Chapter 24: Sessions, Cookies, and HTTP

    ($PHP_AUTH_PW == "password")) //see caution below
        print("The realm is yours");
      else
        print("We don't need your kind");
    }
    ?>

If we visit this script for the first time (and are using the appropriate browser and server versions), we will get a pop-up window. After the user enters the information into the pop-up box, the script is automatically called again with new variables $PHP_AUTH_USER (set to the user string entered), $PHP_AUTH_PW (set to the password string entered), and $PHP_AUTH_TYPE (which will be Basic until such time as another type of authentication is supported). The nice thing about this is that these variables will continue to be set by the browser on each request, and you do not need to do anything in your scripts to propagate them; one verification of identity per session should suffice.

Caution: The preceding code is the bare minimum necessary to demonstrate the HTTP authentication mechanism and is not a model for how user/password combinations should really be verified! Our code fragment simply compares the values of the variables delivered to hard-coded strings, which is a bad idea for several reasons. To make this part of a real verification system, you probably want to compare the result of encrypting the password to a similarly encrypted version in a database or password file. See Chapter 29 for more on encryption and real security measures.

In addition to redirection and authentication, the capability to send real HTTP headers offers finer control of many aspects of the HTTP client/server relationship, which usually are set by default. For example, you can explicitly set the expiration and caching behavior of your page, or send return status codes that tell the client whether whatever is returned should be considered a success or not. Because PHP is just acting as a channel to the underlying HTTP protocol, most of these techniques are beyond the scope of PHP documentation and this book.

Note: The WWW-Authenticate mechanism works only under the Apache Web Server, with PHP as a module. It does not currently work in the CGI version or under IIS/PWS.
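One way to do the comparison the caution above calls for, checking the submitted password against a stored hash instead of a hard-coded string. This is an added example, not code from the book. It assumes PHP 7.1 or later, where the credentials arrive in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] rather than as globals; the function names, the sample account and the realm string are constructed for illustration.

```php
<?php
// Added example. Assumes PHP 7.1+; credentials are read from $_SERVER, not globals.

// Constructed sample store standing in for a database or password file. It holds
// password_hash() output only; the hash is computed inline to keep this runnable.
function load_user_hashes(): array
{
    return ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

// Hypothetical helper: true only when the user exists and the password matches.
function verify_credentials(array $hashes, ?string $user, ?string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Throwaway hash, verified when the user name is unknown so that known
        // and unknown users take comparable time.
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $known  = $user !== null && isset($hashes[$user]);
    $stored = $known ? $hashes[$user] : $dummy;
    $ok     = password_verify((string) $password, $stored);
    return $known && $ok;
}

// Send the Basic challenge that makes the browser show its pop-up, then stop.
function challenge(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    print('Authentication required');
    exit;
}

$user     = $_SERVER['PHP_AUTH_USER'] ?? null;
$password = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!verify_credentials(load_user_hashes(), $user, $password)) {
    challenge('Example Realm'); // constructed realm name
}
print('The realm is yours');
```

Because the browser resends the Basic credentials with every request, a script like this belongs behind HTTPS.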
Header gotchas

As we have said innumerable times by now, the header() function is subject to the same restriction as the setcookie() function: No headers may be sent after regular page content is generated, unless you are using a release of PHP4 or 5 that has output buffering enabled.

More generally, be aware that using the header capability requires not only some knowledge of the HTTP protocols, but also some knowledge of the extent to which different browser versions conform to them. Unless you are writing for a known population of users that all use the same browser, you will probably need to do more cross-browser testing than with vanilla HTML-generating scripts.

Tip: Most browsers can be set to warn you whenever they are about to accept a cookie. Although this can be annoying when viewing benign yet cookie-intensive sites, it can also be a great debugging tool when writing your own cookie-setting code. Mozilla browsers also feature a tool called Cookie Manager that lists cookies from each site and allows you to manually delete them, which is also handy for debugging.