PHP implements two methods for user authentication

  • 2020-05-07 19:22:49
  • OfStack

When a visitor visits a protected page, the client browser pops up a dialog asking the user to enter a username and password to authenticate the user and determine whether the user has access to the page. Here are two ways to illustrate its implementation.
1. Use the HTTP header
A header is a string that the server sends to the browser over HTTP before the HTML message. HTTP uses a challenge/response scheme to authenticate users attempting to enter a password-protected area. Specifically, when the user first requests a protected area from the web server, the challenge process starts and the server returns a special 401 header indicating that the user is unauthenticated. On detecting this response, the client browser automatically pops up a dialog asking the user to enter a username and password. After the user completes the input and clicks OK, the identity information is sent to the server for verification. If the user enters a valid username and password, the web server allows the user into the protected area and keeps the identity valid throughout the visit. If instead the username or password fails authentication, the client browser keeps popping up the input window asking the user to try again. This continues until the user enters the correct information; you can also set a maximum number of attempts, beyond which the user's access request is automatically denied.
In a PHP script, the function header() sends the HTTP header directly to the client's browser, so that the username and password window pops up automatically on the client and provides our identity authentication. In PHP, the information entered by the client user is automatically saved in three global variables, $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE, after it is sent to the server. With these three variables, we can verify the user's identity against the account information saved in a data file or database.
However, it is important to note that the three variables $PHP_AUTH_USER, $PHP_AUTH_PW, and $PHP_AUTH_TYPE can only be used in PHP installed as a module. Validation cannot be implemented if the user is using PHP in CGI mode. The module installation method of PHP is attached after this section.
Now we use a MySQL database to store the user's identity. We need to look up the username and password of each account in the database and compare them with the $PHP_AUTH_USER and $PHP_AUTH_PW variables to decide whether the user is genuine.
First, create a database of user information in MySQL.
Database name XinXiKu, table name user. The table is defined as follows:
 
create table user( 
ID INT(4) NOT NULL AUTO_INCREMENT, 
name VARCHAR(8) NOT NULL, 
password CHAR(8) NOT NULL, 
PRIMARY KEY(ID) 
);

Description:
1. ID is a serial number, which is not zero and increases automatically, and is the primary key;
2. name is the user name and cannot be null;
3. password is the user's password and cannot be null;
The following is the user authentication file login.php
 
<?php
// Check whether the browser has sent a username yet
if (!isset($PHP_AUTH_USER))
{
    // No credentials yet: send the 401 challenge so the browser prompts for them
    header("WWW-Authenticate: Basic realm=\"Authentication function\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed, you have no right to share network resources!";
    exit();
}
/* Connect to database */
$db = mysql_connect("localhost", "root", "");
// Select database
mysql_select_db("XinXiKu", $db);
// Escape the client-supplied values before they are placed in the SQL string
$user = mysql_real_escape_string($PHP_AUTH_USER, $db);
$pw = mysql_real_escape_string($PHP_AUTH_PW, $db);
// Query for the existence of a user
$result = mysql_query("SELECT * FROM user WHERE name='$user' AND password='$pw'", $db);
if ($myrow = mysql_fetch_row($result))
{
    // The following are the relevant actions after successful authentication
    // ...
}
else
{
    // Authentication failed, the user is prompted to re-enter
    header("WWW-Authenticate: Basic realm=\"Authentication function\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed, you have no right to share network resources!";
    exit();
}
?>

Program description:
The program first checks whether the variable $PHP_AUTH_USER has been set. If it has not, authentication is still needed: the script sends an HTTP 401 header to tell the client browser that authentication is required, and the browser pops up an authentication window prompting the user for a username and password. Once they are entered, the script connects to the database and checks whether the username and password are correct. If they are, login is allowed and the related operations proceed; if not, the user is again asked to enter the username and password.
Description of functions:
1. isset(): used to determine whether a variable has been assigned. Returns true or false depending on whether the value of the variable exists.
2. header(): used to send a specific HTTP header. Note that when using the header() function, you must call it before any HTML or PHP code that produces actual output.
3. mysql_connect(): opens the MySQL server connection.
4. mysql_db_query(): sends the query string (query) to the MySQL database.
5. mysql_fetch_row(): returns the fields of a single row.
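A hardened form of the login.php check, as an added example that is not part of the original article: it reads the credentials from $_SERVER, binds the username in a prepared statement, and compares the password against a password_hash() value instead of a plaintext column. The in-memory SQLite database, the widened password column and the account alice are constructed assumptions so the script runs offline.

```php
<?php
// Added example (not the article's code). Table and column names follow the
// article; the in-memory SQLite database and the "alice" account are constructed.

// True only when $name exists and $password matches its stored hash.
function verify_credentials(PDO $db, string $name, string $password): bool
{
    // The bound placeholder keeps client input out of the SQL text.
    $stmt = $db->prepare('SELECT password FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();   // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

// Returns the authenticated name, or sends the 401 challenge and stops.
function require_basic_auth(PDO $db): string
{
    $name = $_SERVER['PHP_AUTH_USER'] ?? null;
    $password = $_SERVER['PHP_AUTH_PW'] ?? '';
    if (!is_string($name) || !verify_credentials($db, $name, $password)) {
        header('WWW-Authenticate: Basic realm="Authentication function"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication failed, you have no right to share network resources!';
        exit();
    }
    return $name;
}

// Constructed sample data: the column is widened because a hash needs more
// room than the CHAR(8) of the article's table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    name VARCHAR(8) NOT NULL,
    password VARCHAR(255) NOT NULL)');
$db->prepare('INSERT INTO user (name, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('sample-pass', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Offline check: right password, wrong password, input containing quotes.
    var_dump(verify_credentials($db, 'alice', 'sample-pass'));
    var_dump(verify_credentials($db, 'alice', 'wrong'));
    var_dump(verify_credentials($db, "alice' OR '1'='1", 'wrong'));
} else {
    $user = require_basic_auth($db);
    echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}
```

Basic authentication sends the password with every request in a reversible encoding, so a page protected this way should be served over HTTPS only.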
2. Implement server validation with a session
For pages that require authentication, Apache server authentication is best. However, the interface for Apache server authentication is not very friendly. Moreover, PHP in CGI mode and PHP under IIS cannot use Apache server authentication. In such cases we can use a session to carry the user's identity between pages for authentication purposes.
On the back end we again use the MySQL database above to store user information.
We first write a user login interface; the file name is login.php and the code is below:
 
<form action="login1.php" method="post">
Username: <input type="text" name="name"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>

login1.php processes the submitted form with the following code:
 
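<?php
$db = mysql_connect("localhost", "root", "");
mysql_select_db("XinXiKu", $db);
// Escape the submitted form values before they are placed in the SQL string
$name = mysql_real_escape_string($name, $db);
$pass = mysql_real_escape_string($pass, $db);
$result = mysql_query("SELECT * FROM user WHERE name='$name' AND password='$pass'", $db);
if ($myrow = mysql_fetch_row($result))
{
    // Register the user in the session
    session_start();
    session_register("user");
    // mysql_fetch_row() returns a numerically indexed row: ID, name, password
    $user = $myrow[1];
    // Authentication successful, perform the relevant operations
    // ...
}
else
{
    echo "Authentication failed, you have no right to share network resources!";
}
?>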

Note that in subsequent operations a user can bypass authentication by requesting http://domainname/next.php?user=username. Every subsequent page should therefore first check whether the variable is registered in the session: if it is, carry out the corresponding operation; otherwise treat the request as an illegal login. The relevant code is as follows:
 
<?php
session_start();
// Trust only a variable registered in the session, not one supplied in the URL
if (!session_is_registered("user"))
{
    echo "Authentication failed, illegal login!";
}
else
{
    // Logged in successfully, perform the relevant operations
    // ...
}
?>
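The same guard written against the $_SESSION array, as an added example that is not part of the original article: the identity is read only from server-side session data, so a user value in the query string has no effect, and the session ID is regenerated at login. The function names log_in() and current_user() and the sample values are assumptions made for this illustration.

```php
<?php
// Added example (not the article's code): a login guard that trusts only
// server-side session data. Function names and sample values are hypothetical.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // cookie not readable from page scripts
            'cookie_samesite' => 'Lax',
            'use_strict_mode' => true,   // refuse session IDs the server did not issue
        ]);
    }
}

// Call only after the username and password have been verified.
function log_in(string $name): void
{
    start_session();
    session_regenerate_id(true);   // fresh ID so a pre-login ID cannot be reused
    $_SESSION['user'] = $name;
}

// Returns the logged-in name, or null when the session holds none.
function current_user(): ?string
{
    start_session();
    $user = $_SESSION['user'] ?? null;
    return is_string($user) ? $user : null;
}

// Constructed request: the query string carries user=admin, as in the
// bypass URL described above, but nothing has been stored in the session.
$_GET['user'] = 'admin';
$before = current_user();   // guard result for the request parameter alone
log_in('alice');            // what login1.php would do after a successful check
$after = current_user();    // guard result once the session holds the identity
var_dump($before, $after);
```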

Appendix: installing PHP as a module
1. First download the file mod_php4-4.0.1-pl2. If yours is not PHP4, upgrade!
mod_php4.dll, mod_php4.conf, readme.txt
2. Copy the relevant files
Copy mod_php4.dll to the modules directory in the apache installation directory
Copy mod_php4.conf to the conf directory in the apache installation directory
Copy the msvcrt.dll file to the apache installation directory
Open the conf/srm.conf file and add this line to it:
Include conf/mod_php4.conf
Before doing this, remove all the settings for CGI mode from your httpd.conf, which look similar to the following:
ScriptAlias /php4/ "C:/php4/"
AddType application/x-httpd-php4 .php
AddType application/x-httpd-php4 .php3
AddType application/x-httpd-php4 .php4
Action application/x-httpd-php4 /php4/php.exe
Making PHP support more suffixes is no problem. The supplied configuration file mod_php4.conf already supports three suffixes, php, php3 and php4; if you want to support more, simply edit this file.
4. Test
Test with <? phpinfo(); ?>. You will see that Server API has a value of apache instead of cgi, and that there is information under HTTP Headers Information.
