How exactly does HTTP Authentication with PHP work?

2.4k views

I really don't get it. I don't understand how .htaccess, PHP and HTTP work together on the topic of HTTP authentication.

How can this be achieved: I have a folder where I want to prevent access by unauthorized people. In this folder I have images, for example, and if the user is authorized, the image should be displayed; if not, he should get the possibility to enter a username and password for this one request.

Do I need an .htaccess file that redirects to a PHP file, which checks and handles the authentication, sends appropriate headers and also outputs the requested file?

Or must I do something else? Am I to solve this completely differently?

3

There are 3 answers

0
Quentin On
  • You configure the server to perform authentication before passing the request on to PHP, or
  • You write PHP that checks the submitted credentials and returns suitable HTTP headers to request them if they are missing or wrong.

do i need an .htaccess file

Only if you use the first of the above approaches. Even then, you are usually better off putting the configuration in your main server config (it is more efficient).

that redirects to a php file

If you go with the second approach, you would generally include your authentication code at the top of each page that needs authenticating. (For a simple approach anyway; MVC approaches tend to have a more modular means of doing things.)
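Quentin's second approach, as an added example that is not part of the answer above and not code from any project: a PHP script that performs HTTP Basic authentication itself and then serves a single file from a directory outside the web root, which is what the question asks for. The paths `/var/www/private` and `/var/www/.htpasswd`, the realm name and the `file` query parameter are assumptions; the credential store is assumed to hold bcrypt lines of the form `user:$2y$...`.

```php
<?php
declare(strict_types=1);

// Added example (not code from the answer above). Approach two: PHP performs
// HTTP Basic authentication itself and then serves one file from a directory
// that is NOT under the document root, so the web server cannot hand it out
// without passing through this script. All paths below are assumptions.
const PRIVATE_DIR = '/var/www/private';   // assumed: image store outside the web root
const HTPASSWD    = '/var/www/.htpasswd'; // assumed: "user:$2y$..." bcrypt lines
const REALM       = 'Protected';

/** Produce a .htpasswd line in the bcrypt format that `htpasswd -B` also writes. */
function htpasswdLine(string $user, string $pass): string
{
    return $user . ':' . password_hash($pass, PASSWORD_BCRYPT);
}

/** Parse "user:hash" lines into an array; malformed lines are skipped. */
function loadHtpasswd(string $path): array
{
    $users = [];
    $lines = is_readable($path) ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines ?: [] as $line) {
        [$user, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($user !== '' && $hash !== '') {
            $users[$user] = $hash;
        }
    }
    return $users;
}

/**
 * Extract Basic credentials. PHP_AUTH_USER/PHP_AUTH_PW are only filled when PHP
 * runs as an Apache module; under CGI/FastCGI the raw Authorization header must be used.
 */
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [(string) $server['PHP_AUTH_USER'], (string) ($server['PHP_AUTH_PW'] ?? '')];
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/** Verify against the store; an unknown user still costs one bcrypt check so timing does not reveal valid names. */
function credentialsValid(array $users, string $user, string $pass): bool
{
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : '$2y$10$' . str_repeat('0', 53); // dummy hash, never matches
    return password_verify($pass, $hash) && $known;
}

/** Map a requested name to a real file inside PRIVATE_DIR; anything else yields null. */
function resolvePrivateFile(string $name): ?string
{
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . basename($name)); // basename() drops any directory part
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Ask the browser for credentials: 401 plus the WWW-Authenticate challenge. */
function requestAuth(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required.');
}

// ---- request handling (only when invoked through the web server) ----
if (PHP_SAPI !== 'cli') {
    $creds = basicCredentials($_SERVER);
    if ($creds === null || !credentialsValid(loadHtpasswd(HTPASSWD), $creds[0], $creds[1])) {
        requestAuth();
    }
    $file = resolvePrivateFile((string) ($_GET['file'] ?? ''));
    if ($file === null) {
        http_response_code(404);
        exit('Not found.');
    }
    header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
    header('Content-Length: ' . filesize($file));
    header('Cache-Control: private, no-store');
    readfile($file);
}
```

A request such as `/serve.php?file=photo.jpg` (script name assumed) either returns the image or the 401 challenge that makes the browser show its native login dialog. Entries for the store can be written with `htpasswdLine('alice', 'secret')`, or with Apache's own `htpasswd -B`. When PHP runs under CGI or FastCGI, Apache does not pass the Authorization header through by default; the usual fix is a rewrite rule in .htaccess that copies it into the environment (`RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`), which is why the script also reads `HTTP_AUTHORIZATION`. Basic credentials are only base64-encoded, so, as Sanne's answer also notes, this should run over HTTPS.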

0
Sanne On

You have a few options.

1 - Basic Authentication - When a user makes a request, Apache checks for an .htaccess file and, when basic auth is set, it returns a header for authentication (when no login info has been sent). The web browser reacts to that and shows a native login screen. This screen is very well supported by all browsers and password remember tools. After entering the credentials, the next requests send the credentials (unencrypted) each time, so Apache doesn't give the login screen each time. You can read more on it here

How to set it up, create .htaccess file:

AuthName "Protected"
AuthType Basic
AuthUserFile securepath/.htpasswd
Require user authuser

Create the .htpasswd at the command line:

$ adduser authuser
$ passwd authuser
$ htpasswd  -c securepath/.htpasswd  authuser

But many control panels have tools to set this up using an interface.

2 - Own system - You could write your own auth system where in your code you validate whether a user is authorised or not. You can build a login screen where the user, when granted access, gets a cookie that represents the user on your server. But the cookie itself is unencrypted and can be read by others.

The latter makes it easier to give users different passwords. And the password isn't sent each time, only the cookie.

For security I advise using SSL/HTTPS connection where everything is encrypted.

1
Samuel Cook On

You can restrict access to entire folders using Basic Authentication (which is probably the easiest to set up). It's fairly straightforward.

The first thing you need is your .htaccess file. This file needs to reside inside the folder that you want to restrict access to. For example /restrict/.htaccess

This .htaccess file needs to have

#set up basic authentication
AuthType Basic
#provide password verification file
AuthUserFile /PATH_TO_HTPASSWD_FILE/.htpasswd
#set user names as "require user *******"
require user my_username

Then in your .htpasswd file you verify your username/password like so:

my_username:$1$jeTmJQpY$gKrWlJqL6dCCSX62Hspfp0

Verification is done by "username:password" (colon separated), and the password can be stored in various ways (crypt, plain text, SHA1, MD5). In the above example I chose the password "password" and used crypt as the output.

It is highly recommended not to store the .htpasswd file inside the same directory.