PHP basic auth example
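<?php
// Require HTTP Basic credentials; send a 401 challenge and stop if they are missing or wrong.
function require_auth() {
    $AUTH_USER = 'admin';
    $AUTH_PASS = 'admin';
    header('Cache-Control: no-cache, must-revalidate, max-age=0');
    // PHP fills these from the Authorization header; default to '' when they are absent.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $has_supplied_credentials = !(empty($user) && empty($pass));
    // hash_equals() is a strict, constant-time string comparison (no type juggling).
    $is_not_authenticated = (
        !$has_supplied_credentials ||
        !hash_equals($AUTH_USER, $user) ||
        !hash_equals($AUTH_PASS, $pass)
    );
    if ($is_not_authenticated) {
        header('HTTP/1.1 401 Authorization Required');
        header('WWW-Authenticate: Basic realm="Access denied"');
        exit;
    }
}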

@EvilFreelancer EvilFreelancer commented Sep 8, 2017

Nice solution, thanks!

@rrgarciach rrgarciach commented Nov 10, 2017

thanks! thumbs up!

@mathritter mathritter commented Feb 22, 2018

Give this man a cookie! Thumbs up!

@orhanbhr orhanbhr commented May 24, 2018

Thank you for your code :)

@iranwz iranwz commented Jun 30, 2018

Thank you <3

@infabo infabo commented Aug 1, 2018

does not work

@matryoshkababushka matryoshkababushka commented Aug 9, 2018

Appreciate that, works.

@bazuzu931 bazuzu931 commented Oct 24, 2018

thanks

@namcoder namcoder commented Jan 11, 2019

awesome

@CriptoCosmo CriptoCosmo commented Jan 14, 2019

Nice solution 👍

@Kaoschuks Kaoschuks commented Mar 10, 2019

Beautiful solution.
Can I have digest authentication ???

@Cozy19 Cozy19 commented Apr 26, 2019

Great! Thank you MAN!

@Pax125 Pax125 commented May 10, 2019

Thank you. This is testing if authentication is properly set.
What I need to know is how to set up $_SERVER['PHP_AUTH_USER'].
Do I just assign it a parameter: $_SERVER['PHP_AUTH_USER'] = $enteredvalue; ?

@PandCar PandCar commented Jun 30, 2019

function require_http_auth()
{
    /*
    # If CGI, then in .htaccess
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    */

    header('Cache-Control: no-cache, must-revalidate, max-age=0');

    // Under CGI, rebuild PHP_AUTH_USER / PHP_AUTH_PW from the forwarded Authorization header.
    if (! empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
        && preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $user_pass))
    {
        $str = (string) base64_decode($user_pass[1]);

        // Limit 2 keeps a password containing ':' intact; pad in case there is no ':' at all.
        list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = array_pad(explode(':', $str, 2), 2, '');
    }

    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    $has_supplied_credentials = !(empty($user) && empty($pass));

    // AUTH_USER and AUTH_PASS are constants expected to be defined by the calling code.
    // hash_equals() is a strict, constant-time string comparison.
    $is_not_authenticated = (
        ! $has_supplied_credentials
        || ! hash_equals(AUTH_USER, $user)
        || ! hash_equals(AUTH_PASS, $pass)
    );

    if ($is_not_authenticated)
    {
        header('HTTP/1.1 401 Authorization Required');
        header('WWW-Authenticate: Basic realm="Access denied"');
        exit;
    }
}

@rchrd2 rchrd2 (Owner, Author) commented Jul 1, 2019

@mathritter someone just gave me a cookie!

@sruthibc sruthibc commented Feb 5, 2020

Awesome. Thanks!

@cloudeweb cloudeweb commented Feb 14, 2021

Hi! Is it safe to protect a directory or URL by adding these precautions?

  • The URL/folder is hidden, not visible from outside
  • Connection is HTTPS

I hope there are no errors in my function.

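    public function require_auth()
    {
        /*
            RewriteEngine On
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        */

        $AUTH_USER = 'myUser';
        $AUTH_PASS = 'myPass';

        header('Cache-Control: no-cache, must-revalidate, max-age=0');

        // Under CGI, rebuild PHP_AUTH_USER / PHP_AUTH_PW from the forwarded Authorization header.
        // The regex matches go into $matches; writing them into $AUTH_PASS would overwrite
        // the expected password with an array and make every login fail.
        if (! empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
            && preg_match('/^Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches))
        {
            $str = (string) base64_decode($matches[1]);

            // Limit 2 keeps a password containing ':' intact; pad in case there is no ':' at all.
            list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = array_pad(explode(':', $str, 2), 2, '');
        }

        $user = $_SERVER['PHP_AUTH_USER'] ?? '';
        $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

        $has_supplied_credentials = !(empty($user) && empty($pass));

        // hash_equals() is a strict, constant-time string comparison.
        $is_not_authenticated = (
            !$has_supplied_credentials ||
            !hash_equals($AUTH_USER, $user) || !hash_equals($AUTH_PASS, $pass)
        );

        if ($is_not_authenticated) {
            header('HTTP/1.1 401 Authorization Required');
            header('WWW-Authenticate: Basic realm="Access denied"');
            exit;
        }
    }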

Thanks!
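
A hardened variant of the approach in this gist, as an added example that is not the gist author's or any commenter's code: it checks a stored password hash instead of a plaintext literal and reads the credentials from either `PHP_AUTH_*` or the forwarded `Authorization` header. The function names, the `$users` map and the demo account are assumptions.

```php
<?php
// Added example, not the gist's code. Function names and the demo account are assumptions.

// Return [user, password] from whichever variables the SAPI provides, or null.
function parse_basic_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'])) {           // mod_php fills these itself
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    // CGI/FastCGI: header passed through by the rewrite rule quoted in the comments
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);           // strict mode rejects malformed input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);                // limit 2: the password may contain ':'
}

// $users maps user name => password_hash() output; $dummyHash is any valid hash.
function check_credentials(?array $creds, array $users, string $dummyHash): bool {
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $known = array_key_exists($user, $users);
    // Verify against a dummy hash for unknown users so both paths do the same work.
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash);
    return $known && $ok;
}

function require_auth_hashed(array $users, string $dummyHash): void {
    header('Cache-Control: no-cache, must-revalidate, max-age=0');
    if (!check_credentials(parse_basic_credentials($_SERVER), $users, $dummyHash)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Restricted"');
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed values. In real use, generate the hash once and store only the hash.
    $hash  = password_hash('demo:pass', PASSWORD_DEFAULT);
    $users = ['admin' => $hash];
    $cgi   = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:demo:pass')];
    $wrong = ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'admin'];
    var_dump(check_credentials(parse_basic_credentials($cgi), $users, $hash));
    var_dump(check_credentials(parse_basic_credentials($wrong), $users, $hash));
}
```

Basic credentials are only base64-encoded on the wire, so the HTTPS precaution raised in the last comment still applies to this variant.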
