Implementing Authentication With PHP and MySQL


Khalilullah Akbari
Khalil.akbari18@gmail.com
+93 729908855
Identifying visitors
The best way is to use a combination of IP address and cookies. Saving just the IP address
is not enough because it can change often when the user is using a proxy.

You can save both values to a database table visitor if there is no visitor with these
values yet; in that case it is a unique new visitor. If there is a visitor with one of
these values, then it is a returning visitor and you should update your visits table.
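function getUserIP() {
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are copied from request headers,
    // so the client can set them to anything; only REMOTE_ADDR comes from the
    // TCP connection. Use the result for visit counting, not for access decisions.
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // May hold a comma-separated proxy chain; take the first entry,
        // which is the address reported for the client.
        $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}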
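function getUserCookie() {
    if (isset($_COOKIE['visited'])) {
        // cookie is already set
        return $_COOKIE['visited'];
    }
    // md5() of microtime() is guessable; random_bytes() gives an unpredictable ID.
    $id = bin2hex(random_bytes(16));
    $expire = time() + 60 * 60 * 24 * 30; // expiration after 30 days
    // Last two arguments: secure = false (as before), httponly = true.
    setcookie("visited", $id, $expire, "/", "", false, true);
    // setcookie() does not fill $_COOKIE during this request, so return the new value.
    return $id;
}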
Implementing Access Control
User access control shows each user only the information relevant to them. Only an admin or
super user has all the rights to see, insert, update and delete information in the system.
Give access to different features depending on the user type.

Start a session:
<?php
// Start the session
session_start();

$_SESSION["favcolor"] = "green";
?>
Basic authentication in PHP
HTTP Basic Access Authentication involves adding a header that contains your username and
password. The proper format for the header is:

Authorization: Basic XXXXXX

Where XXXXXX is your credentials in the form username:password, base64 encoded.

PHP automatically decodes and splits the username and password into specially named $_SERVER entries:

PHP_AUTH_USER with the username as a plain-text string
PHP_AUTH_PW with the password as a plain-text string
Check if the user entered their username:
$_SERVER['PHP_AUTH_USER']

Check the password:
$_SERVER['PHP_AUTH_PW']

Testing with curl:
curl --user my_username:my_password http://localhost:8000/

<?php
// No credentials sent yet: ask the client for them.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="My Website"');
    header('HTTP/1.0 401 Unauthorized');
    echo "<p>Access denied</p>";
    exit;
}

// Credentials are hard-coded for this demonstration.
// hash_equals() compares in constant time, unlike ==.
if (hash_equals("user", $_SERVER['PHP_AUTH_USER']) && hash_equals("@pass", $_SERVER['PHP_AUTH_PW'])) {
    echo "<p>Access granted, correct username and password</p>";
} else {
    header('WWW-Authenticate: Basic realm="My Website"');
    header('HTTP/1.0 401 Unauthorized');
    echo "<p>Access Denied</p>";
    exit;
}
?>
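
The same Basic authentication check with stored password hashes instead of a hard-coded plain-text password, followed by the user-type rule from the access control section. This is an added example, not code from the original slides; the user records are constructed and stand in for rows of a MySQL users table, and authenticate(), can(), deny() and RIGHTS are hypothetical names.

```php
<?php
// Constructed sample data: in a real system these hashes are created once
// with password_hash() at registration and read from the users table.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'type' => 'admin'],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'type' => 'viewer'],
];

// Rights per user type: only admin may see, insert, update and delete.
const RIGHTS = [
    'admin'  => ['see', 'insert', 'update', 'delete'],
    'viewer' => ['see'],
];

// Returns the user type on success, null on any failure.
function authenticate(array $users, string $name, string $password): ?string
{
    // Unknown names are checked against a dummy hash so that both paths
    // cost one password_verify() call.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $record = $users[$name] ?? null;
    $ok = password_verify($password, $record['hash'] ?? $dummy);
    return ($ok && $record !== null) ? $record['type'] : null;
}

// Deny by default: unknown types and unknown actions get nothing.
function can(?string $type, string $action): bool
{
    return $type !== null && in_array($action, RIGHTS[$type] ?? [], true);
}

function deny(int $status, string $message): void
{
    http_response_code($status);
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="My Website"');
    }
    echo "<p>$message</p>";
    exit;
}

$type = authenticate($users, $_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '');
if ($type === null) {
    deny(401, 'Access denied');
}
if (!can($type, 'delete')) {
    deny(403, 'Your user type may not delete records');
}
echo "<p>Access granted: $type may delete records</p>";
```

Requires PHP 7.4 or later. With the constructed records, alice gets the final message, bob gets 403 and any other credentials get 401.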
Using mod_auth_mysql authentication
mod_auth_mysql stores users in a text file, but it is not really practical for busy sites.
Installing mod_auth_mysql
1. Obtain the distribution archive for the module.
2. Unzip and untar the file.
3. Change to the mod_auth_mysql directory and run make and make install.
4. Add this line to httpd.conf to dynamically load the module into Apache:
   LoadModule mysql_auth_module libexec/mod_auth_mysql.so
5. Create a database and a table in MySQL to contain the authentication information.
6. Add a line to your httpd.conf file to give mod_auth_mysql the parameters it needs to
   connect to MySQL:
   Auth_MySQL_Info hostname user password
Creating your own custom authentication
After getting to the session control chapter you will be able to write your own
authentication.
Thank You
