@rchrd2
Forked from westonruter/test-php-basic-auth.php
Last active February 1, 2024 21:18
PHP basic auth example
<?php
function require_auth() {
    $AUTH_USER = 'admin';
    $AUTH_PASS = 'admin';

    // Keep the browser and any intermediary from caching a protected response.
    header('Cache-Control: no-cache, must-revalidate, max-age=0');

    // Apache/mod_php fills these from the "Authorization: Basic" header;
    // default to '' so a missing entry does not raise an undefined-index notice.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    $has_supplied_credentials = !($user === '' && $pass === '');

    // hash_equals() compares in constant time and does not apply PHP's
    // loose string/number coercion, unlike !=.
    $is_not_authenticated = (
        !$has_supplied_credentials ||
        !hash_equals($AUTH_USER, $user) ||
        !hash_equals($AUTH_PASS, $pass)
    );

    if ($is_not_authenticated) {
        header('HTTP/1.1 401 Authorization Required');
        header('WWW-Authenticate: Basic realm="Access denied"');
        exit;
    }
}
cloudeweb commented Feb 14, 2021

Hi! Is it safe to protect a directory or URL by adding these precautions?

  • The URL/folder is hidden, not visible from outside
  • Connection is HTTPS

I hope there are no errors in my function.

public function require_auth()
{
    /*
        Under CGI/FastCGI the Authorization header does not reach PHP by
        default, so .htaccess passes it through as an environment variable
        (the capture must be ^(.*), not ^(.), or only one character arrives):

        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule . - [e=HTTP_AUTHORIZATION:%1]
    */

    $AUTH_USER = 'myUser';
    $AUTH_PASS = 'myPass';

    header('Cache-Control: no-cache, must-revalidate, max-age=0');

    if (! empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']))
    {
        // Capture into a separate $matches array: the original passed $AUTH_PASS
        // here, overwriting the expected password with the match array, so the
        // password comparison below could never succeed.
        if (preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
        {
            $str = base64_decode($matches[1]);

            // Split at the first ':' only, since the password may itself contain one;
            // the union guarantees index 1 exists for list() when no ':' is present.
            list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode(':', $str, 2) + [1 => ''];
        }
    }

    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    $has_supplied_credentials = !($user === '' && $pass === '');

    // hash_equals(): constant-time, strict string comparison instead of !=
    $is_not_authenticated = (
        !$has_supplied_credentials ||
        !hash_equals($AUTH_USER, $user) || !hash_equals($AUTH_PASS, $pass)
    );

    if ($is_not_authenticated) {
        header('HTTP/1.1 401 Authorization Required');
        header('WWW-Authenticate: Basic realm="Access denied"');
        exit;
    }
}

Thanks!
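An added example, not code from the gist or from the comment above, showing the header handling that the comment's function attempts done defensively: it accepts either the PHP_AUTH_* variables mod_php sets or the raw Authorization header passed through by the .htaccess rewrite, parses only a well-formed Basic token, splits at the first colon so a password containing ':' survives, and compares the user name in constant time while checking the password against a hash rather than a plaintext string. The user name, password, the hash computed at load time and the function names extract_basic_credentials / credentials_valid are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the gist or the comment above. Demo values only.
const AUTH_USER = 'myUser';
// Demo only: hash computed at load time. In practice paste a precomputed
// password_hash() output here so the plaintext never appears in the source.
define('AUTH_PASS_HASH', password_hash('myPass', PASSWORD_DEFAULT));

/**
 * Return [user, password] from the request, or null when no usable
 * Basic credentials are present.
 */
function extract_basic_credentials(array $server): ?array
{
    // mod_php already split the header for us.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) $server['PHP_AUTH_PW']];
    }

    // Otherwise parse the raw header. Accept only the Basic scheme and a
    // well-formed base64 token; base64_decode() in strict mode rejects junk.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', (string) $raw, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // RFC 7617: the user-id cannot contain ':', the password may, so split once.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/**
 * Constant-time user-name comparison plus password_verify() against the
 * stored hash. Both checks run unconditionally so the response time does
 * not reveal whether the user name alone was right.
 */
function credentials_valid(?array $creds): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $user_ok = hash_equals(AUTH_USER, $user);
    $pass_ok = password_verify($pass, AUTH_PASS_HASH);
    return $user_ok && $pass_ok;
}

function require_auth(): void
{
    header('Cache-Control: no-store');
    if (!credentials_valid(extract_basic_credentials($_SERVER))) {
        http_response_code(401);
        header('WWW-Authenticate: Basic realm="Access denied", charset="UTF-8"');
        exit;
    }
}

// Self-check on constructed inputs when run from the CLI: php basic_auth.php
if (PHP_SAPI === 'cli') {
    $check = static function (bool $ok, string $what): void {
        if (!$ok) {
            fwrite(STDERR, "FAILED: $what\n");
            exit(1);
        }
    };
    $good = 'Basic ' . base64_encode('myUser:myPass');
    $bad  = 'Basic ' . base64_encode('myUser:wrong');
    $check(credentials_valid(extract_basic_credentials(['REDIRECT_HTTP_AUTHORIZATION' => $good])), 'valid via rewrite');
    $check(credentials_valid(extract_basic_credentials(['PHP_AUTH_USER' => 'myUser', 'PHP_AUTH_PW' => 'myPass'])), 'valid via mod_php');
    $check(!credentials_valid(extract_basic_credentials(['HTTP_AUTHORIZATION' => $bad])), 'wrong password rejected');
    $check(extract_basic_credentials([]) === null, 'no header -> null');
    $check(extract_basic_credentials(['HTTP_AUTHORIZATION' => 'Bearer xyz']) === null, 'non-Basic scheme rejected');
    $check(extract_basic_credentials(['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('u:p:q')]) === ['u', 'p:q'], 'colon in password kept');
    echo "basic-auth checks passed\n";
}
```

HTTPS keeps the base64-encoded credentials from being read on the wire, but it does nothing for the check itself, which is why the comparison is constant-time, the password is verified against a hash, and malformed or non-Basic headers are rejected before any decoding; an unlinked URL is not an access control and is not relied on here.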
