SERVER_VARS array as
$HTTP_SERVER_VARS['PHP_AUTH_USER'] and HTTP_SERVER_VARS['PHP_AUTH_PW'].

in 4.1.0 the variables are:

$_SERVER["PHP_AUTH_USER"]  and 
$_SERVER["PHP_AUTH_PW"]

Does anyone know how to do the opposite ie: passing a username and password
to the http server in order for it to authenticate a given protected
directory???

Restrict access by username, password AND ip address:

<?
function authenticate() {
	header("WWW-Authenticate: Basic realm=\":-!\"");
	header("HTTP/1.0 401 Unauthorized");
	print("You must enter a valid login username and password 
		to access this resource.\n");
	exit;
	}
if(!isset($PHP_AUTH_USER)){ authenticate(); }
else {
	$c=mysql_pconnect("server.name","user","password");
	mysql_select_db("dbname",$c);
	$q=sprintf("SELECT username,password FROM authenticateTable
		WHERE username='%s' AND password=PASSWORD('%s') 
		AND ipaddress='%s'",
			$PHP_AUTH_USER,$PHP_AUTH_PW,$REMOTE_ADDR);
	$q=mysql_query($q);
	if(mysql_num_rows($q)==0){ authenticate(); } 
}
?>

To get it to work with IIS try using this code before setting your
"$auth = 0" and the "if (isset($PHP_AUTH_USER) &&
isset($PHP_AUTH_PW))"

//////////////////////////////////////////

if ($PHP_AUTH_USER == "" && PHP_AUTH_PW == ""
&& ereg("^Basic ", $HTTP_AUTHORIZATION)) 
{ 
  list($PHP_AUTH_USER, $PHP_AUTH_PW) = 
    explode(":", base64_decode(substr($HTTP_AUTHORIZATION, 6)));

}

//////////////////////////////////////////

It worked for me on IIS 5 and PHP 4 in ISAPI

I tried the method posted by
[email protected] for a logout feature, which seems to be a problem for
users of http authentication. Tigran's method is perfect, except that
after you log out, you can STILL access the pages by clicking on
"cancel" when prompted again by the Java window. 
This will trigger the 401 error. But it will also create an entry in the
history folder. 

You will notice the "forward" button on your browser becomes
clickable. You only have to click on the that "forward" button
to be able to access the protected pages. 

I have found a solution for this problem by using a little Javascript to
refresh to another page.

Please go to my website for details:

I use apache's built in support for .htaccess, and the following function
to grab user details as required.

Function GetHttpAuth()
{
        $headers = getallheaders();
        $auth=explode(" ",$headers[Authorization]);
if ($auth=='') { $auth=explode(" " ,$headers[authorization]); }

        $authdec=base64_decode($auth[1]);
        $autharray=explode(":",$authdec);
        $authname=$autharray[0];
        $authpass=$autharray[1];
        return($autharray);
}

NOTE: For users of 4.2.0 and later. For this to work, you must deal with
the issue of the external variables not being registered in the global
scope by default. The quickest fix is to add register_globals = on to your
php.ini.

If you want to access $PHP_AUTH_USER or $PHP_AUTH_PW variables via the
$GLOBALS variable, here is the good path:

$GlOBALS[_SERVER][$PHP_AUTH_USER]
and
$GlOBALS[_SERVER][$PHP_AUTH_PW]

In the messages above [_SERVER] was unspecified.

This is useful when you want to unset those variables in a function; then
your test for the HTTP login prompt would be:

if ((!isset($PHP_AUTH_USER)) || ($PHP_AUTH_USER=="")
{
header("WWW-Authenticate: Basic realm=\"Login
process\"");
header("HTTP/1.0 401 Unauthorized");
...
}
else
{
 if ( =>here test if log/pass are the good one<= )
{
 ... ok
}
else
{
$GLOBALS['_SERVER']['PHP_AUTH_USER'="";
...error message, user could log again
}
}

The definitive HTTP authorization code:

function login_error()
{
 echo "error - login process failed."
}

if (!isset($PHP_AUTH_USER))
{
 header("WWW-Authenticate: Basic realm=\"Mosaic Authorization
process\"");
 header("HTTP/1.0 401 Unauthorized");

 //Result if user hits cancel button
 login_error();
}
else
{

 //check the login and password
 if('=>test on login and password<=')
 {
  //User is logged
  ...
  ...
 }
 else
 {
  //This re-asks three times the login and password.
  header( "WWW-Authenticate: Basic realm=\"Test Authentication
System\"");
  header("HTTP/1.0 401 Unauthorized");

  //Result if user does not give good login and pass
  login_error();
 }
}

Using the same salt for all things is a bad idea.

Use the first two letters of the username - this also makes moving to
other .htaccess based systems easier :)

A more elegant way to force a new name/password, cf. example 17-2 (if you
don't mind passing the old user in the query string):

<?
if (isset($PHP_AUTH_USER))
{
	if (!isset($prev_user))
	{
		header("Location: );
		exit;
	}
	else
	{
		if ($PHP_AUTH_USER == $prev_user)
		{
			header('WWW-Authenticate: Basic realm="Secure"');
			header('HTTP/1.0 401 Unauthorized');
			exit;
		}
	}
}
else
{
	header('WWW-Authenticate: Basic realm="Secure"');
	header('HTTP/1.0 401 Unauthorized');
	exit;
}
?>

The final set of headers is necessary because some browsers seem to unset
$PHP_AUTH_USER when the location header is sent.

Hi,
Sometimes IE even after closing page remembers $PHP_AUTH_USER and
$PHP_AUTH_PW . is there any way to clean this buffer ?
Thanks.

Now with the new super globals, these variables are stored in the $_SERVER
super global. Just use $_SERVER["PHP_AUTH_USER"] and
$_SERVER["PHP_AUTH_PW"] for PHP 4.1.x and higher.

Seems that REMOTE_USER is only set in .htaccess Authentification not in PHP
header Authentifications

Does anyone know how to do the opposite ie: passing a username and password
to the http server in order for it to authenticate a given protected
directory???

Does anyone know how to do the opposite ie: passing a username and password
to the http server in order for it to authenticate a given protected
directory???

Put it directly into the URL ?

Is it possible to change these variables manually?

$_SERVER["PHP_AUTH_USER"]
$_SERVER["PHP_AUTH_PW"]

that way, it would be easy to make a logout script.