The following code continues to ask for authentication even if I enter the right username (foo) and password (bar). What am I doing wrong?

<?
if ( $auth != 1 ) {	 //if the user isn't authenticated

header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}


$auth = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $auth = 1; //If all is well, consider the user authenticated


?>
<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>test</title>

</head>
<body>
<p>You must have entered the right password.</p>
</body>
</html>

    You should be using $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] instead of $PHP_AUTH_USER and $PHP_AUTH_PW respectively. Change, see if it works. If it does not, we'll take another look.

      I changed the line to read:

      if (($_SERVER['PHP_AUTH_USER'] == "foo" ) && ($_SERVER['PHP_AUTH_PW'] == "bar" )) $auth = 1; //If all is well, consider the user authenticated

      with no change in behavior.

        hmm... I suggest trying this instead:

        <?php
        if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
            || !($_SERVER['PHP_AUTH_USER'] == 'foo' && $_SERVER['PHP_AUTH_PW'] == 'bar'))
        {
            header('WWW-Authenticate: Basic realm="Authorization Required!"');
            header('HTTP/1.0 401 Unauthorized');
            echo 'Authorization Required!';
            exit;
        }
        else
        {
        ?>
        <html>
        <head>
        
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <title>test</title>
        
        </head>
        <body>
        <p>You must have entered the right password.</p>
        </body>
        </html>
        <?php
        }
        ?>

          That worked. Can you tell me why? Is this authentication for that page good until the user quits their browser? One other thing, how do I require on another page that the username has already been entered here on this one?

            That worked. Can you tell me why?

            Honestly, I do not use HTTP authentication, so I adapted the example from the PHP manual.

            Is this authentication for that page good until the user quits their browser?

            Yes.

            One other thing, how do I require on another page that the username has already been entered here on this one?

            You can use the same code. I expect that $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] should still be available.

              Can you tell me what the purpose of the || is? I've seen people use it, but I don't know its purpose.
              Example:
              if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
              || !($_SERVER['PHP_AUTH_USER'] == 'foo' && $_SERVER['PHP_AUTH_PW'] == 'bar'))

                I would have thought the following modification would enable me to connect this script to a database of different members, but it gives me the error:

                Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/.sites/110/site133/web/indexer.php on line 6

                How can I modify this script to authenticate from a database?

                <?php

                $link = mysql_connect("••••••","••••••","••••••") or die("Could not connect: ".mysql_error());
                        mysql_select_db("ositoweb")or die("Could not select database: ".mysql_error());

                $query = "SELECT id,uname, pword FROM ithf_members WHERE uname = '$_SERVER['PHP_AUTH_USER']' and pword = '$_SERVER['PHP_AUTH_PW']'";
                $result = mysql_query($query) or die("Could not perform query: ".mysql_error());
                $row = mysql_fetch_array($result);
                $uname = $row['uname'];
                $pword = $row['pword'];

                if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
                || !($_SERVER['PHP_AUTH_USER'] == $uname && $_SERVER['PHP_AUTH_PW'] == $pword))
                {
                header('WWW-Authenticate: Basic realm="Authorization Required!"');
                header('HTTP/1.0 401 Unauthorized');
                echo 'Authorization Required!';
                exit;
                }
                else
                {
                ?>
                <html>
                <head>

                <meta http-equiv="content-type" content="text/html; charset=utf-8">
                <title>test</title>

                </head>
                <body>
                <p>You must have entered the right password.</p>
                <a href="indexem.php">Click here to test multi page authentication.</a>
                </body>
                </html>
                <?php
                }
                ?>

                  $query = "SELECT id,uname, pword FROM ithf_members WHERE uname = '$_SERVER['PHP_AUTH_USER']' and pword = '$_SERVER['PHP_AUTH_PW']'";

                  should be:

                  $query = sprintf("SELECT id,uname, pword FROM ithf_members WHERE uname = '%s' and pword = '%s'",
                                   mysql_real_escape_string($_SERVER['PHP_AUTH_USER']),
                                   mysql_real_escape_string($_SERVER['PHP_AUTH_PW']));

                  Basically, the first problem has to do with a syntax error concerning PHP strings, the second is a potential error allowing SQL injection.
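
The database-backed check discussed in this thread, as an added example that is not code from any poster: it binds the username as a query parameter instead of building the SQL string, and compares the password against a stored hash rather than a plaintext column. Assumptions: PHP 7.1+ with PDO (the mysql_* functions used above were removed in PHP 7), an in-memory SQLite table constructed here to stand in for ithf_members, and a hypothetical helper named check_credentials.

```php
<?php
// Constructed stand-in for the thread's ithf_members table (assumption: the
// pword column holds a password_hash() value, not the plaintext password).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ithf_members (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pword TEXT)');
$ins = $db->prepare('INSERT INTO ithf_members (uname, pword) VALUES (?, ?)');
$ins->execute(['foo', password_hash('bar', PASSWORD_DEFAULT)]); // constructed sample row

// Hypothetical helper: true only when $user exists and $pass matches its hash.
function check_credentials(PDO $db, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false; // first request: the browser has not sent credentials yet
    }
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT pword FROM ithf_members WHERE uname = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    $known = ($hash !== false);
    if (!$known) {
        // Unknown user: verify against a throwaway hash so both paths do similar work.
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $match = password_verify($pass, $hash);
    return $known && $match;
}

// Decide first, emit headers second: the check must run before the 401 branch.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!check_credentials($db, $user, $pass)) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Authorization Required!"');
    echo 'Authorization Required!';
    exit;
}

// Escape the username before echoing it back into HTML.
echo '<p>Authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
```

Basic authentication resends the username and password with every request, only base64-encoded, so the page should be served over HTTPS. For a real deployment, replace the SQLite DSN with the MySQL one and store `password_hash()` output in pword when members are created.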
