Jean-Luc

Reputation: 3613

Display unauthorised page when user clicks 'cancel' (html/php)

I've recently started learning html and php. I'd appreciate it if someone could point me in the right direction: I've made a basic webpage that has basic authentication (to enter it). When the user clicks the cancel button, I would like the browser to do something! All it does is remain on the page it was on (before the user attempted to access my page). I guess I would like it to display the 401 error. Is the only way to do this to insert text after:

header('www-authenticate: basic');

?

I've tried redirecting 401 errors in the .htaccess file, though it would seem that the 401 error never occurs (although the server access log says that there was a 401 error). When I redirected my 404 error using .htaccess, it worked.

This is the code that I've got for the authentication:

<?php
$user = array('Michael' => 'Mike');
$pass = array('Michael' => 'fish');
$userSuccess = false;
$passSuccess = false;

if(!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['PHP_AUTH_PW']))
{
    header('http/1.1 401 Unauthorized');
    header('www-authenticate: basic');
    exit;
}
else
{
    foreach($user as $value)
        if($_SERVER['PHP_AUTH_USER'] == $value)
            $userSuccess = true;
    foreach($pass as $value)
        if($_SERVER['PHP_AUTH_PW'] == $value)
            $passSuccess = true;

    if(!$userSuccess || !$passSuccess)
    {
        header('http/1.1 401 Unauthorized');
        header('www-authenticate: basic');
        exit;
    }
}
?>

Also, if I've done anything stupid in my code, feel free to point it out.

I thought that since I sent the 401 header to the server, and the server logged having received it, it would've displayed some text, say 'Error 401: Unauthorised Access' or something along those lines.

Thanks.

Upvotes: 1

Views: 705

Answers (2)

user898741

You're on the right track. I'll just make some changes to your code:

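<?php
// Users keyed by login name: login => array(display name, password)
$user = array('Mike' => array('Michael', 'fish'));

// No credentials sent yet: ask the browser to prompt for them
if(!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['PHP_AUTH_PW']))
{
    header('http/1.1 401 Unauthorized');
    header('www-authenticate: basic');
    exit;
}
else
{
    $input_user = $_SERVER['PHP_AUTH_USER'];
    $input_pw = $_SERVER['PHP_AUTH_PW'];

    // Reject unknown users first: without this check $user[$input_user][1] is null,
    // and null != '' is false, so an unknown user with an empty password would get in
    if(!isset($user[$input_user]) || $user[$input_user][1] != $input_pw)
    {
        header('http/1.1 401 Unauthorized');
        header('www-authenticate: basic');
        exit;
    }
}

// Only reached with a known user and that user's own password
echo "Hi, " . $user[$input_user][0];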

First of all, I've changed your users array layout to this:

Array
(
    [Mike] => Array
        (
            [0] => Michael
            [1] => fish
        )

)

For further info, read about Multidimensional Arrays.

Second, is your username, then it will have another array with the name and password of the user. So you'll not have to use foreach to match your username and pass. BTW, the way you did it before, your script will allow any user to access with another user's pass. If you have another user foo and try user = foo and pass = fish, it will gain access.

Third thing is that you don't need to use $userSuccess and $passSuccess any more. Just to decrease code length.

Then I associate two vars with the _SERVER vars, to make them easier to use. So you can match them with this sentence: $user[$input_user][1] != $input_pw.

I hope this helps you.

Upvotes: 1

Lee

Reputation: 10603

You need to serve the browser with the content for 401. This is not done automatically. The 401 header you send is never really seen by the user. Think of it more as a status flag than content. Programs use that header to detect certain issues and act upon them (i.e. a download manager may detect the 404 header which then shows the download line in its window with a red background and error symbol).

In conclusion then, you need to print the error to the browser yourself.

Upvotes: 1
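
Both answers combined, as an added example that is not code from the question or from either answer: the 401 response carries a body, which is what the browser renders when the user presses Cancel, and each login name is checked against its own password only. The realm name "Members", the helper `deny()`, the array keys and the sample user table are assumptions made for the illustration.

```php
<?php
// Added example, not code from the question or either answer.
// Constructed sample user table keyed by login name. The hash is computed
// here only to keep the script self-contained; store precomputed hashes.
$users = [
    'Mike' => ['name' => 'Michael', 'hash' => password_hash('fish', PASSWORD_DEFAULT)],
];
// Hash of a throwaway value, verified against when the login name is
// unknown so that both paths do comparable work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Hypothetical helper: send the challenge plus the body the browser
// renders when the user presses Cancel in the login dialog.
function deny(): void
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Members", charset="UTF-8"');
    header('Content-Type: text/html; charset=UTF-8');
    echo '<h1>Error 401: Unauthorised Access</h1>';
    echo '<p>A valid user name and password are required to view this page.</p>';
    exit;
}

// No credentials yet (first visit): challenge the browser.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    deny();
}

$inputUser = $_SERVER['PHP_AUTH_USER'];
$inputPw   = $_SERVER['PHP_AUTH_PW'];

// Look the user up first, then check that user's own password.
$known = isset($users[$inputUser]);
$hash  = $known ? $users[$inputUser]['hash'] : $dummyHash;

// password_verify() runs for every request; an unknown login name is
// rejected even if the supplied password happens to match the dummy hash.
if (!password_verify($inputPw, $hash) || !$known) {
    deny();
}

// htmlspecialchars() in case display names ever contain markup.
echo 'Hi, ' . htmlspecialchars($users[$inputUser]['name']);
```

Basic credentials are only base64-encoded on the wire, so a page protected this way should be served over HTTPS.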
