
the header 'WWW-Authenticate'

I had a question about the use of the HTTP header 'WWW-Authenticate'
in PHP scripts. For example, the script below sends the header
'WWW-Authenticate: Basic Realm="Secret Stash"', followed by the header
'HTTP/1.0 401 unauthorized', to force the web browser to display a
username/password dialog. The script then calls exit().

I don't understand how the script gets re-invoked (after the username
and password have been supplied in the dialog box and the user has
clicked OK) because the script called exit() after issuing the two
header() calls.

I understand that once the username and password have been supplied,
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are set.
But how does the server know to re-invoke the same script a second
time? After all, the script just did an exit() after sending the
headers.

<?php
// Preset authentication status to false.
$authorized = FALSE;

if (isset($_SERVER['PHP_AUTH_USER']) &&
    isset($_SERVER['PHP_AUTH_PW'])) {

    // Read the authentication file into an array
    $authFile = file("./authenticationFile.txt");

    // Cycle through each line in file, searching for
    // authentication match. Each line is "username:md5-of-password".
    foreach ($authFile as $login) {

        list($username, $password) = explode(":", $login);

        // Remove the newline from the password
        $password = trim($password);

        // Strict comparison for the name and hash_equals() for the hash:
        // a loose == treats hex strings such as "0e123..." as numbers,
        // so two different hashes could compare as equal.
        if ($username === $_SERVER['PHP_AUTH_USER'] &&
            hash_equals($password, md5($_SERVER['PHP_AUTH_PW']))) {

            $authorized = TRUE;
            break;
        }
    }
}

// If not authorized, display authentication prompt or 401 error
if (! $authorized) {

    header('WWW-Authenticate: Basic Realm="Secret Stash"');
    header('HTTP/1.0 401 Unauthorized');
    print('You must provide the proper credentials! Buster!!!');
    exit;
}
// restricted material goes here...
?>

Sep 22 '08 #1
3 Replies


ku***@pobox.com wrote:
> I had a question about the use of the HTTP header 'WWW-Authenticate'
> in PHP scripts. For example, the script below sends the header
> 'WWW-Authenticate: Basic Realm="Secret Stash"', followed by the header
> 'HTTP/1.0 401 unauthorized', to force the web browser to display a
> username/password dialog. The script then calls exit().
>
> I don't understand how the script gets re-invoked (after the username
> and password have been supplied in the dialog box and user has clicked
> OK) because the script called exit() after issuing the two header()
> calls.
<snipped example>

Your script first checks if a username and a password are given and
exits only if that is not the case, sending a request header for
authentication.

The client asks for the page (without the password and username being
sent), gets the request header and then displays a login dialog.
When the user has filled in the username and password, the page is
requested again, but now with credentials. So the browser just requests
the same page again with different headers.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Sep 22 '08 #2

> When the user has filled in the username and password, the page is
> requested again, but now with credentials. So the browser just requests
> the same page again with different headers.

Thanks Willem for the reply. While I did understand the logic of the
script, what I wasn't familiar with was the fact that the http server
remembers the script that issued the
header('WWW-Authenticate: Basic Realm="Secret Stash"');
header('HTTP/1.0 401 Unauthorized');
and re-invokes it. So it is the http server that "remembers" and then
re-invokes the same script that issued the 'WWW-Authenticate'.
Sep 22 '08 #3

In our last episode,
<20**********************************@d1g2000hsg.googlegroups.com>,
the lovely and talented ku***@pobox.com
broadcast on comp.lang.php:
>> When the user has filled in the username and password, the page is
>> requested again, but now with credentials. So the browser just requests
>> the same page again with different headers.
> Thanks Willem for the reply. While I did understand the logic of the
> script, what I wasn't familiar with was the fact that the http server
> remembers the script that issued the
> header('WWW-Authenticate: Basic Realm="Secret Stash"');
> header('HTTP/1.0 401 Unauthorized');
> and re-invokes it. So it is the http server that "remembers" and then
> re-invokes the same script that issued the 'WWW-Authenticate'.

Errr...no. It's the browser. Try reading the response again.

--
Lars Eighner <http://larseighner.com/> us****@larseighner.com
I have not seen as far as others because giants were standing on my shoulders.
Sep 22 '08 #4
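
The round trip described in the replies, as an added example that is not code from the thread: serve() models one independent run of the protected script, and browserFetch() models the browser, which is the side that repeats the request after the 401 challenge. The function names, the user alice and the password are constructed for illustration.

```php
<?php
// One run of the protected script: it sees only the headers of this request.
function serve(array $requestHeaders): array
{
    $users = ['alice' => md5('secret')];            // constructed credential store
    $auth  = $requestHeaders['Authorization'] ?? '';

    // PHP does this decoding itself to fill PHP_AUTH_USER / PHP_AUTH_PW.
    if (preg_match('/^Basic\s+(\S+)$/i', $auth, $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pw] = explode(':', $decoded, 2);
            if (isset($users[$user]) && hash_equals($users[$user], md5($pw))) {
                return [200, [], "restricted material for $user"];
            }
        }
    }
    // No or wrong credentials: send the challenge and stop. Nothing is remembered.
    return [401, ['WWW-Authenticate' => 'Basic realm="Secret Stash"'], 'denied'];
}

// What the browser does: send the request, and on a 401 challenge ask the
// user for credentials, then send the same request again with them attached.
function browserFetch(string $user, string $pw): array
{
    $log     = [];
    $headers = [];                                   // first request: no credentials
    for ($attempt = 1; $attempt <= 2; $attempt++) {
        [$status, $respHeaders, $body] = serve($headers);
        $log[] = "request $attempt -> $status";
        if ($status !== 401 || !isset($respHeaders['WWW-Authenticate'])) {
            break;
        }
        // Dialog filled in. The value is base64-encoded, not encrypted,
        // so it is only protected in transit when the site uses HTTPS.
        $headers = ['Authorization' => 'Basic ' . base64_encode("$user:$pw")];
    }
    return [$status, $body, $log];
}

[$status, $body, $log] = browserFetch('alice', 'secret');
echo implode("\n", $log), "\n$status $body\n";
```

The script's exit() ends only the first run; the second run is a new request that happens to carry an Authorization header.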
