-5

In the book by Welling and Thomson, the following code is written:

```php
if (($_SERVER['PHP_AUTH_USER'] != 'user') ||
    ($_SERVER['PHP_AUTH_PW'] != 'pass')) {
    // visitor has not yet given details, or their
    // name and password combination are not correct
    header('WWW-Authenticate: Basic realm="Realm-Name"');
    header('HTTP/1.0 401 Unauthorized');
    echo "<h1>Go Away!</h1>
<p>You are not authorized to view this resource.</p>";
} else {
    // visitor has provided correct details
    echo "<h1>Here it is!</h1>
<p>I bet you are glad you can see this secret page.</p>";
}
```

What does `header('HTTP/1.0 401 Unauthorized')` do? I removed this line and the script worked properly.

Why did this code work without this line?

Daniyal
  • It's supposed to set a status code. Using a `HTTP/1.0` head is incorrect for most setups. It should be `Status:` normally. -- Your assessment that everything "worked properly" after removing it seems unlikely however. – mario Feb 15 '15 at 17:53
  • This code appears to function properly on my server.... what do you consider *not* working properly? – CragMonkey Feb 15 '15 at 18:06
  • @Cragmonkey I want to know why this code worked without this line? Thanks for your attention. – Daniyal Feb 15 '15 at 19:38

3 Answers

1

The HTTP 401 header tells your browser that you are not authorized to view that page, which would be the expected situation if you attempted to access a protected resource but were not logged in.

Note: ALWAYS include die(); or exit; after sending a header like that, as bots don't necessarily obey the header instructions and you want to terminate the script before they see the protected content. This goes for redirects especially.

CragMonkey
0

The HTTP header that is being sent by that command is HTTP/1.0 401 Unauthorized which tells the browser that it needs to ask for a username or password to view the page.

Debug Diva
0

header("HTTP/1.0 401 Unauthorized"); sends the 401 status code of unauthorized to the server saying that you are not permitted to view the page. Use die or exit instead of echo to stop other code from being executed.

Joshua
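An added example, not part of the question, the answers or the book's code: a hardened variant of the snippet from the question that tolerates missing credentials, compares them in constant time, sets the 401 status explicitly and stops execution. The function name `basic_auth_ok`, the constant `DEMO_USER` and the demo credentials are assumptions made for illustration. PHP itself switches the response status to 401 when a `WWW-Authenticate` header is sent, which is why the original script still prompts for a login without the `HTTP/1.0 401` line.

```php
<?php
declare(strict_types=1);

// Constructed demo user name (an assumption, mirrors the question's 'user').
const DEMO_USER = 'user';

/**
 * Return true only when both Basic-auth fields are present and match.
 * Hypothetical helper written for this example.
 */
function basic_auth_ok(array $server, string $expectedUser, string $passwordHash): bool
{
    // Both keys are absent until the browser answers the 401 challenge.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Evaluate both checks before combining them, so timing does not
    // reveal whether the name or the password was the wrong part.
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $passwordHash);
    return $userOk && $passOk;
}

// Constructed for the demo; a real deployment stores a precomputed hash
// instead of hashing a literal password on every request.
$demoHash = password_hash('pass', PASSWORD_DEFAULT);

if (!basic_auth_ok($_SERVER, DEMO_USER, $demoHash)) {
    header('WWW-Authenticate: Basic realm="Realm-Name"');
    // Redundant with PHP's automatic 401 for WWW-Authenticate, but it
    // keeps the intended status visible and independent of that behaviour.
    http_response_code(401);
    echo '<h1>Go Away!</h1><p>You are not authorized to view this resource.</p>';
    exit; // nothing below this line runs for an unauthenticated request
}

echo '<h1>Here it is!</h1><p>I bet you are glad you can see this secret page.</p>';
```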