Basic Authentication with PHP
(October 2006)
This page presents a basic authentication mechanism using PHP and sessions. The following sections show the details of each PHP file.
Example of this (user: david, password: 12345)
For our authentication mechanism, the first PHP block of the page (the $allowed_users assignment and the require of include/authentication.php) is absolutely necessary.
<?php
$allowed_users = array('all_but_anonymous');
require('include/authentication.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
...
<body>
...
<?php
require('include/auth_display.php');
if ('anonymous' == $user) {
    require('include/authentication_form.html');
}
if ($role == 'author') {
    // specific code or display here...
    ...
}
?>
...
</body>
</html>
All other pages for which access is controlled must start with:
<?php
$allowed_users = array('all_but_anonymous'); // or array('david', 'amanda');
require('include/authentication.php');
?>
This is the part which controls the access. Because it is PHP code, static HTML pages cannot be protected with this mechanism. The file include/authentication.php follows.
<?php
session_start();
$user = 'anonymous';
$role = FALSE;

function check_user($user, $md5p) {
    $base_file = 's/all';
    if (!file_exists($base_file)) return FALSE;
    $base = file($base_file);
    foreach ($base as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] == '#') continue; // skip blank and comment lines
        $parts = explode(':', $line, 3);               // split() was removed in PHP 7
        if (count($parts) != 3) continue;              // malformed line
        list($u, $p, $role) = $parts;
        $role = trim($role); // reader or author
        // strict comparison: == would compare two numeric-looking strings as numbers
        if ($u === $user && $p === $md5p) return $role;
    }
    return FALSE;
}

if (isset($_POST['user'])) {
    $user = $_POST['user'];
    $passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';
    $md5p = md5($passwd);
    // check if this user is correct
    $role = check_user($user, $md5p);
    if ($role !== FALSE) {
        // session
        $_SESSION['s_user'] = $user;
        $_SESSION['s_role'] = $role;
        // cookie
        if (isset($_POST['remember_me']) && $_POST['remember_me'] == 1) {
            setcookie('user', $user, time() + 2592000); // 30 days
            setcookie('passwd', $md5p, time() + 2592000); // 30 days
        }
        // nothing else to do: continue with the current page
    } else {
?>
<html>
<body>incorrect. please try again.<br/>
<?php include('include/authentication_form.html'); ?>
</body>
</html>
<?php exit;
    }
    // end of POST
} elseif (isset($_GET['disconnect']) && $_GET['disconnect'] == 'true') {
    $_SESSION = array();
    session_destroy();
    // drop the "remember me" cookies too, otherwise the next request logs the user back in
    setcookie('user', '', time() - 3600);
    setcookie('passwd', '', time() - 3600);
} elseif (isset($_SESSION['s_user'])) {
    $user = $_SESSION['s_user'];
    $role = $_SESSION['s_role'];
} else {
    // look in the cookies
    if (isset($_COOKIE['user']) && isset($_COOKIE['passwd'])) {
        $role = check_user($_COOKIE['user'], $_COOKIE['passwd']);
        if ($role !== FALSE) {
            // OK
            $user = $_COOKIE['user'];
            $_SESSION['s_user'] = $user;
            $_SESSION['s_role'] = $role;
        }
    }
}
// check if the current page is allowed for the user
if (!isset($allowed_users)) $allowed_users = array();
if (in_array($user, $allowed_users, true) ||
    (in_array('all_but_anonymous', $allowed_users, true) && $user != 'anonymous')) {
    // do nothing
    // continue with the current page
} else {
?>
<html>
<body>
<?php include('include/auth_display.php'); ?>
You are not allowed to view this page.<br/>
Please log in.<br/>
<?php include('include/authentication_form.html'); ?>
</body>
</html>
<?php exit;
}
?>
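The include above keeps the login state in the session but also, when "remember me" is ticked, stores the user name and the md5 of the password in plain cookies, compares unsalted md5 digests, and never rotates the session id. As an added example (not the page's own include), the following is a hardened variant of include/authentication.php that keeps the same page contract ($allowed_users in, $user and $role out). It assumes PHP 7.3 or later, a credential file in the same user:hash:role layout but holding password_hash() output instead of md5, a file location outside the document root (the path is a placeholder), and a long random $secret loaded from configuration (placeholder below). The "remember me" cookie becomes a signed token instead of a password hash, and logging out clears it.

```php
<?php
// Added example, not the original page's include: a hardened variant of
// include/authentication.php with the same page contract ($allowed_users in,
// $user and $role out). Assumptions: PHP 7.3+, a credential file in the
// page's user:hash:role layout but holding password_hash() output, and a
// long random $secret loaded from configuration (placeholder below).

declare(strict_types=1);

define('CRED_FILE', '/var/www/private/s/all');   // assumed path, outside the document root
define('COOKIE_TTL', 30 * 24 * 3600);           // 30 days, as on the page
$secret = 'PLACEHOLDER-replace-with-32-random-bytes-from-config';

// Find $user in the credential file; '#' lines are comments.
function find_user(string $user): ?array {
    if (!is_readable(CRED_FILE)) return null;
    foreach (file(CRED_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        $parts = explode(':', $line, 3);
        if (count($parts) === 3 && $parts[0] === $user) {
            return ['hash' => $parts[1], 'role' => trim($parts[2])];
        }
    }
    return null;
}

// Password check with a salted, slow hash instead of a bare md5 comparison.
function check_user(string $user, string $password): ?array {
    $entry = find_user($user);
    return ($entry !== null && password_verify($password, $entry['hash'])) ? $entry : null;
}

// "Remember me" token: user|expiry|HMAC. The HMAC covers the stored hash, so
// changing the password invalidates old tokens, and the cookie never carries
// a password or a password hash.
function remember_token(string $user, int $expires, string $hash, string $secret): string {
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload . '|' . $hash, $secret);
}

// Returns the user's entry (plus 'user') if the token is intact and unexpired.
function verify_remember_token(string $token, string $secret): ?array {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return null;
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int)$expires < time()) return null;
    $entry = find_user($user);
    if ($entry === null) return null;
    $expected = hash_hmac('sha256', $user . '|' . $expires . '|' . $entry['hash'], $secret);
    return hash_equals($expected, $mac) ? ['user' => $user] + $entry : null;
}

session_start();
$user = 'anonymous';
$role = false;
$cookie_opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

if (isset($_POST['user'], $_POST['passwd'])) {
    $entry = check_user((string)$_POST['user'], (string)$_POST['passwd']);
    if ($entry === null) {
        http_response_code(401);
        echo 'incorrect. please try again.<br/>';
        require __DIR__ . '/authentication_form.html';   // the page's own form file
        exit;
    }
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['s_user'] = $user = (string)$_POST['user'];
    $_SESSION['s_role'] = $role = $entry['role'];
    if (!empty($_POST['remember_me'])) {
        $exp = time() + COOKIE_TTL;
        setcookie('remember', remember_token($user, $exp, $entry['hash'], $secret),
                  ['expires' => $exp] + $cookie_opts);
    }
} elseif (($_GET['disconnect'] ?? '') === 'true') {
    $_SESSION = [];
    session_destroy();
    setcookie('remember', '', ['expires' => time() - 3600] + $cookie_opts);   // drop the token too
} elseif (isset($_SESSION['s_user'])) {
    $user = $_SESSION['s_user'];
    $role = $_SESSION['s_role'];
} elseif (isset($_COOKIE['remember'])) {
    $entry = verify_remember_token((string)$_COOKIE['remember'], $secret);
    if ($entry !== null) {
        session_regenerate_id(true);
        $_SESSION['s_user'] = $user = $entry['user'];
        $_SESSION['s_role'] = $role = $entry['role'];
    }
}

// Same page rule as the original: listed users, or anyone logged in when
// 'all_but_anonymous' is present.
$allowed_users = $allowed_users ?? [];
$allowed = in_array($user, $allowed_users, true)
    || (in_array('all_but_anonymous', $allowed_users, true) && $user !== 'anonymous');
if (!$allowed) {
    http_response_code(403);
    echo 'You are not allowed to view this page.<br/>Please log in.<br/>';
    require __DIR__ . '/authentication_form.html';
    exit;
}
```

Pages use this file exactly as on the original page (set $allowed_users, then require it). Removing a user's line from the credential file, or changing the hash, invalidates that user's remember-me tokens on the next request because verify_remember_token recomputes the HMAC over the stored hash.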
This is include/authentication_form.html, the login form included by the pages above.
<form method="post">
<table><tr><td align="right">
user : </td><td><input name="user" type="text"/><br/>
</td></tr><tr><td align="right">
password : </td><td><input name="passwd" type="password"/><br/>
</td></tr></table>
<input type="checkbox" value="1" name="remember_me" id="remember_me" />
<label for="remember_me">Remember me next time (use of cookies)</label><br/>
<input type="submit" value="Validate"/>
</form>
This file (s/all, the user base read by check_user) has to be created manually, and the 's' directory has to be forbidden with a .htaccess file.
# user : md5 password : role (author or reader)
john:f226aaa17379cbe49f3eae6a59da02d3:author
david:827ccb0eea8a706c4c34a16891f84e7b:author
amanda:3eb883e9b7478e5dba99757849b1843f:author
family:529bf951b3425238bd4befce11055026:reader
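The user base is edited by hand on the original page. As an added example (not the page's code), the following command-line script maintains a file in the same user:hash:role layout, keeping '#' comment lines and other users' entries, but writes password_hash() output instead of an md5 digest, rejects user names that would break the colon-separated format, writes the file atomically and leaves it readable only by its owner. The script name, the minimum password length and the role list (author, reader, as named on the page) are assumptions.

```php
<?php
// Added example, not from the original page: add or update one entry of a
// credential file in the page's user:hash:role layout. Assumed usage:
//   php adduser.php <file> <user> <role>
// The password is read from stdin so it does not end up in shell history.

declare(strict_types=1);

const ROLES = ['author', 'reader'];   // roles named on the page
const MIN_PASSWORD_LENGTH = 8;        // assumed policy

// Build the line for $user, or null if user name, role or password is unacceptable.
function make_entry(string $user, string $password, string $role): ?string {
    // ':' would break the format, a leading '#' would turn the line into a comment
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $user)) return null;
    if (!in_array($role, ROLES, true)) return null;
    if (strlen($password) < MIN_PASSWORD_LENGTH) return null;
    return $user . ':' . password_hash($password, PASSWORD_DEFAULT) . ':' . $role;
}

// Insert or replace $user's line in the file contents; comments and other users are kept.
function upsert(string $contents, string $entry): string {
    $user = explode(':', $entry, 2)[0];
    $out = [];
    $replaced = false;
    foreach (preg_split('/\r?\n/', rtrim($contents, "\r\n")) as $line) {
        $line = trim($line);
        if ($line === '') continue;
        if ($line[0] !== '#' && explode(':', $line, 2)[0] === $user) {
            $out[] = $entry;
            $replaced = true;
        } else {
            $out[] = $line;
        }
    }
    if (!$replaced) $out[] = $entry;
    return implode("\n", $out) . "\n";
}

// Check a password against one entry line, e.g. when testing a fresh file.
function check_entry(string $line, string $password): bool {
    $parts = explode(':', trim($line), 3);
    return count($parts) === 3 && password_verify($password, $parts[1]);
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    if ($argc !== 4) {
        fwrite(STDERR, "usage: php adduser.php <file> <user> <role>\n");
        exit(2);
    }
    [, $file, $user, $role] = $argv;
    fwrite(STDERR, "password: ");
    $password = rtrim((string)fgets(STDIN), "\r\n");
    $entry = make_entry($user, $password, $role);
    if ($entry === null) {
        fwrite(STDERR, "invalid user name, role or password\n");
        exit(1);
    }
    $contents = file_exists($file)
        ? (string)file_get_contents($file)
        : "# user : password hash : role (author or reader)\n";
    $tmp = $file . '.tmp';
    file_put_contents($tmp, upsert($contents, $entry), LOCK_EX);
    chmod($tmp, 0600);        // readable by the owner (the web server user) only
    rename($tmp, $file);      // atomic replacement, no half-written file is ever read
    echo "updated $user ($role)\n";
}
```

Because the hash column then holds password_hash() output rather than md5, the page's check_user has to compare with password_verify() instead of an md5 string comparison; the file layout and the role values stay the same.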
This is include/auth_display.php, which shows who is currently logged in.
<?php
// escape the user name before echoing it into HTML
$safe_user = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
if ('anonymous' == $user) echo "You are identified as <b>anonymous</b>.";
else {
    echo "You are identified as <b>$safe_user</b>";
    echo " (<a href=\"?disconnect=true\">Log out</a>).";
}
echo "<br>\n";
?>