Unit 5 Authentication

Research on authentication in php

Uploaded by

Aman Kaul

Basic HTTP Authentication using PHP

HTTP Basic authentication protects a web resource by requiring a username and password on every request for it. The credentials travel in a standard HTTP request header, so no login form, cookie or server-side session is needed: either the web server (for example Apache with an .htpasswd file) or, as in this unit, the PHP script itself checks them on each request.

HTTP Authentication Process
PHP exposes the credentials of a Basic-authenticated request through the $_SERVER superglobal: $_SERVER['PHP_AUTH_USER'] holds the username and $_SERVER['PHP_AUTH_PW'] the password, both in plaintext. The exchange works as follows:
1. The browser requests the page without credentials.
2. The script answers with a 401 Unauthorized status and a WWW-Authenticate: Basic realm="..." header; the browser shows a login dialog.
3. The browser repeats the request with an Authorization header (not "Authenticate") whose value is the word Basic followed by the base64 encoding of username:password. PHP decodes it into the two $_SERVER entries.
4. The script checks the credentials and, if they are valid, sends the page content. The browser caches the credentials and resends the header on later requests to the same realm.

Two caveats. Base64 is an encoding, not encryption, so Basic authentication must only be used over HTTPS. And PHP_AUTH_USER/PHP_AUTH_PW are filled in by the Apache module and by PHP-FPM; under plain CGI/FastCGI the server may not pass the Authorization header to PHP at all, and if it arrives as $_SERVER['HTTP_AUTHORIZATION'] it has to be decoded by hand.

Here, we create a PHP function authenticate() that holds two username/password pairs in a PHP array. The function takes the username and password entered by the user as parameters and looks them up in the array. If the username exists and the password matches exactly (=== avoids PHP's loose comparison), it returns TRUE and the user may see the page content; otherwise it returns FALSE and the credentials are requested again. Keeping plaintext passwords in source code is acceptable only for a classroom demonstration; a real application stores password hashes, as described in the second half of this unit.
<?php
// Demonstration credential store: plaintext passwords in source, for teaching only.
function authenticate($user, $pass) {
    $users = array('rocky' => '@12etp',
                   'mufasa' => 'Y1907JL');
    // Strict comparison: under == the strings "0e123" and "0e456" would compare equal
    if (isset($users[$user]) && ($users[$user] === $pass)) {
        return true;
    } else {
        return false;
    }
}
?>
Next, we add a check for failed authentication. On the very first request the browser has sent no credentials, so the two $_SERVER entries do not exist yet; the null-coalescing operator (?? '') turns that into an empty username and password instead of an "Undefined array key" warning. If authenticate() fails, the script sets the HTTP response status to 401, sends the WWW-Authenticate challenge and stops, so the browser asks for credentials again.
if (! authenticate($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '')) {
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Website"');
    echo "Please enter a valid username and password.";
    exit;
}
In the above code, the WWW-Authenticate response header tells the client which authentication scheme it must use to reach the resource (here Basic); it only has meaning when sent together with a 401 Unauthorized status. When the browser sees the 401, it shows its username/password dialog again. The realm is a label for a protection space on the server: requests to the same realm reuse the credentials the browser has cached, and a different realm triggers a new prompt. It may be any string that identifies the protected area. Older browsers displayed it in the dialog, but current versions of Chrome and others no longer show it, so do not rely on it to convey instructions to the user. Note also that Basic authentication has no logout: the browser keeps sending the cached credentials until it is closed or the server answers with 401 again.
Complete Code: Basic HTTP Authentication using PHP
<?php
// Complete example: Basic HTTP authentication handled entirely in PHP.
function authenticate($user, $pass) {
    // Demonstration credential store (plaintext, for teaching only)
    $users = array('rocky' => '@12etp',
                   'mufasa' => 'Y1907JL');
    if (isset($users[$user]) && ($users[$user] === $pass)) {
        return true;
    } else {
        return false;
    }
}

// No credentials yet (first request) or wrong credentials: challenge and stop
if (! authenticate($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '')) {
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Please Login"');
    echo "Please enter a valid username and password.";
    exit;
}
echo 'Welcome to this website';
?>
So, this is how a page can be protected with simple Basic HTTP authentication. The same few lines can guard an admin area, a script-driven API endpoint or any other resource, provided the site runs over HTTPS and the credentials are checked against stored hashes rather than plaintext.
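The following is an added example, not part of the original notes, that puts the pieces above together the way a practitioner would deploy them: the credential store holds password_hash() output instead of plaintext, the Authorization header is decoded by hand when PHP_AUTH_USER is absent (the CGI/FastCGI case), unknown users are verified against a dummy hash so response time does not reveal which usernames exist, and credentials are refused over plain HTTP. The usernames, passwords, realm and the X-Forwarded-Proto check are assumptions for the example; trust that header only behind a proxy you control. The hashes are computed at startup purely so the script runs stand-alone; in a real application they come from a database. Requires PHP 8.0 or later.

```php
<?php
// Added example (not from the original notes): Basic auth with hashed
// credentials, an explicit Authorization-header parser and a 401 challenge.
declare(strict_types=1);

// Assumption: in a real deployment these hashes live in a database and the
// plaintexts below exist only so the example can be run unchanged.
$users = [
    'rocky'  => password_hash('@12etp', PASSWORD_DEFAULT),
    'mufasa' => password_hash('Y1907JL', PASSWORD_DEFAULT),
];

/**
 * Return [user, pass] from the request, or null if no Basic credentials
 * were sent. mod_php and PHP-FPM fill PHP_AUTH_USER/PHP_AUTH_PW; under
 * CGI/FastCGI only the raw header may be available, so both are handled.
 */
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION']
           ?? $server['REDIRECT_HTTP_AUTHORIZATION']
           ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    // Base64 is encoding, not encryption: "cm9ja3k6QDEyZXRw" decodes to
    // "rocky:@12etp", which is why Basic auth must only run over HTTPS.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/**
 * Check credentials against the hash table. An unknown user is verified
 * against a dummy hash so that the time taken does not differ between
 * "no such user" and "wrong password".
 */
function authenticate(string $user, string $pass, array $users): bool
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

function challenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Website", charset="UTF-8"');
    echo "Authentication required.";
    exit;
}

// Refuse to accept credentials over plain HTTP. Assumption: TLS terminates
// on this host, or a trusted proxy sets X-Forwarded-Proto.
$https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
      || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
if (!$https) {
    http_response_code(403);
    exit("Basic authentication is only accepted over HTTPS.");
}

$creds = basicCredentials($_SERVER);
if ($creds === null || !authenticate($creds[0], $creds[1], $users)) {
    challenge();
}
echo 'Welcome, ' . htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
```

The dummy-hash trick matters because password_verify() on a real bcrypt hash takes tens of milliseconds while a missing array key returns instantly; without it an attacker can enumerate valid usernames by timing. The `charset="UTF-8"` parameter on the challenge is defined in RFC 7617 and tells the browser how to encode non-ASCII passwords.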

How to Secure hash and salt for PHP passwords ?

Hashing with a salt is the standard way to store passwords in a database. A password hash is a one-way function of the password: the database holds only the hash, and at login the entered password is hashed again and compared. A salt is a random value combined with the password before hashing and stored next to the hash. It means two users with the same password get different hashes, and an attacker who steals the database cannot use one precomputed table (a rainbow table) against every row. A salt and a deliberately slow hash function (bcrypt, Argon2) together are what make a stolen password database expensive to crack; a plain fast hash such as MD5 or SHA-256, salted or not, is not adequate.
Salting and hashing: In PHP this is done with the password_hash() function, which generates a random salt itself and returns a single string containing the algorithm identifier, the cost, the salt and the hash.
Syntax:
string password_hash( string $password, string|int|null $algo, array $options = [] )
Parameters:
- $password: The plaintext password to be hashed and stored in the database.
- $algo: The hashing algorithm. The constants are:
1. PASSWORD_DEFAULT: Use the current default algorithm, bcrypt since PHP 5.5.0. This constant is designed to change over time as new and stronger algorithms are added to PHP, so store the result in a column that allows more than 60 characters (255 is recommended).
2. PASSWORD_BCRYPT: Use bcrypt (CRYPT_BLOWFISH). The result is a 60-character string beginning with "$2y$". bcrypt only uses the first 72 bytes of the password.
3. PASSWORD_ARGON2ID (and PASSWORD_ARGON2I): Use Argon2, available from PHP 7.3 when PHP is built with Argon2 support; it is the preferred choice for new systems.
- $options: An associative array of algorithm options. For bcrypt the option in use is 'cost', the work factor: the default is 10 (12 from PHP 8.4), and every increase by one doubles the time needed to compute and to verify a hash, for the defender and for an attacker alike. Choose the highest cost that keeps a login acceptably fast on the server. A 'salt' option existed in older versions but was deprecated in PHP 7.0 and removed in PHP 8.0; the salt is always generated by PHP.
Return Value: It returns the hashed password as a string. On PHP 7 it returns FALSE on failure; on PHP 8 it throws instead (a ValueError for an invalid algorithm).
Example: This example demonstrates password_hash(), creating two hashes of the same password and checking them with password_verify().

<?php
$password = 'Password'; // Plaintext to be hashed
// password_hash() generates a random salt itself; the only option used here is the cost
$hash_default_cost = password_hash($password, PASSWORD_DEFAULT);
$hash_custom_cost  = password_hash($password, PASSWORD_DEFAULT, array('cost' => 9));
// password_verify() returns a bool; cast to int so false prints as 0 rather than an empty string
echo (int) password_verify('Password', $hash_default_cost) . "<br>";
echo (int) password_verify('Password', $hash_custom_cost) . "<br>";
echo (int) password_verify('Password123', $hash_default_cost);
?>
Output:
1
1
0

In this example, password_verify() compares the entered string against a stored hash. It reads the algorithm, cost and salt out of the hash string, hashes the entered password with the same parameters and compares the result in constant time, returning true if the password is correct and false otherwise. Because the salt is random, the two hashes of 'Password' above are different strings, yet both verify. A login routine should also call password_needs_rehash() after a successful verify, so that hashes made with an older cost or algorithm are upgraded the next time the user logs in.
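The following is an added example, not part of the original notes, showing the whole password lifecycle that the section describes: hashing at registration, verifying at login, rejecting passwords bcrypt would silently truncate, and upgrading an old hash with password_needs_rehash() when the cost is raised. The in-memory $db array, the usernames and passwords, and the cost of 12 are assumptions for the example; a real application would replace the array reads and writes with prepared SELECT/UPDATE statements.

```php
<?php
// Added example (not from the original notes): password storage lifecycle
// with password_hash(), password_verify() and password_needs_rehash().
declare(strict_types=1);

// Stand-in for a users table (assumption): username => stored hash.
$db = [];

// Cost is a work factor: each +1 doubles bcrypt's running time. Use the
// highest value that keeps a verify acceptably fast on your hardware.
const CURRENT_ALGO = PASSWORD_BCRYPT;
const CURRENT_OPTS = ['cost' => 12];

function register(array &$db, string $username, string $password): void
{
    // bcrypt only looks at the first 72 bytes; refuse longer passwords
    // rather than silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    // password_hash() draws a fresh random salt itself; never pass one in.
    $db[$username] = password_hash($password, CURRENT_ALGO, CURRENT_OPTS);
}

function login(array &$db, string $username, string $password): bool
{
    $hash = $db[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Transparent upgrade: if the stored hash uses an older cost or
    // algorithm, rehash now while the plaintext is available.
    if (password_needs_rehash($hash, CURRENT_ALGO, CURRENT_OPTS)) {
        $db[$username] = password_hash($password, CURRENT_ALGO, CURRENT_OPTS);
    }
    return true;
}

// Cost recorded inside a stored hash (the "12" in "$2y$12$...").
function storedCost(array $db, string $username): int
{
    return password_get_info($db[$username])['options']['cost'];
}

// --- demonstration (constructed data) --------------------------------
register($db, 'alice', 'correct horse battery staple');

// Same password hashed again: a fresh salt gives a different string,
// and both strings still verify.
$again = password_hash('correct horse battery staple', CURRENT_ALGO, CURRENT_OPTS);
var_dump($db['alice'] !== $again);
var_dump(password_verify('correct horse battery staple', $again));
var_dump(storedCost($db, 'alice'));

// Simulate a legacy row hashed at cost 10, then watch login() upgrade it.
$db['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(storedCost($db, 'bob'));
var_dump(login($db, 'bob', 'hunter2'));
var_dump(storedCost($db, 'bob'));

// Wrong password and unknown user both fail without distinguishing which.
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));
```

Running it shows the two hashes of alice's password differing while both verify, bob's stored cost changing from 10 to the current 12 after his first successful login, and the two failure cases returning false. To move from bcrypt to Argon2id later, only CURRENT_ALGO and CURRENT_OPTS change; password_needs_rehash() then migrates each user on their next login with no bulk reset.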
