phpeveryday.com

In protecting web page with HTTP authentication, you have to deliver two header. header WWW-AUTHENTICATE tell to browser that an username and password needed. The other header is the status, which should be HTTP/1.0 401 Unauthorized. Compare this to the usual header, HTTP/1.0 200 OK.

Example, create a file named "protectHTTP.php" within www\test\phpsecurity. Enter following code:

<?php
  // test for username/password
  if(($_SERVER['PHP_AUTH_USER'] == "mia") AND
    ($_SERVER['PHP_AUTH_PW'] == "secret"))
  {
    echo("successfully!<br>\n");
  }
  else
  {
    //Send headers to cause a browser to request
    //username and password from user
    header("WWW-Authenticate: " .
    "Basic realm=\"PHPEveryDay's Protected Area\"");
    
	header("HTTP/1.0 401 Unauthorized");

    //Show failure text, which browsers usually
    //show only after several failed attempts
    print("This page is protected by HTTP ");
  }
?>

Point your browser to http://localhost/test/phpsecurity/protecthttp.php. You will get like this:

PHP creates the PHP_AUTH_USER and PHP_AUTH_PW elements of the _SERVER array automatically if the browser passes a username and password.