11.07.2015 Views

PHP MySQL - Stilson.net


CHAPTER 14 • AUTHENTICATING YOUR USERS

content. In a moment, I’ll show you how to generate these username/password pairs using the command-line, meaning you won’t actually edit the .htpasswd file; however, as a reference, the typical .htpasswd file looks like this:

    admin:TcmvAdAHiM7UY
    client:f.i9PC3.AtcXE

Each line contains a username and password pair, with the password encrypted to prevent prying eyes from potentially obtaining the entire identity. When the user supplies a password, Apache will encrypt the provided password using the same algorithm originally used to encrypt the password stored in the .htpasswd file, comparing the two for equality.

If you plan on only restricting a single directory (and therefore all of its subdirectories), I suggest managing the .htaccess and .htpasswd files within the same directory; otherwise, if you’d like to restrict several different directories, you can use a consolidated .htpasswd file and point to its location by modifying the /path/to accordingly.

To generate the username and password, open a terminal window and execute the following command:

    %>htpasswd -c .htpasswd client

After executing this command, you’ll be prompted to create and confirm a password which will be associated with the user named client. Once complete, if you examine the contents of the .htpasswd file, you’ll see a line which looks similar to the second line of the sample .htpasswd file shown above. You can subsequently create additional accounts by executing the same command but omitting the -c option (which tells htpasswd to create a new .htpasswd file).

Once your .htaccess and .htpasswd files are in place, try navigating to the newly restricted directory from your browser. If everything is properly configured, you’ll be greeted with an authentication window similar to that in Figure 14-1.

Authenticating Your Users with PHP

The remainder of this chapter examines PHP’s built-in authentication feature and demonstrates several authentication methodologies that you can immediately begin incorporating into your applications.

PHP’s Authentication Variables

PHP uses two predefined variables to authenticate a user: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These variables store the username and password values, respectively. While authenticating is as simple as comparing the expected username and password to these variables, there are two important caveats to keep in mind when using these predefined variables:

• Both variables must be verified at the start of every restricted page. You can easily accomplish this by authenticating the user prior to performing any other action on the restricted page, which typically means placing the authentication code in a separate file and then including that file in the restricted page using the require() function.
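
The first caveat above, as an added example that is not code from the book: a separate authentication file that every restricted page pulls in with require() before doing anything else. The file name authenticate.php, the realm string, the sample account and the credentials_valid() helper are assumptions constructed for illustration.

```php
<?php
// authenticate.php (hypothetical name). Each restricted page starts with:
//     require 'authenticate.php';
// so this check runs before the page does anything else.

// Constructed sample account. In practice, generate the hash once with
// password_hash() and load it from storage outside the web root.
$accounts = [
    'client' => password_hash('example-password', PASSWORD_DEFAULT),
];

// Hash that matches no real password; verified against when the username is
// unknown so that both outcomes cost one password_verify() call.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function credentials_valid(array $accounts, string $dummyHash, ?string $user, ?string $pw): bool
{
    if ($user === null || $pw === null) {
        return false;               // browser has not sent credentials yet
    }
    $known = array_key_exists($user, $accounts);
    $match = password_verify($pw, $known ? $accounts[$user] : $dummyHash);
    return $known && $match;
}

// PHP fills these in from the Authorization header of a Basic auth request.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pw   = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentials_valid($accounts, $dummyHash, $user, $pw)) {
    // Ask the browser to show its login dialog, then stop: without exit the
    // rest of the restricted page would still be sent with the 401.
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    echo 'Authentication required.';
    exit;
}
// Execution reaches the including page only for a verified user.
```

Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so restricted pages using this check should be served over HTTPS only.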
