Snippet: HTTP authentication in PHP
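HTTP authentication is the easiest way to make a page or area of a website secure. It’s very easy to accomplish with pure PHP, so no web server configuration is required, which makes it a lot more portable. Basic Auth sends the username and password base64-encoded rather than encrypted, so only use it over HTTPS.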
This function implements a very simple HTTP Basic Auth authentication system. Simply call it before you do anything else in your script, pass it an array of valid users (username => password), an optional description of what’s being secured and it will do the rest.
    function authenticate($users = array(), $realm = false)
    {
        // $users should be an array of user => password.
        // An empty array means nobody can log in: no default account is added,
        // because a built-in admin/password login would be trivially guessable.

        // If no realm was given, add a default.
        if ($realm === false) {
            $realm = 'Restricted area';
        }

        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

        // hash_equals() compares in constant time and, unlike !=, does no type juggling.
        $valid = $user !== null
            && isset($users[$user])
            && hash_equals((string) $users[$user], (string) $pass);

        // Missing or wrong credentials: send the challenge and a 401 in both cases.
        if (!$valid) {
            header('WWW-Authenticate: Basic realm="'.$realm.'"');
            header('HTTP/1.0 401 Unauthorized');
            die('<html><head><title>Unauthorised</title></head><body><h1>Unauthorised</h1><p>You are not authorised to view this page</p></body></html>');
        }
    }
Example usage:
    $valid_users = array(
        'stuart' => 'abracadabra',
        'jim' => 'zarniwoop',
        'slartibartfast' => 'fjords',
    );
    authenticate($valid_users, 'My Secure Area');
Note that the function doesn’t return anything or throw any exceptions. If it can’t validate the user it will end the script after sending back an appropriate response.
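The usage above keeps plaintext passwords in the script. The following is an added example, not part of the original snippet, that takes password_hash() output instead and verifies it with password_verify(); the names credentials_ok and authenticate_hashed are hypothetical, the sample hashes are constructed inline, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not the original snippet. Function names are hypothetical.

// Pure check: $users maps username => password_hash() output.
function credentials_ok(array $users, ?string $user, ?string $pass): bool
{
    // A dummy hash is verified for unknown users, so both paths cost about
    // the same and response time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $known = $user !== null && isset($users[$user]) && is_string($users[$user]);
    $hash  = $known ? $users[$user] : $dummy;
    $match = password_verify((string) $pass, $hash);

    return $known && $match;
}

function authenticate_hashed(array $users, string $realm = 'Restricted area'): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;

    if (!credentials_ok($users, $user, $pass)) {
        // Same 401 challenge for "no credentials" and "wrong credentials".
        // Strip characters that could break out of the quoted realm or the header.
        $realm = str_replace(['"', '\\', "\r", "\n"], '', $realm);
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        http_response_code(401);
        exit('Unauthorised');
    }
    return $user;
}

// Constructed sample data. In practice, generate each hash once with
// password_hash() and keep only the hash in the script or config file.
$valid_users = [
    'stuart' => password_hash('abracadabra', PASSWORD_DEFAULT),
    'jim'    => password_hash('zarniwoop', PASSWORD_DEFAULT),
];

if (PHP_SAPI === 'cli') {
    // Self-check from the command line: one valid login, then three rejections.
    var_dump(credentials_ok($valid_users, 'stuart', 'abracadabra'));
    var_dump(credentials_ok($valid_users, 'stuart', 'wrong'));
    var_dump(credentials_ok($valid_users, 'nobody', 'abracadabra'));
    var_dump(credentials_ok([], null, null));
} else {
    $current_user = authenticate_hashed($valid_users, 'My Secure Area');
}
```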