Example 9-4. Script generates an unauthorized response if credentials aren't in request
<?php
function authenticated($username, $password)
{
    // If either the username or the password are
    // not set, the user is not authenticated
    if (!isset($username) || !isset($password))
        return false;
    // If the username is the same as the password
    // then the user is authenticated (strict comparison,
    // so loosely "equal" strings such as "0" and "0.0"
    // are not accepted)
    if ($username === $password)
        return true;
    else
        return false;
}

// Main --------
// The original read the credentials from the globals
// $PHP_AUTH_USER and $PHP_AUTH_PW, which depended on
// register_globals; current PHP exposes them only through
// $_SERVER, and the keys are absent when no credentials
// were sent, hence the null defaults.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if (!authenticated($user, $pass))
{
    // No credentials found - send an unauthorized
    // challenge response
    header("WWW-Authenticate: Basic realm=\"Flat Foot\"");
    header("HTTP/1.0 401 Unauthorized");
    // Set up the body of the response that is
    // displayed if the user cancels the challenge
?>
<!DOCTYPE HTML PUBLIC
    "-//W3C//DTD HTML 4.0 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd" >
<html>
<head>
<title>Web Database Applications</title>
</head>
<body>
<h2>You need a username and password to
access this service</h2>
<p>If you have lost or forgotten your
password, tough!</p>
</body>
</html>
<?php
    exit;
}
// The response to authorized users
?>
<!DOCTYPE HTML PUBLIC
    "-//W3C//DTD HTML 4.0 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd" >
<html>
<head>
<title>Web Database Applications</title>
</head>
<body>
<h2>Welcome!</h2>
</body>
</html>
The authenticated() function returns false if either the $username or $password hasn't been set, or if the two values aren't the same. If the user credentials fail the test, you respond with the header field WWW-Authenticate with the encoding scheme Basic and the realm name Flat Foot. You can also set the response line to include the status code 401 Unauthorized. The PHP manual suggests sending the WWW-Authenticate header before the HTTP/1.0 401 Unauthorized header to avoid problems with some versions of Internet Explorer browsers.

The first time a browser requests this page, the script sends a challenge response containing the 401 Unauthorized header field. If the user cancels the authentication challenge, usually by clicking the cancel button in a dialog box that collects the credentials, the HTML encoded in the challenge response is displayed.
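The challenge exchange described above, written out as server-side logic in Python (an added example, not the book's PHP code): it builds and parses the browser's Authorization header, checks the credentials with a constant-time comparison, and otherwise issues the same 401 challenge with the realm Flat Foot. The USERS table and the function names are assumptions made for the illustration.

```python
import base64
import hmac

REALM = "Flat Foot"

# Constructed credential store (hypothetical): username -> password. A real
# deployment stores a salted hash and compares fixed-length digests instead.
USERS = {"flatfoot": "s3cret:with:colons"}

def encode_basic(username, password):
    """Client side of the exchange: the Authorization value the browser sends."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_authorization(header_value):
    """Return (username, password) from 'Basic <base64>', or None if absent/malformed."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # The user-id cannot contain ':' but the password may, so split only once.
    if ":" not in raw:
        return None
    username, password = raw.split(":", 1)
    return username, password

def authenticated(username, password):
    """Server-side credential test; compare_digest avoids early-exit timing leaks."""
    expected = USERS.get(username, "")
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))

def handle_request(request_headers):
    """Mirror of Example 9-4's flow: returns (status, response headers, body)."""
    creds = parse_basic_authorization(request_headers.get("Authorization"))
    if creds is None or not authenticated(*creds):
        # Challenge header first, then the 401 status, as the PHP example orders them.
        return (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM},
                "You need a username and password to access this service")
    return (200, {}, "Welcome!")
```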