"RT @SoVeryBritish: Raising your eyebrows slightly to indicate the emotional roller coaster you're currently riding"

@ashleyford 1 day ago

"@Eva_Shaughnessy works for me..."

@ashleyford 2 weeks ago

Designer and web developer, Co-founder and Technical Director at Previously I worked at Spotify, MySpace and InMobi. Contact me - ashley[at]

PHP HTTP Authentication


Occasionally you may wish to make certain pages of your site only viewable to a select few. you can do this by using PHPs built in HTTP Authentication. The code needs to go right at the top of your php page so don’t get ‘Headers Already Sent’ errors. You can see that we’ve specified the username and password in the variables at the top of the script you can change these to reflect your own username and password.

You could easily make this authentication more dynamic by checking a database for the username and password. We can get whatever the user typed into the dropdown box by specifying the following superglobals.

<?php echo $_SERVER['PHP_AUTH_USER'];?>
<?php echo $_SERVER['PHP_AUTH_PW'];?>

The Code


$config['admin_username'] = "demo";
$config['admin_password'] = "demo";

if (!($_SERVER['PHP_AUTH_USER'] == $config['admin_username'] && $_SERVER['PHP_AUTH_PW'] == $config['admin_password'])) {
    header("WWW-Authenticate: Basic realm=" Demo Admin"");
    header("HTTP/1.0 401 Unauthorized");
	echo 'This is what happens if you press cancel';
// if the username and password match show the rest of the content


Be careful when coding the HTTP header lines. In order to guarantee maximum compatibility with all browsers, the keyword “Basic” should be written with an uppercase “B”, the realm string must be enclosed in double (not single) quotes, and exactly one space should precede the 401 code in the HTTP/1.0 401 header line.


Designer and web developer, Co-founder and Technical Director at Previously I worked at Spotify, MySpace and InMobi. Contact me - ashley[at]

Comments 12
  • Erwin
    Posted on

    Erwin Erwin

    Reply Author

    Where can i download the Demo code pls…

    Ty in advance

  • DD
    Posted on

    DD DD

    Reply Author

    Wouldn’t session variables for the username and password work also?

  • Ans
    Posted on

    Ans Ans

    Reply Author

    Yes old article, but YES very helpful :)

  • Nick Yeoman
    Posted on

    Nick Yeoman Nick Yeoman

    Reply Author

    Great article! I’ll have to research this further.

  • MexiChriS
    Posted on

    MexiChriS MexiChriS

    Reply Author

    This is exactly what I’ve been looking for! Was wondering how to go about it, always had an itch for this, like I had to know what was going on ‘behind the scene’ of it all. Thanks for the write up, enjoyed it a lot! :)

    – MexiChriS

  • Thomas Scholz
    Posted on

    Thomas Scholz Thomas Scholz

    Reply Author

    If you want to work with non ASCII chars (€ä£) in usernames and passwords, you need something better.

    I’ve written a standalone class for basic authentication which does this:

  • jkochis
    Posted on

    jkochis jkochis

    Reply Author

    One thing to note is that this method does not work when running PHP as CGI. This example details a workaround if that is the case for you.

  • Phil
    Posted on

    Phil Phil

    Reply Author

    Nice, how would you use other methods other than “Basic” – eg so that the string is encoded and users reading the script cannot reverse the password?

    • Ashley
      Posted on

      Ashley Ashley

      Reply Author

      @Phil you could use and MD5 hash so when the user types in the password you take that variable, convert it into an MD5 hash then compare it to see if it’s valid. instead of that you could connect it upto a database to store your passwords.

  • Ben
    Posted on

    Ben Ben

    Reply Author

    Cool! I always wonderd how to do that, just never looked it up. Thanks.