PHP 身份验证

HTTP 身份验证向客户端发送特殊的 HTTP 标头,并要求提供身份验证代码以访问该页面。

它是一种 PHP 内置方法,用于验证用户是否执行特定任务。PHP 有两种 HTTP 身份验证方法,BasicDigest

HTTP 身份验证将生成一个弹出窗口来询问身份验证信息。

它使用数组 $_SERVER 变量、PHP_AUTH_USERPHP_AUTH_PW 对用户进行身份验证,并使用 AUTH_TYPE 设置身份验证类型。

在 PHP 中使用基本 HTTP 身份验证对用户进行身份验证

基本 HTTP 身份验证使用非加密 PHP base64 编码;这就是为什么它应该只在提供 HTTPS 等安全性时使用。


if( ( isset($_SERVER['PHP_AUTH_USER'] ) && ( $_SERVER['PHP_AUTH_USER'] == "admin" ) ) AND ( isset($_SERVER['PHP_AUTH_PW'] ) && ( $_SERVER['PHP_AUTH_PW'] == "password" )) )
    echo(" Hello ".$_SERVER['PHP_AUTH_USER']."! <br>\n");
    // These headers will cause the browser to ask for authentication information
    header('WWW-Authenticate: Basic realm="This page is only authorized to registered users"');
    header('HTTP/1.0 401 Unauthorized');
    //This text will be shown after several failed attempts, or you cancel the pop-up box.
    echo"Protected by HTTP Authentication <br>";
	echo "Use <b>admin</b> for the username, and <b>password</b> for the password to enter";



用户名是 admin,密码是 password


PHP 身份验证

If the information is correct:
"Hello admin!"
If the information is failed:
"Protected by HTTP Authentication"
"Use admin for the username, and password for the password to enter."

在 PHP 中使用 Digest HTTP 身份验证对用户进行身份验证


此信息包括用户信息、HTTP 方法、服务器提供的 nonce 值和请求的 URL;它比基本 HTTP 身份验证更安全,因为信息是加密的。

// User authentication info
$auth_info = array('user1' => 'pass1', 'user2' => 'pass2');
// First of all check PHP_AUTH_DIGEST variable, if it is empty the header will redirect the page to pop up box.
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('WWW-Authenticate: Digest realm="Restricted area",qop="auth",nonce="'.uniqid().'",opaque="'.md5("Restricted area"));
    header('HTTP/1.1 401 Unauthorized');
    exit('You cancelled the authentication');
// it is required to check the Digest Authentication Variable first before converting the information to md5
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($auth_info[$data['username']])){
    exit('The authentication information entered is not correct!');
// generating the valid authentication response using the client info and server request method
$auth_hash1 = md5($data['username'] . ':Restricted area:' . $auth_info[$data['username']]);
$auth_hash2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$auth_response = md5($auth_hash1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$auth_hash2);
if ($data['response'] != $auth_response){
    exit('The authentication information entered is not correct!');
// if authentication response matches the info
    echo 'Welcome ' . $data['username'].' you are an authenticated user';
// The function below is from the official PHP manual, It is used to parse the HTTP digest.
function http_digest_parse($txt)
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));
    preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
    return $needed_parts ? false : $data;

上面的代码显示了应用摘要 HTTP 身份验证方法的过程。你可以使用 PHP 手册中的 http_digest_parse() 函数并使用它来解析 HTTP Digest 身份验证。


有两个密码,分别是 pass1pass2。你可以输入任何信息并登录。


PHP 身份验证

If the information is correct:
"Welcome admin you are an authenticated user"
If the information is failed:
"The authentication information entered is not correct!"
If you cancel the pop up:
"You cancelled the authentication"