Skip to content

Instantly share code, notes, and snippets.

@rchrd2
Forked from westonruter/test-php-basic-auth.php
Last active February 1, 2024 21:18
Show Gist options
  • Save rchrd2/c94eb4701da57ce9a0ad4d2b00794131 to your computer and use it in GitHub Desktop.
Save rchrd2/c94eb4701da57ce9a0ad4d2b00794131 to your computer and use it in GitHub Desktop.
PHP basic auth example
<?php
function require_auth() {
$AUTH_USER = 'admin';
$AUTH_PASS = 'admin';
header('Cache-Control: no-cache, must-revalidate, max-age=0');
$has_supplied_credentials = !(empty($_SERVER['PHP_AUTH_USER']) && empty($_SERVER['PHP_AUTH_PW']));
$is_not_authenticated = (
!$has_supplied_credentials ||
$_SERVER['PHP_AUTH_USER'] != $AUTH_USER ||
$_SERVER['PHP_AUTH_PW'] != $AUTH_PASS
);
if ($is_not_authenticated) {
header('HTTP/1.1 401 Authorization Required');
header('WWW-Authenticate: Basic realm="Access denied"');
exit;
}
}
@Pax125
Copy link

Pax125 commented May 10, 2019

Thank you. This is testing if authentication is properly set.
What I need to know is, how to setup $_SERVER['PHP_AUTH_USER']
Do I just, assign it a parameter $_SERVER['PHP_AUTH_USER'] = $enteredvalue; ?

@PandCar
Copy link

PandCar commented Jun 30, 2019

function require_http_auth()
{
/*
# Если CGI, то в .htaccess
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.)
RewriteRule .
- [e=HTTP_AUTHORIZATION:%1]
*/

header('Cache-Control: no-cache, must-revalidate, max-age=0');

if (! empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']))
{
	preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $user_pass);
	
	$str = base64_decode($user_pass[1]);
	
	list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode(':', $str);
}

$has_supplied_credentials = !(empty($_SERVER['PHP_AUTH_USER']) && empty($_SERVER['PHP_AUTH_PW']));

$is_not_authenticated = (
	! $has_supplied_credentials 
	|| $_SERVER['PHP_AUTH_USER'] != AUTH_USER 
	|| $_SERVER['PHP_AUTH_PW']   != AUTH_PASS
);

if ($is_not_authenticated)
{
	header('HTTP/1.1 401 Authorization Required');
	header('WWW-Authenticate: Basic realm="Access denied"');
	exit;
}

}

@rchrd2
Copy link
Author

rchrd2 commented Jul 1, 2019

@mathritter someone just gave me a cookie!

@sruthibc
Copy link

sruthibc commented Feb 5, 2020

Awesome. Thanks!

@cloudeweb
Copy link

cloudeweb commented Feb 14, 2021

Hi! Is safe for protect a directory or url adding these precautions?

  • Are hidden url/folder, don't visible from external
  • Connection is HTTPS

I hope there are no errors in my function.

           public function require_auth()
            {
                
                /*
                    RewriteEngine On
                    RewriteCond %{HTTP:Authorization} ^(.)
                    RewriteRule . - [e=HTTP_AUTHORIZATION:%1]
                */

                $AUTH_USER = 'myUser';
                $AUTH_PASS = 'myPass';

                header('Cache-Control: no-cache, must-revalidate, max-age=0');

                if (! empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']))
                {
                    preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $AUTH_PASS);
                    
                    $str = base64_decode($AUTH_PASS[1]);
                    
                    list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode(':', $str);
                }
    
                $has_supplied_credentials = !(empty($_SERVER['PHP_AUTH_USER']) && empty($_SERVER['PHP_AUTH_PW']));

                $is_not_authenticated = (
                    !$has_supplied_credentials ||
                    $_SERVER['PHP_AUTH_USER'] != $AUTH_USER || $_SERVER['PHP_AUTH_PW']   != $AUTH_PASS
                );

                if ($is_not_authenticated) {
                    header('HTTP/1.1 401 Authorization Required');
                    header('WWW-Authenticate: Basic realm="Access denied"');
                    exit;
                }

            }

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment