Authenticating Your Users

BY
SANA MATEEN

HTTP Authentication Concepts

The HTTP protocol offers a fairly effective means for user authentication, with a typical
authentication scenario proceeding like this:
1. The client requests a restricted resource.
2. The server responds to this request with a 401 (Unauthorized access) response message.
3. The browser recognizes the 401 response and produces a pop-up authentication
prompt . All modern browsers are capable of understanding HTTP authentication
and offering appropriate capabilities, including Internet Explorer, Netscape
Navigator, Mozilla Firefox, and Opera.
4. The user-supplied credentials (typically a username and password) are sent back to the
server for validation. If the user supplies correct credentials, access is granted; otherwise
its denied.
5. If the user is validated, the browser stores the authentication information within its
cache. This cache information remains within the browser until the cache is
cleared, or until another 401 server response is sent to the browser.

Limitation

Although HTTP authentication effectively controls access to restricted resources, it

does not secure the channel in which the authentication credentials travel.
That is, it is possible for a well-positioned attacker to sniff, or monitor, all traffic
taking place between a server and a client, and within this traffic are the
unencrypted username and password.
To eliminate the possibility of compromise through such a method, you need to
implement a secure communications channel, typically accomplished using Secure
Sockets Layer (SSL).
SSL support is available for all mainstream web servers, including Apache and
Microsoft Internet Information Server (IIS).

Using Apaches .htaccess Feature

Blanket access control
The simplest form of access control is to authorize certain users for either read-only access to a
repository or read/write access to a repository.
Youll take advantage of this feature by creating a file named .htaccess and storing it within the
directory youd like to protect. Therefore, if youd like to restrict access to an entire website, place
this file within your sites root directory.
In its simplest format, the .htaccess files contents look like this:
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "My Files"
Require valid-user
Replace /path/to with the path that points to another requisite file named .htpasswd.
This file contains the username and password which the user must supply in order to access the
restricted content.
However, as a reference, the typical .htpasswd file looks like this:
admin:TcmvAdAHiM7UY
client:f.i9PC3.AtcXE
Each line contains a username and password pair, with the password encrypted to prevent prying
eyes from potentially obtaining the entire identity.
When the user supplies a password, Apache will encrypt the provided password using the same
algorithm originally used to encrypt the password stored in the .htpasswd file, comparing the two
for equality.

Authenticating Your Users with PHP

PHPs Authentication Variables

PHP uses two predefined variables to authenticate a user:
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These
variables store the username and password values, respectively.
While authenticating is as simple as comparing the expected username and
password to these variables
Both variables must be verified at the start of every restricted page. You can easily
accomplish this by authenticating the user prior to performing any other action on
the restricted page, which typically means placing the authentication code in a
separate file and then including that file in the restricted page using the require()
function.
These variables do not function properly with the CGI version of PHP.
Useful Functions Two standard functions are commonly used when handling
authentication via PHP: header() and isset(). Both are introduced in this section.

Sending HTTP Headers with header()

The header() function sends a raw HTTP header to the browser. The header
parameter specifies the header information sent to the browser. Its prototype follows:
void header(string header [, boolean replace [, int http_response_code]])
The optional replace parameter determines whether this information should replace or
accompany a previously sent header. Finally, the optional http_response_code parameter
defines a specific response code that will accompany the header information.
Applied to user authentication, this function is useful for sending the WWW
authentication header to the browser, causing the pop-up authentication prompt to be
displayed.
It is also useful for sending the 401 header message to the user if incorrect
authentication credentials are submitted.

Determining if a Variable is Set with isset()

The isset() function determines whether a variable has been assigned a value. Its
prototype follows:
boolean isset(mixed var [, mixed var [,...]])
It returns TRUE if the variable contains a value and FALSE if it does not.
As applied to user authentication, the isset() function is useful for determining
whether the $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'] variables are properly set.

Hard-Coded Authentication

The simplest way to restrict resource access is by hard-coding the username and
password directly into the script.
In the example shown in next slide, if $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'] are equal to client and secret, respectively, the
code block will not execute, and anything ensuing that block will execute.
Otherwise, the user is prompted for the username and password until either the
proper information is provided or a 401 Unauthorized message is displayed due to
multiple authentication failures.
Drawbacks:
Foremost, all users requiring access to that resource must use the same
authentication pair
Second, changing the username or password can be done only by entering the
code and making the manual adjustment. The next two methodologies remove
these issues.