normal login versus http authentication

phpjaco

hello

I just came across someone elses code using http authentication instead of normal login.

what is the difference and why use http authentication instead of normal authentication?


AuthType Basic

AuthName "someguy"

AuthUserFile "/somehost/.htpasswds/somewebsite/passwd"


require valid-user

in the .htaccess file, the code refers to to an .htpasswds file that I have no access to, how do I recreate an .htpasswds file so that I could replicate his admin section.

any good tutorials would help, have gone throught some tutorials but they did not seem to work

here is the code i tried:

<?php 
if(($_SERVER['PHP_AUTH_USER'] == "foo") && ($_SERVER['PHP_AUTH_PW'] == "bar")) { 
    $auth = 1; 
} else { 
    $auth = 0; 
} 
if ($auth != 1) { 
   header("WWW-Authenticate: Basic realm="Authorization Required!""); 
   header( "HTTP/1.0 401 Unauthorized" ); 
   exit("Authorization Required!");
} 

echo " You have been authorized. Thanks"; 
?>

i tried username = "foo" and password = "bar" but that does not seem to work. so my questions would be:

why does the above example not ever login
and 2. how do i create a /htpasswds file so that i can login. (most of the tutorials I came across were for linux)
and 3. what are the benefits of using this type of authentication over standard mysql/php login

thanks in advance.

etully

If you have access to the .htaccess file, then you can change where it looks for the .htpasswd file... so essentially, you do have access to the .htpasswd file. Although, in the example you gave, it seems to use a file called passwd, not .htpasswd. (You can name the file anything you like).

http authentication is typically more secure because the professionals have already addressed many of the common mistakes that people make when they roll their own php/mysql login.

http authentication is typically faster to implement too because it usually doesn't require any coding on your part.

Both methods have their advantages. Either one can be implemented badly so you can't say that http authentication is always more secure.

By the way, you can't put quotes inside of quotes so this line won't work:
header("WWW-Authenticate: Basic realm="Authorization Required!"");

Try this instead:
$string = "WWW-Authenticate: Basic realm=\"Authorization Required!\"";
header($string);

Or maybe this:
header("WWW-Authenticate: Basic realm='Authorization Required!'");

Google for htaccess for windows to find the syntax to create an .htpasswd file for Windows. I found a number of examples.

phpjaco

should have noticed the quotes earlier but that didnt make a difference however, i still cant get to login with "foo" and "bar"

it just asks me three times to login and then tells me "authorization required"

here is the code again:

<?php 
if(($_SERVER['PHP_AUTH_USER'] == "foo") && ($_SERVER['PHP_AUTH_PW'] == "bar")) { 
    $auth = 1; 
} else { 
    $auth = 0; 
} 
if ($auth != 1) { 
    header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); 
    header( "HTTP/1.0 401 Unauthorized" ); 
    echo "Authorization Required!"; 
    exit(); 
} 

echo "English: You have been authorized."; 
?>

NogDog

I copied your script and ran it on my PC, and it worked fine.

Just wondering: do you have that .htaccess file with the authentication stuff in the same directory or a parent directory of your script? If so, it's being processed before your script ever starts, and is looking for a user/password match for its specified password file.

phpjaco

yes you were right, I had a copy of the htaccess file inside that folder. which is why it didnt work.

thanks, i deleted the original .htaccess file and now it works.