PHP HTTP login example. This code implements an HTTP login operation. If a user successfully logs in (for simplicity the credentials are hard coded, but in practice this would involve a database lookup), the script records this in a cookie, read back through $_COOKIE['logged'] under the key 'logged'. If a user returns, they are automatically "connected" and the Welcome message is displayed.

If the user fails to provide both the username and password, or they are not valid, the header() function is used to send the user back to the authentication / login prompt. In fact, this is what happens the first time this script is run. HTTP authentication is specified in the header("WWW-Authenticate: Basic realm=\"Test Realm\""); function call. Information about HTTP authentication can be found at http://www.faqs.org/rfcs/rfc2617.html (basic HTTP is at http://www.faqs.org/rfcs/rfc2616).

Authentication Scheme:

Different authentication schemes can be used. Here "Basic" is specified. This means the client must authenticate with a user and password for each realm specified. Here we call our realm "Test Realm", which is an arbitrary string we have chosen. The realm in HTTP authentication is the string that the browser/agent displays when asking the user for their login and password. It should indicate to the user which login and password to enter.

User Id and Password

In HTTP authentication, the information the user entered is made available by the server and accessed in PHP through the $_SERVER array. In particular, the key 'PHP_AUTH_USER' gives the user id and the key 'PHP_AUTH_PW' gives the password.

<?php

   // Add this line if you want to create some PHP functions for formatting... ignore for now.
   //include 'util.inc';

   // Login credentials.
   // Instead of hard coding, you would do a lookup in a database
   // with the entered user login.
   define('USER', 'lynne');
   define('PASSWD', 'wow');

   // If the user previously logged in, this is noted by
   // the cookie referenced by the key 'logged'.
   // isset() avoids an undefined-index notice on the first visit.
   $logged_in = isset($_COOKIE['logged']) ? $_COOKIE['logged'] : false;

   // If we don't have a cookie or a username, ask the browser to prompt for a
   // password.
   // The second part of the conditional looks for a key called PHP_AUTH_USER
   // in $_SERVER, a PHP predefined array containing info about headers,
   // paths, etc. PHP_AUTH_USER contains the username when doing HTTP
   // authentication in the PHP server.
   // So, if there is no previously-logged-in cookie and no username set,
   // respond with a message.
   if (!$logged_in && !array_key_exists('PHP_AUTH_USER', $_SERVER)) {
      header("WWW-Authenticate: Basic realm=\"Test Realm\"");
      header("HTTP/1.0 401 Unauthorized");
      echo 'Password Needed';
      exit;   // stop here so the welcome message is not sent with the 401
   }

   // See if there's no cookie, but a username and password.
   if (!$logged_in && array_key_exists('PHP_AUTH_USER', $_SERVER)) {
      // Gave login & password, no cookie. Check user & password.
      // === compares as strings, with no loose type conversion.
      if ($_SERVER['PHP_AUTH_USER'] === USER &&
          $_SERVER['PHP_AUTH_PW'] === PASSWD) {
         // Set the cookie for a week.
         setcookie('logged', '1', time() + 7 * 24 * 60 * 60);
      } else {
         header("WWW-Authenticate: Basic realm=\"Test Realm\"");
         header("HTTP/1.0 401 Unauthorized");
         echo 'Password Incorrect';
         exit;   // failed login: do not fall through to the welcome message
      }
   }

   echo "Welcome ..login successful";
?>
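
The 'logged' cookie above holds the fixed value '1', and a cookie is data sent back by the browser, so the server has no way to tell that it issued it. The following is an added example, not part of the original page's code: it signs the cookie with an HMAC and checks signature and expiry before trusting it. COOKIE_KEY, COOKIE_TTL, make_login_cookie() and check_login_cookie() are hypothetical names, and user names are assumed not to contain '|'.

```php
<?php
// Added example: the key and helper names are assumptions, not the page's code.
const COOKIE_KEY = 'replace-with-a-long-random-secret'; // constructed placeholder
const COOKIE_TTL = 7 * 24 * 60 * 60;                    // one week, as on the page

// Build "user|expiry|mac" where mac = HMAC-SHA256(key, "user|expiry").
function make_login_cookie(string $user, int $now): string {
    $payload = $user . '|' . ($now + COOKIE_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the user name if the cookie is authentic and unexpired, else null.
function check_login_cookie(?string $cookie, int $now): ?string {
    if ($cookie === null) {
        return null;                       // no cookie sent
    }
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                       // wrong shape, e.g. the bare value '1'
    }
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // signature does not match
    }
    if (!ctype_digit($expiry) || (int)$expiry < $now) {
        return null;                       // expired or malformed expiry
    }
    return $user;
}

// Constructed sample values exercising the accept and reject paths.
$now    = 1700000000;
$cookie = make_login_cookie('lynne', $now);
var_dump(check_login_cookie($cookie, $now));                  // freshly issued cookie
var_dump(check_login_cookie('1', $now));                      // unsigned value
var_dump(check_login_cookie($cookie, $now + COOKIE_TTL + 1)); // past its expiry

// In the page's script the cookie would be set with protective attributes
// (the array form of setcookie() requires PHP 7.3 or later):
// setcookie('logged', $cookie, ['expires' => $now + COOKIE_TTL,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

In the login script, $logged_in would then be the result of check_login_cookie($_COOKIE['logged'] ?? null, time()) instead of the raw cookie value.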

© Lynne Grewe