
Creating a Secured Area Without Sessions


$_SERVER['PHP_AUTH_USER'] == 'Shelley' &&
     $_SERVER['PHP_AUTH_PW'] == 'TopSecret'


If using authentication with PHP's session management seems to be too much overhead, you have two other options. First, configure your web server so that only authorized users can access some files or directories. For instance, Apache users might use .htaccess files; http://apache-server.com/tutorials/ATusing-htaccess.html contains some good information about that. Microsoft IIS offers a graphical user interface (GUI) for administering access rights, so the same can be done there as well.

Using HTTP to Secure PHP Pages (http_authentication.php; excerpt)
<?php
// Demand credentials unless both were sent and match the expected values.
if (!(isset($_SERVER['PHP_AUTH_USER']) &&
    isset($_SERVER['PHP_AUTH_PW']) &&
    $_SERVER['PHP_AUTH_USER'] == 'Shelley' &&
    $_SERVER['PHP_AUTH_PW'] == 'TopSecret')) {
  // The realm must stay on one line; header() rejects values containing newlines.
  header('WWW-Authenticate: Basic realm="Secured area"');
  header('Status: 401 Unauthorized');
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
<?php
}
?>

However, a more or less platform-independent way is to use authentication via HTTP. If you send an HTTP status code 401 (unauthorized), the browser prompts the user for a username and a password. This information is then available in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], but only if you are running PHP as a server module, not in Common Gateway Interface (CGI) mode.

You can then check this and decide whether to send out a 401 header again or to show the page's actual contents. The preceding listing shows an implementation for that. Figure 5.10 shows the prompt for username and password.

Figure 5.10. The browser prompts for a username and a password.
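
A hardened variant of the listing above, as an added example that is not part of the original listing: it verifies against a password hash instead of a plaintext password, compares the username in constant time, and falls back to parsing the Authorization header for the CGI case mentioned in the text. The function names, the demo credential, and the assumption that the web server forwards the header as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION are assumptions of this example.

```php
<?php
// Added example; function and constant names are hypothetical.

// Constructed demo credential. In deployment, run password_hash() once and
// store only the hash; it is computed here so the file is self-contained.
const AUTH_USER = 'Shelley';
$storedHash = password_hash('TopSecret', PASSWORD_DEFAULT);

/**
 * Return [user, password] from the request, or null if none were sent.
 * Module mode: PHP fills PHP_AUTH_USER / PHP_AUTH_PW.
 * CGI/FastCGI (assumption): the server forwards the Authorization header
 * as HTTP_AUTHORIZATION, or REDIRECT_HTTP_AUTHORIZATION after a rewrite.
 */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;                   // malformed header: unauthenticated
    }
    return explode(':', $decoded, 2);  // the password may itself contain ':'
}

function is_authorized(?array $creds, string $user, string $hash): bool
{
    if ($creds === null) {
        return false;
    }
    // Evaluate both checks so timing does not reveal which one failed.
    $userOk = hash_equals($user, $creds[0]);
    $passOk = password_verify($creds[1], $hash);
    return $userOk && $passOk;
}

if (!is_authorized(basic_credentials($_SERVER), AUTH_USER, $storedHash)) {
    header('WWW-Authenticate: Basic realm="Secured area"');
    http_response_code(401);
    exit('Authentication required.');  // never fall through to the content
}
// Protected page content follows.
```

Basic authentication sends the username and password base64-encoded with every request, so pages protected this way should be served over HTTPS only.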


What Does PEAR Offer?

The following PEAR packages offer functionality related to sessions and HTTP authentication:

  • Auth implements various ways to authenticate users and, therefore, protect PHP pages.

  • HTTP_Session is based upon PHP's session mechanism but offers an object-oriented access to session information.


