
If HTTP Authentication exists, why use a custom form to authenticate?

If HTTP authentication exists, like this:

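// PHP fills these from the Authorization header; they are unset on the first request.
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) &&
    $_SERVER['PHP_AUTH_USER'] === '...' &&
    $_SERVER['PHP_AUTH_PW'] === '...') {
  // Process user login.
} else {
  // Missing or wrong credentials: make the browser show its Basic auth prompt.
  header('WWW-Authenticate: Basic realm="Zone"');
  header('HTTP/1.0 401 Unauthorized');
  die("Please enter username and password.");
}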

Why are Google, Facebook, and everyone else using custom forms to perform authentication? Am I missing something here?

Answer

The PHP_AUTH_USER and PHP_AUTH_PW server variables are by default set when the server is configured with basic authentication and if the client provides credentials through an authentication header.

Sites generally don’t use basic authentication because its user experience in browsers is … horrific.

Using a login form and a POST handler that processes the form, sites can provide a user-friendly, customized login experience.

User contributions licensed under: CC BY-SA
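
The login form and POST handler the answer describes, as an added example that is not part of the original question or answer. The account `alice`, its password and the helper `credentials_ok` are constructed for illustration; a real site would read stored hashes from its user store.

```php
<?php
declare(strict_types=1);

// Constructed demo account (assumption): real sites load stored hashes from a user store.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical helper: true only if the user exists and the password matches its hash.
function credentials_ok(array $users, string $user, string $password): bool
{
    // Unknown users are checked against a dummy hash so both paths do similar work.
    $hash = $users[$user] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && isset($users[$user]);
}

session_start();
$error = '';

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Accept only string fields; array-valued parameters are treated as empty.
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (credentials_ok($users, $user, $pass)) {
        session_regenerate_id(true); // fresh session ID after login (blocks session fixation)
        $_SESSION['user'] = $user;   // later requests carry the session cookie, not the password
    } else {
        http_response_code(401);
        $error = 'Invalid username or password.';
    }
}

if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<!DOCTYPE html>
<form method="post">
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
```

Unlike Basic authentication, where the browser resends the credentials with every request, the password here crosses the wire once and the session cookie identifies the user afterwards; both approaches still need HTTPS.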