Authentication methods
0 likes892 views
This document discusses different methods for authenticating users, including HTTP authentication, PHP authentication, and hard-coded authentication. HTTP authentication uses a 401 response to prompt for username and password, but does not encrypt the credentials. PHP authentication uses the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables to store and validate credentials. Hard-coded authentication checks credentials directly in the code, but has drawbacks like all users sharing the same credentials and difficulty changing them. The document also discusses using Apache .htaccess files and the header() and isset() PHP functions to implement authentication.
![Authenticating Your Users with PHP
• PHP’s Authentication Variables
• PHP uses two predefined variables to authenticate a user:
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These
variables store the username and password values, respectively.
• While authenticating is as simple as comparing the expected username and
password to these variables
• Both variables must be verified at the start of every restricted page. You can easily
accomplish this by authenticating the user prior to performing any other action on
the restricted page, which typically means placing the authentication code in a
separate file and then including that file in the restricted page using the require()
function.
• These variables do not function properly with the CGI version of PHP.
• Useful Functions Two standard functions are commonly used when handling
authentication via PHP: header() and isset(). Both are introduced in this section.](https://image.slidesharecdn.com/authenticationmethods-170705132409/85/Authentication-methods-6-320.jpg)
![Sending HTTP Headers with header()
• The header() function sends a raw HTTP header to the browser. The header
parameter specifies the header information sent to the browser. Its prototype follows:
• void header(string header [, boolean replace [, int http_response_code]])
• The optional replace parameter determines whether this information should replace or
accompany a previously sent header. Finally, the optional http_response_code parameter
defines a specific response code that will accompany the header information.
• Applied to user authentication, this function is useful for sending the WWW
authentication header to the browser, causing the pop-up authentication prompt to be
displayed.
• It is also useful for sending the 401 header message to the user if incorrect
authentication credentials are submitted.](https://image.slidesharecdn.com/authenticationmethods-170705132409/85/Authentication-methods-7-320.jpg)
![Determining if a Variable is Set with isset()
• The isset() function determines whether a variable has been assigned a value. Its
prototype follows:
• boolean isset(mixed var [, mixed var [,...]])
• It returns TRUE if the variable contains a value and FALSE if it does not.
• As applied to user authentication, the isset() function is useful for determining
whether the $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'] variables are properly set.](https://image.slidesharecdn.com/authenticationmethods-170705132409/85/Authentication-methods-8-320.jpg)
![Hard-Coded Authentication
• The simplest way to restrict resource access is by hard-coding the username and
password directly into the script.
• In the example shown in next slide, if $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'] are equal to client and secret, respectively, the code
block will not execute, and anything ensuing that block will execute.
• Otherwise, the user is prompted for the username and password until either the
proper information is provided or a 401 Unauthorized message is displayed due to
multiple authentication failures.
• Drawbacks:
• Foremost, all users requiring access to that resource must use the same
authentication pair
• Second, changing the username or password can be done only by entering the
code and making the manual adjustment. The next two methodologies remove
these issues.](https://image.slidesharecdn.com/authenticationmethods-170705132409/85/Authentication-methods-9-320.jpg)
Authentication methods
- 1. Authenticating Your Users BY SANA MATEEN
- 2. HTTPAuthentication Concepts • The HTTP protocol offers a fairly effective means for user authentication, with a typical authentication scenario proceeding like this: 1. The client requests a restricted resource. 2. The server responds to this request with a 401 (Unauthorized access) response message. 3. The browser recognizes the 401 response and produces a pop-up authentication prompt . All modern browsers are capable of understanding HTTP authentication and offering appropriate capabilities, including Internet Explorer, Netscape Navigator, Mozilla Firefox, and Opera. 4. The user-supplied credentials (typically a username and password) are sent back to the server for validation. If the user supplies correct credentials, access is granted; otherwise it’s denied. 5. If the user is validated, the browser stores the authentication information within its cache. This cache information remains within the browser until the cache is cleared, or until another 401 server response is sent to the browser.
- 3. Limitation • Although HTTP authentication effectively controls access to restricted resources, it does not secure the channel in which the authentication credentials travel. • That is, it is possible for a well-positioned attacker to sniff, or monitor, all traffic taking place between a server and a client, and within this traffic are the unencrypted username and password. • To eliminate the possibility of compromise through such a method, you need to implement a secure communications channel, typically accomplished using Secure Sockets Layer (SSL). • SSL support is available for all mainstream web servers, including Apache and Microsoft Internet Information Server (IIS).
- 4. Using Apache’s .htaccess Feature • Blanket access control • The simplest form of access control is to authorize certain users for either read-only access to a repository or read/write access to a repository. • You’ll take advantage of this feature by creating a file named .htaccess and storing it within the directory you’d like to protect. Therefore, if you’d like to restrict access to an entire website, place this file within your site’s root directory. • In its simplest format, the .htaccess file’s contents look like this: • AuthUserFile /path/to/.htpasswd • AuthType Basic • AuthName "My Files" • Require valid-user • Replace /path/to with the path that points to another requisite file named .htpasswd. • This file contains the username and password which the user must supply in order to access the restricted content. • However, as a reference, the typical .htpasswd file looks like this: • admin:TcmvAdAHiM7UY • client:f.i9PC3.AtcXE • Each line contains a username and password pair, with the password encrypted to prevent prying eyes from potentially obtaining the entire identity. • When the user supplies a password, Apache will encrypt the provided password using the same algorithm originally used to encrypt the password stored in the .htpasswd file, comparing the two for equality.
- 6. Authenticating Your Users with PHP • PHP’s Authentication Variables • PHP uses two predefined variables to authenticate a user: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These variables store the username and password values, respectively. • While authenticating is as simple as comparing the expected username and password to these variables • Both variables must be verified at the start of every restricted page. You can easily accomplish this by authenticating the user prior to performing any other action on the restricted page, which typically means placing the authentication code in a separate file and then including that file in the restricted page using the require() function. • These variables do not function properly with the CGI version of PHP. • Useful Functions Two standard functions are commonly used when handling authentication via PHP: header() and isset(). Both are introduced in this section.
- 7. Sending HTTP Headers with header() • The header() function sends a raw HTTP header to the browser. The header parameter specifies the header information sent to the browser. Its prototype follows: • void header(string header [, boolean replace [, int http_response_code]]) • The optional replace parameter determines whether this information should replace or accompany a previously sent header. Finally, the optional http_response_code parameter defines a specific response code that will accompany the header information. • Applied to user authentication, this function is useful for sending the WWW authentication header to the browser, causing the pop-up authentication prompt to be displayed. • It is also useful for sending the 401 header message to the user if incorrect authentication credentials are submitted.
- 8. Determining if a Variable is Set with isset() • The isset() function determines whether a variable has been assigned a value. Its prototype follows: • boolean isset(mixed var [, mixed var [,...]]) • It returns TRUE if the variable contains a value and FALSE if it does not. • As applied to user authentication, the isset() function is useful for determining whether the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables are properly set.
- 9. Hard-Coded Authentication • The simplest way to restrict resource access is by hard-coding the username and password directly into the script. • In the example shown in next slide, if $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are equal to client and secret, respectively, the code block will not execute, and anything ensuing that block will execute. • Otherwise, the user is prompted for the username and password until either the proper information is provided or a 401 Unauthorized message is displayed due to multiple authentication failures. • Drawbacks: • Foremost, all users requiring access to that resource must use the same authentication pair • Second, changing the username or password can be done only by entering the code and making the manual adjustment. The next two methodologies remove these issues.