Basic Server Authentication with PHP

Sometimes you want to secure a particular webpage, but don't want to manage users or accounts, write a separate login page, etc. The easy way to authenticate is to use HTTP's WWW-Authenticate response header:

<?php
    
    // hash_equals() compares in constant time and avoids the type juggling of !=.
    $nouser = empty($_SERVER['PHP_AUTH_USER']) || !hash_equals('MyUsername', $_SERVER['PHP_AUTH_USER']);
    $nopass = empty($_SERVER['PHP_AUTH_PW']) || !hash_equals('MyPassword', $_SERVER['PHP_AUTH_PW']);
    
    if ($nouser || $nopass) {
        // Missing or wrong credentials: make the browser prompt for them.
        header('WWW-Authenticate: Basic realm="Geekworks Unlimited, LLC."');
        header('HTTP/1.0 401 Unauthorized');
        echo '<h1>HTTP/1.0 401 Unauthorized</h1>';
    } else {
?>
<!DOCTYPE html>
<html>
    <head>
        <title>My Secret Website</title>
    </head>
    <body>
        Your website content goes here.
    </body>
</html>
<?php    
    }
    
    exit;
    
?>

This checks against a single (hardcoded) username and password, which is fine in simple cases. If you do need to give each user his or her own username and password, you can replace the first two lines with a loop that checks $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] against values in your user database.
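The per-user check described above, as an added example that is not code from the original post. It assumes a hypothetical `$users` array standing in for the user database (usernames mapped to `password_hash()` output, with constructed sample accounts) and a helper named `check_basic_auth()` that is introduced here.

```php
<?php
// Added example. $users stands in for a database table (assumption): it maps
// each username to a password_hash() digest, never to the plaintext password.
// The accounts and passwords below are constructed sample data; a real table
// would already hold the digests instead of hashing on every request.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT),
];

// Hypothetical helper: true only if the supplied pair matches a stored digest.
function check_basic_auth(array $users, ?string $user, ?string $pass): bool
{
    // Digest verified when the username is unknown, so a miss costs about the
    // same time as a wrong password and does not reveal which names exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    if ($user === null || $pass === null) {
        return false; // the browser sent no Authorization header
    }
    $known = array_key_exists($user, $users);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

$authed = check_basic_auth(
    $users,
    $_SERVER['PHP_AUTH_USER'] ?? null,
    $_SERVER['PHP_AUTH_PW'] ?? null
);

if (!$authed) {
    header('WWW-Authenticate: Basic realm="Geekworks Unlimited, LLC."');
    header('HTTP/1.0 401 Unauthorized');
    echo '<h1>HTTP/1.0 401 Unauthorized</h1>';
    exit;
}

// Only authenticated requests get this far; escape the name before echoing it.
echo 'Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
```

Basic credentials are sent base64-encoded, not encrypted, with every request, so serve the protected pages over HTTPS.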

One note: You will want to change the text in realm="...". This message is shown in the popup that asks the visitor to input a username and password. It also names the group of pages that share a login: if you include the same realm on multiple pages, the user will only have to log in once in order to visit all of the pages.

about hb stone

I'm a Front-End Engineer at Yahoo! working on the Mail and Messenger teams. I blog about web design and development topics including accessibility, usability, performance, and developing HTML / CSS / JavaScript applications on Appcelerator Titanium and Adobe AIR.

If you're a web developer, you might enjoy Jelo, my JavaScript library.

copyright

All original work on this site is covered by a Creative Commons Attribution 3.0 license unless otherwise specified.

You may share or use any code or images from this site in any manner, for free, so long as reasonable effort has been made to give credit where due.

The views expressed in the posts and comments on this blog do not necessarily reflect the views of Yahoo!