PHP: Using cURL with Basic HTTP Authentication.

This is a short PHP tutorial on how to use cURL to make a Basic Access Authentication request. In this post, I will show you how to configure PHP’s cURL functions to access a web resource that is protected by basic HTTP authentication.

401 Unauthorized.

If you send a cURL request to a URL that is protected by HTTP authentication, the response will probably look something like this:

401 Unauthorized: You need a valid user and password to access this content.

The issue here is that the resource is protected and you did not provide a valid username and password. As a result, the server responded with a 401 Unauthorized response.

Using the CURLOPT_USERPWD option.

To solve this, we can use the CURLOPT_USERPWD option. This option allows us to tell cURL what username and password to use while making the request.

An example of it being used:

Pretty simple, right?

In the example above, we set the username and password using the CURLOPT_USERPWD option. As a result, our cURL client will end up sending the following header:

A few notes:

  • In some cases, the resource in question might be expecting a POST request. Therefore, you might need to change the request above from a GET request to a POST request.
  • The CURLOPT_USERPWD option sends the username and password combination in a base64 format. This means that a combination of “MyUsername:MyPassword” will become “TXlVc2VybmFtZTpNeVBhc3N3b3Jk”. However, it is important to note that base64 is an encoding, not encryption: anyone who can read the request can decode it, so it does not make this request any more secure. Therefore, it is advisable that you configure both the cURL client and the server to use SSL/TLS (HTTPS). This is to prevent man-in-the-middle attacks.
  • Other options may need to be configured depending on your situation. In other words, the code above might not work “straight out of the box”.

Using CURLOPT_HTTPHEADER.

Alternatively, you can use the CURLOPT_HTTPHEADER option, which allows you to manually create headers. In the example below, we manually set the Content-Type and Authorization headers:

The code above should be used in lieu of the CURLOPT_USERPWD option.
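
Both approaches described above, in one added example (not code from the original post) that also refuses non-HTTPS URLs and keeps certificate verification on, since Basic credentials are only encoded. The function names, the example.com URL and the API_USER / API_PASS environment variables are assumptions made for illustration.

```php
<?php
// Added example; function names, URL and env variable names are hypothetical.

function basicAuthHeader(string $user, string $pass): string
{
    // Same value cURL derives from CURLOPT_USERPWD: base64("user:pass").
    return 'Authorization: Basic ' . base64_encode($user . ':' . $pass);
}

function fetchWithBasicAuth(string $url, string $user, string $pass, bool $manualHeader = false): string
{
    // Basic credentials are only encoded, so refuse anything but HTTPS.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing to send Basic credentials over a non-HTTPS URL');
    }
    // "user:pass" is split on the first colon, so a colon in the user name is ambiguous.
    if (strpos($user, ':') !== false) {
        throw new InvalidArgumentException('User name must not contain a colon');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to http://
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_FOLLOWLOCATION => false,           // do not follow redirects on an authenticated request
        CURLOPT_TIMEOUT        => 10,
    ]);

    if ($manualHeader) {
        // CURLOPT_HTTPHEADER variant: build the Authorization header ourselves.
        curl_setopt($ch, CURLOPT_HTTPHEADER, [basicAuthHeader($user, $pass)]);
    } else {
        // CURLOPT_USERPWD variant: let cURL build the header.
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
        curl_setopt($ch, CURLOPT_USERPWD, $user . ':' . $pass);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) === 401) {
        throw new RuntimeException('401 Unauthorized: credentials rejected');
    }
    return $body;
}

// Prints the Authorization header for the sample credentials used in the notes above.
echo basicAuthHeader('MyUsername', 'MyPassword'), PHP_EOL;
// echo fetchWithBasicAuth('https://example.com/protected', getenv('API_USER'), getenv('API_PASS'));
```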

Hopefully, you found this guide to be useful!
