From 3671b425c901ec57a48504b23aa32c3d03c59eab Mon Sep 17 00:00:00 2001 From: Nuno Lopes Date: Sun, 10 Apr 2005 09:56:39 +0000 Subject: [PATCH] document the HTTP Digest auth update the PHP_AUTH_* vars to reflect the IIS change git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@184058 c90b9560-bf6c-de11-be94-00142212c4b1 --- appendices/reserved.xml | 24 +++++++++++++---- features/http-auth.xml | 59 +++++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 10 deletions(-) diff --git a/appendices/reserved.xml b/appendices/reserved.xml index bc687ed43c..10b07a1f07 100755 --- a/appendices/reserved.xml +++ b/appendices/reserved.xml @@ -1,5 +1,5 @@ - + List of Reserved Words @@ -685,12 +685,25 @@ + + 'PHP_AUTH_DIGEST' + + + When running under Apache as module doing Digest HTTP authentication + this variable is set to the 'Authorization' header sent by the + client (which you should then use to make the appropriate + validation). + + + + 'PHP_AUTH_USER' - When running under Apache as module doing HTTP authentication this - variable is set to the username provided by the user. + When running under Apache or IIS (ISAPI on PHP 5) as module doing + HTTP authentication this variable is set to the username provided by + the user. @@ -699,8 +712,9 @@ 'PHP_AUTH_PW' - When running under Apache as module doing HTTP authentication this - variable is set to the password provided by the user. + When running under Apache or IIS (ISAPI on PHP 5) as module doing + HTTP authentication this variable is set to the password provided by + the user. diff --git a/features/http-auth.xml b/features/http-auth.xml index 561d4b6fce..88c93e8aa8 100644 --- a/features/http-auth.xml +++ b/features/http-auth.xml @@ -1,5 +1,5 @@ - + HTTP authentication with PHP 
@@ -16,9 +16,9 @@ and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER and - $HTTP_SERVER_VARS arrays. Only "Basic" authentication - is supported. See the header function for more - information. + $HTTP_SERVER_VARS arrays. Both "Basic" and "Digest" + (since PHP 5.1.0) authentication methods are supported. See the + header function for more information. @@ -37,7 +37,7 @@ - HTTP Authentication example + Basic HTTP Authentication example Hello {$_SERVER['PHP_AUTH_USER']}.

"; echo "

You entered {$_SERVER['PHP_AUTH_PW']} as your password.

"; } +?> +]]> +
+
+
+ + + + Digest HTTP Authentication example + + This example shows you how to implement a simple Digest HTTP + authentication script. For more information read the RFC 2617. + + + password +$users = array('admin' => 'mypass', 'guest' => 'guest'); + + +if (!isset($_SERVER['PHP_AUTH_DIGEST'])) { + header('HTTP/1.1 401 Unauthorized'); + header('WWW-Authenticate: Digest realm="'.$realm. + '" qop="auth" nonce="'.uniqid().'" opaque="'.md5($realm).'"'); + + die('Text to send if user hits Cancel button'); +} + +// analise the PHP_AUTH_DIGEST variable +preg_match('/username="(?P.*)",\s*realm="(?P.*)",\s*nonce="(?P.*)",\s*uri="(?P.*)",\s*response="(?P.*)",\s*opaque="(?P.*)",\s*qop=(?P.*),\s*nc=(?P.*),\s*cnonce="(?P.*)"/', $_SERVER['PHP_AUTH_DIGEST'], $digest); + +if (!isset($users[$digest['username']])) + die('Username not valid!'); + + +// generate the valid response +$A1 = md5($digest['username'] . ':' . $realm . ':' . $users[$digest['username']]); +$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$digest['uri']); +$valid_response = md5($A1.':'.$digest['nonce'].':'.$digest['nc'].':'.$digest['cnonce'].':'.$digest['qop'].':'.$A2); + +if ($digest['response'] != $valid_response) + die('Wrong Credentials!'); + +// ok, valid username & password +echo 'Your are logged in as: ' . $digest['username']; + ?> ]]>
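Review bot: The Digest example never checks that the `nonce` returned in `PHP_AUTH_DIGEST` is one this script issued, so a captured `Authorization` header keeps validating indefinitely; the `uniqid()` value is created in the 401 branch and then forgotten, and `$digest['uri']` is likewise never compared with the URI actually requested. The challenge header also omits the commas RFC 2617 requires between `realm`, `qop`, `nonce` and `opaque`, and the final comparison uses loose `!=` on two hex strings, which should be `!==` (or `hash_equals()` where available). The fence below sketches a signed, time-limited nonce plus the stricter final check; stopping replay inside that time window would still need per-nonce `nc` tracking, which requires server-side state. Separately, the distinct 'Username not valid!' and 'Wrong Credentials!' messages let a client enumerate account names, so a single failure message would be safer in a documentation example that readers will copy.

```php
// server-side secret used to sign nonces (placeholder value, choose your own)
$nonce_secret = 'REPLACE_WITH_RANDOM_SERVER_SECRET';

function make_nonce($secret) {
    $issued = time();
    return $issued . '-' . md5($issued . ':' . $secret);
}

function nonce_is_valid($nonce, $secret, $max_age = 300) {
    $parts = explode('-', $nonce, 2);
    if (count($parts) != 2 || !ctype_digit($parts[0])) {
        return false;
    }
    return $parts[1] === md5($parts[0] . ':' . $secret)
        && (time() - (int)$parts[0]) <= $max_age;
}

// in the 401 branch: parameters comma-separated, nonce signed by the server
header('WWW-Authenticate: Digest realm="'.$realm.
       '", qop="auth", nonce="'.make_nonce($nonce_secret).'", opaque="'.md5($realm).'"');

// … unchanged: preg_match() parsing, username lookup, $A1 / $A2 / $valid_response …

if (!nonce_is_valid($digest['nonce'], $nonce_secret)
    || $digest['uri'] !== $_SERVER['REQUEST_URI']
    || $digest['response'] !== $valid_response)
    die('Wrong Credentials!');
```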