When addressing the need to authenticate a web page (and subsequent pages/resources), integrating user
authentication directly into the design of the web application logic is both convenient (in the sense that
additional layers of communication is unnecessary) and flexible (in the sense that it is easier to integrate
into other applications/scripts when contained in one location). PHP allows three types of authentication:
Hard-coded, file-based and database authentication.
Authentication Variables
Within PHP, there are two pre-defined variables that are used in the authentication of users:
• $_SERVER['PHP_AUTH_USER'] - This variable holds the username that is needed for
authentication.
• $_SERVER['PHP_AUTH_PW'] - This variable holds the password that is needed for
authentication.
Limitations of Authentication Variables
When using the predefined authentication variables, it is important to keep in mind the following
limitations:
• Both variables must be verified at the start of every page. This limitation can be overcome by
having each restricted page wrapped in authentication code (in a separate file) using the REQUIRE()
function.
• The functions do not work properly with the CGI version of PHP - When running PHP through a
web server, there are two distinct options: running it using PHP's CGI SAPI, or running it as a module
for the web server. The CGI version has the advantage of having the php.ini read every time a PHP
page is called up; thus allowing changes in the php.ini to take place immediately (not requiring a
restart of the web server). However, the fact that every time a PHP file is read, the php.ini has to be
read, set its settings and load all of its extensions prior to actually reading the script makes this choice
an unreasonable choice for production environments (may be appropriate in development because
changes made can be seen immediately).
• These functions do not work on Microsoft's IIS server - the username and password are assigned
to the $_SERVER['HTTP_AUTHENTICATION'] variable and must be parsed to obtain the separate
username and password
authentication directly into the design of the web application logic is both convenient (in the sense that
additional layers of communication is unnecessary) and flexible (in the sense that it is easier to integrate
into other applications/scripts when contained in one location). PHP allows three types of authentication:
Hard-coded, file-based and database authentication.
Authentication Variables
Within PHP, there are two pre-defined variables that are used in the authentication of users:
• $_SERVER['PHP_AUTH_USER'] - This variable holds the username that is needed for
authentication.
• $_SERVER['PHP_AUTH_PW'] - This variable holds the password that is needed for
authentication.
Limitations of Authentication Variables
When using the predefined authentication variables, it is important to keep in mind the following
limitations:
• Both variables must be verified at the start of every page. This limitation can be overcome by
having each restricted page wrapped in authentication code (in a separate file) using the REQUIRE()
function.
• The functions do not work properly with the CGI version of PHP - When running PHP through a
web server, there are two distinct options: running it using PHP's CGI SAPI, or running it as a module
for the web server. The CGI version has the advantage of having the php.ini read every time a PHP
page is called up; thus allowing changes in the php.ini to take place immediately (not requiring a
restart of the web server). However, the fact that every time a PHP file is read, the php.ini has to be
read, set its settings and load all of its extensions prior to actually reading the script makes this choice
an unreasonable choice for production environments (may be appropriate in development because
changes made can be seen immediately).
• These functions do not work on Microsoft's IIS server - the username and password are assigned
to the $_SERVER['HTTP_AUTHENTICATION'] variable and must be parsed to obtain the separate
username and password
Comments
Post a Comment