PHP Snippet: HTTP Authentication

HTTP authentication is the easiest way to make a page or area of a website secure. It's very easy to accomplish with pure PHP, so no web server configuration is required making it a lot more portable.

This function implements a very simple HTTP Basic Auth authentication system. Simply call it before you do anything else in your script, pass it an array of valid users (username => password), an optional description of what's being secured and it will do the rest.

function authenticate($users = array(), $realm = false)
{
  // $users should be an array of user => password.
  if (count($users) == 0) {
    // No users given, add a default.
    $users['admin'] = 'password';
  }

  // If no realm was given, add a default.
  if ($realm === false) {
    $realm = 'Restricted area';
  }

  // If we haven't been passed a username via basic auth, ask for one.
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="'.$realm.'"');
    header('HTTP/1.0 401 Unauthorized');
    die('<html><head><title>Unauthorised</title></head><body><h1>Unauthorised</h1><p>You are not authorised to view this page</p></body></html>');
  } elseif (!isset($users[$_SERVER['PHP_AUTH_USER']]) or $users[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) {
    die('<html><head><title>Unauthorised</title></head><body><h1>Unauthorised</h1><p>You are not authorised to view this page</p></body></html>');
  }
}

Example usage:

$valid_users = array(
    'stuart' => 'abracadabra',
    'jim' => 'zarniwoop',
    'slartibartfast' => 'fjords',
  );
authenticate($valid_users, 'My Secure Area');

Note that the function doesn't return anything or throw any exceptions. If it can't validate the user it will end the script after sending back an appropriate response.

blog comments powered by Disqus