HTTP authentication: installing protection on a page using MySQL and PHP

The header() function can be used to send an "Authentication Required" message to the browser, forcing it to display a prompt for a login and password. Once the user fills in the login and password, the URL containing the PHP script is requested again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW and AUTH_TYPE set to the login, the password and the authentication type respectively. These predefined variables are available in the $_SERVER and $HTTP_SERVER_VARS arrays. Both "Basic" and "Digest" (since PHP 5.1.0) authentication types are supported. See the header() function for more details.

An example of a script fragment that forces the client to log in to view the page:

Example #1 Basic HTTP Authentication Example

Example #2 Digest HTTP Authentication Example

This is an example implementation of a simple Digest HTTP authentication script. For details, see » RFC 2617.

Note: Compatibility note

Be especially careful when constructing the HTTP headers. For maximum compatibility with the widest range of clients, the word "Basic" must be written with a capital "B", the realm must be enclosed in double (not single!) quotes, and exactly one space must precede the code 401 in the HTTP/1.0 401 status line. Authentication parameters must be separated by commas, as shown in the Digest authentication example above.

Instead of simply printing the PHP_AUTH_USER and PHP_AUTH_PW variables, you will usually want to check that they are correct. To do this, look the user up with a database query or in a dbm file.

Internet Explorer deserves a mention here: it is very picky about the parameters of the transmitted headers. Sending the WWW-Authenticate header before the HTTP/1.0 401 status line works around this, at least so far.

As of PHP 4.3.0, to prevent someone from writing a script that reveals the password of a page that uses external authentication, the PHP_AUTH variables are not set when the page uses external authentication and safe mode is enabled. However, the REMOTE_USER variable can be used to identify the externally authenticated user, so $_SERVER["REMOTE_USER"] is always available.

Note: Configuration note

PHP uses the AuthType directive to determine whether external authentication is in use.

Note that none of the above prevents someone who controls unprotected pages on the same server from stealing the passwords of pages that require authentication.

Both Netscape Navigator and Internet Explorer clear the current window's authentication cache for a given realm when they receive a 401 status from the server. This can be used to force the user to log out and to re-display the username and password dialog box. Some developers use this to time-limit logins or to provide a logout button.

Example #8 Example of HTTP authentication with forced entry of a new login/password pair

This behavior is not required by the HTTP Basic authentication standard, so you should not depend on it. Testing with the Lynx browser showed that Lynx does not clear the authorization cache on receiving a 401 status from the server; pressing "Back" and then "Forward" re-opens such a page, provided that the required credentials have not changed. The user can, however, press the "_" key to clear the authentication cache.

It should also be noted that prior to PHP 4.3.3, HTTP authentication did not work on Microsoft IIS servers when PHP was installed as a CGI module, due to IIS limitations. For it to work in PHP 4.3.3+, edit the IIS setting called "Directory Security": click "Edit" and check "Anonymous Access" only, leaving all other fields unchecked.

Another limitation when using IIS via ISAPI with PHP 4: the PHP_AUTH_* variables are not set, but the HTTP_AUTHORIZATION variable is available. Example code you could use (the limit of 2 on explode() keeps a password that itself contains a colon intact): list($user, $pw) = explode(":", base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6)), 2);

Note: Note regarding IIS:
In order for HTTP authentication to work correctly in IIS, in the PHP configuration the cgi.rfc2616_headers option must be set to 0 (default value).

Note:

If safe mode is enabled, the UID of the current script is appended to the realm part of the WWW-Authenticate header.
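The following is an added example, not code from the PHP manual or from the tutorial quoted on this page. It ties together three points made above: checking the Basic credentials against a MySQL table instead of printing them, the forced-logout trick of answering 401 again, and the IIS/ISAPI fallback of parsing HTTP_AUTHORIZATION when PHP_AUTH_USER is absent. It assumes a `bez_reg` table with `login`, `pass` and `status` columns and, as a deliberate departure from the tutorial's 32-character MD5, that `pass` holds a password_hash() value (so the column would be varchar(255)); the PDO connection string is a placeholder.

```php
<?php
// Added example: HTTP Basic authentication checked against MySQL,
// with forced logout and the IIS/ISAPI HTTP_AUTHORIZATION fallback.
declare(strict_types=1);

function readBasicCredentials(array $server): ?array
{
    // Normal case: PHP populated the predefined variables.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // IIS/ISAPI case: only the raw Authorization header is available.
    // Check the scheme and split on the FIRST colon only, because the
    // password part may itself contain colons.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pw] = explode(':', $decoded, 2);
    return [$user, $pw];
}

function requireAuth(string $realm): void
{
    // Header shape from the compatibility note: capital "B", realm in
    // double quotes, one space before 401. WWW-Authenticate goes first
    // for the Internet Explorer quirk mentioned above.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

function verifyUser(PDO $pdo, string $login, string $password): bool
{
    // Prepared statement: the login comes straight from the client.
    $stmt = $pdo->prepare('SELECT pass FROM bez_reg WHERE login = ? AND status = 1');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time; assumed hash format
    // is password_hash(), not the tutorial's salted MD5.
    return $hash !== false && password_verify($password, (string) $hash);
}

$realm = 'Restricted area';

// Forced logout: answering 401 again makes browsers that honour this
// behaviour drop their cached credentials for the realm.
if (isset($_GET['logout'])) {
    requireAuth($realm);
}

$creds = readBasicCredentials($_SERVER);
if ($creds === null) {
    requireAuth($realm);
}
[$login, $password] = $creds;

// Placeholder DSN and credentials; replace with your own CONFIG.PHP values.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (!verifyUser($pdo, $login, $password)) {
    requireAuth($realm);
}

echo 'Welcome, ' . htmlspecialchars($login, ENT_QUOTES, 'UTF-8');
```

Two design notes: the lookup only accepts rows with `status = 1`, so an account that has not completed e-mail activation cannot log in even with the right password; and the script never echoes PHP_AUTH_PW or the decoded header, which is the point of the "check, don't display" advice above. As the manual notes, the forced logout depends on browser behaviour and is not guaranteed by the standard.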

Good day, friends! Let's look at user registration in PHP. First, let's define the requirements for our user registration:

  • The password is hashed with the MD5 algorithm
  • The password is salted
  • We check whether the login is already taken
  • The user activates the account via an e-mail link
  • Data is recorded and stored in the MySQL DBMS

To write this script, we need to understand what user registration is. Registration means obtaining real data from the user, processing it and storing it.

In simple terms, registration is just recording and storing the data by which we can later authorize the user; in our case that is a login and a password.

Authorization is granting a particular person or group of persons the right to perform certain actions, together with the process of verifying those rights when the actions are attempted. Simply put, authorization lets us restrict access to certain content on our website.

Let's look at the directory structure of the scripts that implement our registration with authorization. We need to split the scripts into logical components. The registration and authorization modules go in a separate directory. The MySQL database connection, the file with user functions, the CSS stylesheet and our HTML template are also placed in their own directories. This structure lets you navigate the scripts quickly: imagine a large website with a pile of modules where nothing is ordered; finding anything in such a mess would be very difficult.

Since we will store all the data in the MySQL DBMS, let's create a small table in which we will store registration data.

First you need to create a table in the database. Let's call the table bez_reg where bez is the table prefix, and reg is the name of the table.

Table structure: bez_reg

--
-- Table structure `bez_reg`
--
CREATE TABLE IF NOT EXISTS `bez_reg` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `login` varchar(200) NOT NULL,
  `pass` varchar(32) NOT NULL,
  `salt` varchar(32) NOT NULL,
  `active_hex` varchar(32) NOT NULL,
  `status` int(1) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1;

Now let's create the main scripts for further work.

File INDEX.PHP
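The following is an added example of the registration steps listed above against the `bez_reg` table; it is not the tutorial's own INDEX.PHP or CONFIG.PHP, which are not reproduced on this page. Two assumptions differ from the tutorial and are labelled in the code: passwords are stored with password_hash() (which embeds its own salt) instead of salted MD5, so `pass` is assumed widened to varchar(255) and the `salt` column is left empty; and the activation e-mail address is taken from a form field named `email`, which the table does not store. Function names, the PDO connection string and the activation URL are placeholders.

```php
<?php
// Added example: registration with login-uniqueness check, activation
// token and MySQL storage, following the step list above.
declare(strict_types=1);

function validateLogin(string $login): bool
{
    // Keep the login to a conservative character set before it reaches
    // the database or the e-mail template.
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $login);
}

function loginTaken(PDO $pdo, string $login): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM bez_reg WHERE login = ?');
    $stmt->execute([$login]);
    return $stmt->fetchColumn() !== false;
}

function registerUser(PDO $pdo, string $login, string $password): string
{
    if (!validateLogin($login)) {
        throw new InvalidArgumentException('login has unexpected characters');
    }
    if (strlen($password) < 8) {
        throw new InvalidArgumentException('password too short');
    }
    if (loginTaken($pdo, $login)) {
        throw new RuntimeException('login already taken');
    }
    // 16 random bytes -> 32 hex characters, which fits active_hex varchar(32).
    $activeHex = bin2hex(random_bytes(16));
    // Assumption: password_hash() instead of the tutorial's salted MD5,
    // so `pass` must be varchar(255); the `salt` column stays empty.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO bez_reg (login, pass, salt, active_hex, status) VALUES (?, ?, ?, ?, 0)'
    );
    $stmt->execute([$login, $hash, '', $activeHex]);
    return $activeHex;
}

function activateUser(PDO $pdo, string $login, string $activeHex): bool
{
    // Flips status only when the token matches and the account is still pending,
    // so a used or guessed link cannot re-activate or alter anything else.
    $stmt = $pdo->prepare(
        'UPDATE bez_reg SET status = 1 WHERE login = ? AND active_hex = ? AND status = 0'
    );
    $stmt->execute([$login, $activeHex]);
    return $stmt->rowCount() === 1;
}

// Placeholder DSN and credentials; in the tutorial these live in CONFIG.PHP.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (($_GET['mode'] ?? '') === 'activate') {
    $ok = activateUser($pdo, (string) ($_GET['login'] ?? ''), (string) ($_GET['key'] ?? ''));
    echo $ok ? 'Account activated' : 'Invalid activation link';
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $login = (string) ($_POST['login'] ?? '');
        $token = registerUser($pdo, $login, (string) ($_POST['pass'] ?? ''));
        // Assumed activation URL; adjust to your module path.
        $link = 'https://example.com/reg/?mode=activate&login=' . rawurlencode($login)
              . '&key=' . $token;
        mail((string) ($_POST['email'] ?? ''), 'Activate your account', "Follow this link: $link");
        echo 'Check your e-mail to activate the account';
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

One caveat on the uniqueness check: a SELECT followed by an INSERT leaves a small window in which two requests can both pass loginTaken() for the same name. The table as shown has only a primary key on `id`; adding a UNIQUE index on `login` and treating a duplicate-key error from the INSERT as "already taken" closes that window.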

CONFIG.PHP file
