php http authentication

jaandrws

The following code continues to ask for authentication even if I enter the right username (foo) and password (bar). What am I doing wrong?

<?
if ( $auth != 1 ) {	 //if the user isn't authenticated

header( "WWW-Authenticate: Basic realm=\"Authorization Required!\"" ); //this makes the browser generate a login box
header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
exit; //this makes the script exit, and the user session ends. No script for you!
}


$auth = 0; // Assume user is not authenticated
if (($PHP_AUTH_USER == "foo" ) && ($PHP_AUTH_PW == "bar" )) $auth = 1; //If all is well, consider the user authenticated


?>
<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>test</title>

</head>
<body>
<p>You must have entered the right password.</p>
</body>
</html>

laserlight

You should be using $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] instead of $PHP_AUTH_USER and $PHP_AUTH_PW respectively. Change, see if it works. If it does not, we'll take another look.

jaandrws

I changed the line to read:

if (($SERVER['PHP_AUTH_USER'] == "foo" ) && ($SERVER['PHP_AUTH_PW'] == "bar" )) $auth = 1; //If all is well, consider the user authenticated

with no change in behavior.

laserlight

hmm... I suggest trying this instead:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    || !($_SERVER['PHP_AUTH_USER'] == 'foo' && $_SERVER['PHP_AUTH_PW'] == 'bar'))
{
    header('WWW-Authenticate: Basic realm="Authorization Required!"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required!';
    exit;
}
else
{
?>
<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>test</title>

</head>
<body>
<p>You must have entered the right password.</p>
</body>
</html>
<?php
}
?>

jaandrws

That worked. Can you tell me why? Is this authentication for that page good until the user quits their browser? One other thing, how do I require on another page that the username has already been entered here on this one?

laserlight

That worked. Can you tell me why?

Honestly, I do not use HTTP authentication, so I adapted the example from the PHP manual.

Is this authentication for that page good until the user quits their browser?

Yes.

One other thing, how do I require on another page that the username has already been entered here on this one?

You can use the same code. I expect that $SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] should still be available.

jaandrws

Can you tell me what the purpose of the || is? I've seen people use it, but I don't know its purpose.
Example:
if (!isset($SERVER['PHP_AUTH_USER'], $SERVER['PHP_AUTH_PW'])
|| !($SERVER['PHP_AUTH_USER'] == 'foo' && $SERVER['PHP_AUTH_PW'] == 'bar'))

Horizon88

It means "or".

jaandrws

I would have thought the following modification would enable me to connect this script to a database of different members, but it gives me the error:

Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/.sites/110/site133/web/indexer.php on line 6

How can I modify this script to authenticate from a database?

<?php

$link = mysql_connect("&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;","&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;","&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;") or die("Could not connect: ".mysql_error());
        mysql_select_db("ositoweb")or die("Could not select database: ".mysql_error());

$query = "SELECT id,uname, pword FROM ithf_members WHERE uname = '$SERVER['PHP_AUTH_USER']' and pword = '$SERVER['PHP_AUTH_PW']'";
$result = mysql_query($query) or die("Could not perform query: ".mysql_error());
$row = mysql_fetch_array($result);
$uname = $row['uname'];
$pword = $row['pword'];

if (!isset($SERVER['PHP_AUTH_USER'], $SERVER['PHP_AUTH_PW'])
|| !($SERVER['PHP_AUTH_USER'] == $uname && $SERVER['PHP_AUTH_PW'] == $pword))
{
header('WWW-Authenticate: Basic realm="Authorization Required!"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required!';
exit;
}
else
{
?>
<html>
<head>

</head>
<body>
<p>You must have entered the right password.</p>
<a href="indexem.php">Click here to test multi page authentication.</a>
</body>
</html>
<?php
}
?>

laserlight

$query = "SELECT id,uname, pword FROM ithf_members WHERE uname = '$SERVER['PHP_AUTH_USER']' and pword = '$SERVER['PHP_AUTH_PW']'";

should be:

$query = sprintf("SELECT id,uname, pword FROM ithf_members WHERE uname = '%s' and pword = '%s'",
                 mysql_real_escape_string($_SERVER['PHP_AUTH_USER']),
                 mysql_real_escape_string($_SERVER['PHP_AUTH_PW']));

Basically, the first problem has to do with a syntax error concerning PHP strings, the second is a potential error allowing SQL injection.