# HTTP Authentication PHP

If you have any experience with the Web, you're familiar with basic HTTP authentication. You request a page, and a small dialog window appears asking for username and password. PHP allows you to open URLs with the fopen function. You can even specify a username and password in the URL in the same way you do in Navigator's location box. Authentication is implemented using HTTP headers, and you can protect your PHP pages using the header function.

To protect a page with basic HTTP authentication, you must send two headers. The WWW-Authenticate header tells the browser that a username and password are required. It also specifies a realm that groups pages. A username and password are good for an entire realm, so users don't need to authenticate themselves with each page request. The other header is the status, which should be HTTP/1.0 401 Unauthorized.

Compare this to the usual header, HTTP/1.0 200 OK. This is an example of protecting a single page. The HTML to make a page is put into functions because it needs to be printed whether the authentication succeeds or fails. The PHP_AUTH_USER and PHP_AUTH_PW variables are created automatically by PHP if a username and password are passed by the browser. The example requires my name, leon, for the username and secret for the password. A more complex scheme might match username and password against a list stored in a file or a database.

Requiring Authentication

<?
/*
** Define a couple of functions for
** starting and ending an HTML document
*/
function startPage()
{
print("<HTML> ");
print("<TITLE>Listing 18.1</TITLE> ");
print("<BODY> ");
}
function endPage()
{
print("</BODY> ");
print("</HTML> ");
}
/*
*/
if(($PHP_AUTH_USER == "leon") AND ($PHP_AUTH_PW ==
"secret"))
{
startPage();
print("You have logged in successfully!<BR> ");
endPage();
}
else
{
//send headers to cause a browser to request
Protected Area"");
//show failure text
Authentication.<br> ");
print("Use <B>leon</B> for the username, and
<B>secret</B> ");
}
?>

Now that you know how to protect a page, it may be instructive to workthe other direction, requesting a protected page. As I said earlier, the fopen function allows you to specify username and password as part of a URL, but you may have a more complicated situation where you need to use fsockopen. An Authentication request header is necessary. The value of this header is a username and password separated by a colon.

This string is base64 encoded, in compliance with the HTTP specification. You may need to mod- ify the URI to make it work on your Web server. The script assumes you have installed all the examples on your Web server in /corephp/listings. If you are wondering about the at the end of each line, recall that all lines sent to HTTP servers must end in a carriage return and a linefeed.

Requesting a Protected Document

<?
//open socket
if(!($fp = fsockopen("localhost", 80))) { print("Couldn't open socket!<BR> "); exit; } //make request for document fputs($fp, "HEAD /corephp/listings/18-1.php
HTTP/1.0 ");
fputs($fp, "Authorization: Basic " . base64_encode("leon:secret") . " "); //end request fputs($fp, " ");