2

I am using the http authentication method to display a prompt box to the user as soon he lands on the webpage. As of now, when the link gets clicked, a prompt box opens. But I want the webpage to load and then the prompt box to load. Is there a way in which I can add an image to the background ?

if (($_SERVER['PHP_AUTH_USER'] != 'abcd') || ($_SERVER['PHP_AUTH_PW'] != 'abcd123')) 
{
    header('WWW-Authenticate: Basic Realm="Enter Your Credentials"');
    header('HTTP/1.0 401 Unauthorized');
}
    echo('You are valid');
finefoot
  • 7,307
  • 6
  • 35
  • 69
Priyanshu
  • 89
  • 1
  • 9
  • What's the reason to ask for password when there's nothing to be protected by it as you want to display webpage to user despite not entering valid credentials? – DevilaN Apr 04 '16 at 08:54
  • I am doing this for my local network. Specifically for in office purposes. But i don't want to show my users a blank page. – Priyanshu Apr 04 '16 at 08:56
  • Actually, your PHP would be sending the data to the browser regardless (see there is no else, die or return that would kill the execution and thus your secrets are in the request). The browser is just not rendering it. What is your reason to implement Basic HTTP authentication instead of, let's say, sessions? – César Apr 04 '16 at 09:03

2 Answers2

3

For Basic HTTP Authentication, you have to send the authentication request in the HTTP header. For more information, have a look at these White papers: RFC 2617 and RFC 7235 (further explanation in the comments to this answer). Naturally, this doesn't allow for any other data before (like "background HTML"), as you can also read in the PHP manual on the header() function:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP.

I'd recommend using another form of authentication, like Sessions for example. You could have a look at this guide.

However, if you really have to use Basic HTTP Authentication and want to display something in the background, a workaround would be the usage of two files and <iframe>:

background.html will show your desired "background HTML" and is the file you will open in your browser:

<h1>Beautiful background</h1>
<!-- you can put your background HTML code here -->

<iframe src="login.php" />

login.php has to contain the PHP code for the Basic HTTP Authentication, just like the code you used in the example in your question above.

Community
  • 1
  • 1
finefoot
  • 7,307
  • 6
  • 35
  • 69
  • RFC 2617 has been updated by [RFC 7235](https://tools.ietf.org/html/rfc7235) for quite a while now. Please use that as a reference. – DaSourcerer Apr 04 '16 at 11:14
  • True, but not only. `WWW-Authenticate` is valid in all version of HTTP/1.x and RFC 7235 is giving the better overview, IMHO. It needs very special reasons to use HTTP/1.0 in this day and age anyways ;) – DaSourcerer Apr 04 '16 at 11:25
  • @muschL You gave me a perfect example to my problem. It is working fine now. Thank you for your help :). – Priyanshu Apr 04 '16 at 11:38
1

No, you cannot send a background image using the Basic HTTP Authentication method.

But you can display an individually styled page with some fancy grafics and a simple name / password form. After submitting the right credentials, store the user in the session. That means you have to check the session on every page.

Harald Ernst
  • 346
  • 4
  • 9