NYCPHP Meetup

[csnyder]

While it's true that auth over SSL is the ideal situation, for sites
on a virtual host I find HTTP Digest Authentication to be an
acceptable compromise, and not really any harder to set up in an
.htaccess context.

But I think this is a PHundamental because of PHP's built-in support
for requesting a username and password via Basic Authentication. The
idea is that you put:

   header( 'WWW-Authenticate: basic realm="Members Only" ' );
   header( 'HTTP/1.0 401 Unauthorized' );

At the top of your script, which causes the browser to cough up one of
those little username/password dialogs. On submit, the request comes
back to your script with $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'], as documented in the manual here:
http://www.php.net/manual/en/features.http-auth.php

So now you can look those up in a MySQL table or something (or DBM if
you like) and allow access or not.

I've always thought it was a silly feature -- why not just code a
login form? But I can see the utility for intranet applications, where
you don't need it to be pretty and you don't need all the "Forgot your
password?" and "Register here" stuff.