Basic Server Authentication with PHP
Sometimes you want to secure a particular webpage, but don't want to manage users or accounts, write a separate
login page, etc. The easy way to authenticate is to use HTTP's WWW-Authenticate response header:
<?php
// hash_equals() compares strictly (no type juggling) and in constant time.
$nouser = empty($_SERVER['PHP_AUTH_USER']) || !hash_equals('MyUsername', $_SERVER['PHP_AUTH_USER']);
$nopass = empty($_SERVER['PHP_AUTH_PW']) || !hash_equals('MyPassword', $_SERVER['PHP_AUTH_PW']);
if ($nouser || $nopass) {
    // Missing or wrong credentials: ask the browser to prompt for them.
    header('WWW-Authenticate: Basic realm="Geekworks Unlimited, LLC."');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>HTTP/1.0 401 Unauthorized</h1>';
} else {
?>
<!DOCTYPE html>
<html>
<head>
<title>My Secret Website</title>
</head>
<body>
Your website content goes here.
</body>
</html>
<?php
}
exit;
?>
This checks against a single (hardcoded) username and password, which is fine in simple cases. If you
do need to give each user his or her own username and password, you can replace the first
two lines with a loop that checks $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']
against values in your user database.
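One way to do the per-user check, as an added example that is not part of the original post: a lookup stands in for the loop, the $users array is a constructed stand-in for your user database, and the function name check_basic_auth is hypothetical. It assumes the database stores password_hash() output rather than plaintext passwords and that the page is served over HTTPS, since Basic credentials are only base64-encoded in transit.

```php
<?php
// Added example: per-user HTTP Basic authentication.
// $users is a constructed stand-in for a user database. Real entries would be
// created once with password_hash() and stored; the plaintext is never kept.
$users = [
    'alice' => password_hash('constructed-sample-password-1', PASSWORD_DEFAULT),
    'bob'   => password_hash('constructed-sample-password-2', PASSWORD_DEFAULT),
];

/**
 * Return true only when the username exists and the password matches its hash.
 * (Hypothetical helper, not from the original post.)
 */
function check_basic_auth(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $user === '' || $pass === null) {
        return false;
    }
    // Unknown users are verified against a dummy hash so that the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : $dummy;
    $match = password_verify($pass, $hash);
    return $known && $match;
}

$ok = check_basic_auth(
    $users,
    $_SERVER['PHP_AUTH_USER'] ?? null,
    $_SERVER['PHP_AUTH_PW'] ?? null
);

if (!$ok) {
    header('WWW-Authenticate: Basic realm="Geekworks Unlimited, LLC."');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>HTTP/1.0 401 Unauthorized</h1>';
    exit;
}
// Authenticated: the protected page content follows from here.
```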
One note: You will want to change where it says realm="...". This message is shown in the
popup that asks the visitor to input a username and password. It also identifies a set of pages
that are authenticated together: if you include the same realm on multiple pages, the user will only have
to log in once in order to visit all of the pages.







2 Comments
For more info see: http://php.net/manual/en/features.http-auth.php