Basic 401 Authentication Library
#1

[eluser]Unknown[/eluser]
I just finished up a portfolio site for a friend, and could not find an uber simple CodeIgniter library or helper that just leveraged basic authentication. I didn't want to manage users, registrations, and so forth when all we needed was to make sure only he and I could access the control panel.

Here's the code. Suggestions are welcome; this site is my first CI project and one of my first PHP projects.
Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

//
//  Basic401Auth
//  Version 0.1
//  Coded by Nathan Koch on 12-23-2008
//  Just add
//
//      $this->load->library('basic401auth');
//      $this->basic401auth->require_login();   // CI exposes loaded libraries under the lower-case name
//
//  anywhere you need basic authentication

class Basic401Auth
{

    function __construct()
    {
        $this->ci =& get_instance();
    }

    function headers_401()
    {

        $user = $this->ci->config->item('admin_user');
        $password = $this->ci->config->item('admin_pw');

        if ( !isset($_SERVER['PHP_AUTH_USER']) )
        {
            header('WWW-Authenticate: Basic realm="SMF Studios"');
            header('HTTP/1.0 401 Unauthorized');
            echo("Please enter a valid username and password");
            exit();        
        }
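        else if ( ($_SERVER['PHP_AUTH_USER'] === $user) && ($_SERVER['PHP_AUTH_PW'] === $password) )
        {
            // Strict comparison: == would let numeric-looking strings such as "0e1" and "0e2" match
            return true;
        }
        else
        {
            // Wrong credentials: answer with 401 again so the response is not a 200 and the browser re-prompts
            header('WWW-Authenticate: Basic realm="SMF Studios"');
            header('HTTP/1.0 401 Unauthorized');
            echo("Please enter a valid username and password");
            exit();
        }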
    }

    function require_login()
    {
        // Needs the CI session library to be loaded (e.g. via autoload)
        $logged_in = $this->ci->session->userdata('logged_in');
        if ( $logged_in != TRUE)
        {
            $this->headers_401();
            $this->ci->session->set_userdata( array('logged_in' => TRUE) );
        }
    }
}

?>
#2

[eluser]Unknown[/eluser]
Just a quick add on, as I didn't spell it out in the comment block at the top. Add:

Code:
$config['admin_user'] = 'yourusername';
$config['admin_pw'] = 'yourpassword';

to config.php.
#3

[eluser]cfraz[/eluser]
Nice and simple - I'm doing something similar for Windows Integrated Authentication on an intranet application that runs on IIS.

Take a look at the CI input library.

Code:
$this->input->server('PHP_AUTH_USER');

filters input, returns false if it's not set, and optionally screens xss content. I'm not sure but that might be a vulnerability for PHP_AUTH_USER?

Also, I think that parameter is only returned for Apache running PHP module, so it limits applicability.
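
The availability question raised in this post, and the credential comparison in the library, can be handled as in the following added example, which is not code from any poster in this thread. The function names and sample credentials are hypothetical; it assumes PHP 5.6+ (for `hash_equals()`) and, when PHP runs as CGI/FastCGI, a web server configured to forward the Authorization header.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.
// Needs PHP 5.6+ for hash_equals().

// Return array(user, password) sent with the request, or null if none.
function basic_credentials(array $server)
{
    // Set by PHP itself when it receives the header (e.g. as an Apache module).
    if (isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== '') {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    // Assumption: under CGI/FastCGI the web server has been configured to
    // pass the raw Authorization header through under one of these keys.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        // The user-id cannot contain ':', so split on the first colon only.
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

// True only when both values match the configured ones.
function credentials_match($creds, $user, $password)
{
    // An unset config item is not a string; never let that match anything.
    if ($creds === null || !is_string($user) || !is_string($password) || $user === '') {
        return false;
    }
    // hash_equals() compares in constant time and does no type juggling.
    // Both calls always run, so timing does not reveal which field failed.
    $user_ok = hash_equals($user, $creds[0]);
    $pw_ok   = hash_equals($password, $creds[1]);
    return $user_ok && $pw_ok;
}

// Constructed sample input: "admin:s3cret" as FastCGI might deliver it.
$sample = array('HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret'));
var_dump(credentials_match(basic_credentials($sample), 'admin', 's3cret'));
var_dump(credentials_match(basic_credentials($sample), 'admin', '0e1234'));
var_dump(credentials_match(basic_credentials(array()), 'admin', 's3cret'));
```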
#4

[eluser]Iverson[/eluser]
Nice. I added this... This way the realm isn't hardcoded.

Code:
        if ( ! $this->ci->config->item('realm'))
        {
            $realm = 'Password Protected Site';
        }
        else
        {
            $realm = $this->ci->config->item('realm');
        }

        if ( !isset($_SERVER['PHP_AUTH_USER']) )
        {
            header('WWW-Authenticate: Basic realm="' . $realm . '"');

        //The rest of the code below
#5

[eluser]BeingDefined[/eluser]
Very nice! Will be using this in my future project(s). Thanks!
#6

[eluser]Nathan Pitman (Nine Four)[/eluser]
Thanks for this, just what I've been looking for.
#7

[eluser]Iverson[/eluser]
Does this go in controllers or views?
#8

[eluser]Nathan Pitman (Nine Four)[/eluser]
In the controller.
#9

[eluser]Unknown[/eluser]
Nice library.
But I think it is better to change the line below.

if ( !isset($_SERVER['PHP_AUTH_USER']) )

if ( !isset($_SERVER['PHP_AUTH_USER']) || !$_SERVER['PHP_AUTH_USER'] )

Please see below.

Code:
$ diff -u a/basic401auth.php b/basic401auth.php
--- a/basic401auth.php    2008-12-25 01:03:36.000000000 +0900
+++ b/basic401auth.php    2011-02-02 14:16:23.000000000 +0900
@@ -25,9 +25,18 @@
         $user = $this->ci->config->item('admin_user');
         $password = $this->ci->config->item('admin_pw');

-        if ( !isset($_SERVER['PHP_AUTH_USER']) )
+        if(! $this->ci->config->item('realm'))
         {
-            header('WWW-Authenticate: Basic realm="SMF Studios"');
+            $realm = 'Pasword Protected Site';
+        }
+        else
+        {
+            $realm = $this->ci->config->item('realm');
+        }
+
+        if ( !isset($_SERVER['PHP_AUTH_USER']) || !$_SERVER['PHP_AUTH_USER'] )
+        {
+            header('WWW-Authenticate: Basic realm="' . $realm . '"');
             header('HTTP/1.0 401 Unauthorized');
             echo("Please enter a valid username and password");
             exit();        
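Review bot: the added `!$_SERVER['PHP_AUTH_USER']` test is a truthiness check, so a username of "0" is treated as missing and gets the 401 prompt every time; compare against the empty string instead, e.g. `$_SERVER['PHP_AUTH_USER'] === ''`. In the same hunk the default realm is spelled 'Pasword' and ends up in the browser's login dialog, so correct it to 'Password'. Since `$realm` now comes from config and is concatenated between double quotes in the `WWW-Authenticate` header, strip or escape any `"` in the configured value before building the header.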
@@ -54,4 +63,4 @@
     }
}



