features/http-auth.xml
bdf9a4e40204c805f2c2a5c94c2f2f8f5556195a
@@ -13,8 +13,8 @@
13
13
<varname>PHP_AUTH_USER</varname>, <varname>PHP_AUTH_PW</varname>,
14
14
and <varname>AUTH_TYPE</varname> set to the user name, password and
15
15
authentication type respectively. These predefined variables are found
16
-
in the <varname>$_SERVER</varname> array. Both "Basic" and "Digest"
17
-
(since PHP 5.1.0) authentication methods are supported. See the
16
+
in the <varname>$_SERVER</varname> array. <emphasis>Only</emphasis>
17
+
the "Basic" authentication method is supported. See the
18
18
<function>header</function> function for more information.
19
19
</simpara>
20
20

@@ -43,73 +43,6 @@ if (!isset($_SERVER['PHP_AUTH_USER'])) {
43
43
</example>
44
44
</para>
45
45

46
-
<para>
47
-
<example>
48
-
<title>Digest HTTP Authentication example</title>
49
-
<para>
50
-
This example shows you how to implement a simple Digest HTTP
51
-
authentication script. For more information read the <link
52
-
xlink:href="&url.rfc;2617">RFC 2617</link>.
53
-
</para>
54
-
<programlisting role="php">
55
-
<![CDATA[
56
-
<?php
57
-
$realm = 'Restricted area';
58
-

59
-
//user => password
60
-
$users = array('admin' => 'mypass', 'guest' => 'guest');
61
-

62
-

63
-
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
64
-
header('HTTP/1.1 401 Unauthorized');
65
-
header('WWW-Authenticate: Digest realm="'.$realm.
66
-
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
67
-

68
-
die('Text to send if user hits Cancel button');
69
-
}
70
-

71
-

72
-
// analyze the PHP_AUTH_DIGEST variable
73
-
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
74
-
!isset($users[$data['username']]))
75
-
die('Wrong Credentials!');
76
-

77
-

78
-
// generate the valid response
79
-
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
80
-
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
81
-
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
82
-

83
-
if ($data['response'] != $valid_response)
84
-
die('Wrong Credentials!');
85
-

86
-
// ok, valid username & password
87
-
echo 'You are logged in as: ' . $data['username'];
88
-

89
-

90
-
// function to parse the http auth header
91
-
function http_digest_parse($txt)
92
-
{
93
-
// protect against missing data
94
-
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
95
-
$data = array();
96
-
$keys = implode('|', array_keys($needed_parts));
97
-

98
-
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
99
-

100
-
foreach ($matches as $m) {
101
-
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
102
-
unset($needed_parts[$m[1]]);
103
-
}
104
-

105
-
return $needed_parts ? false : $data;
106
-
}
107
-
?>
108
-
]]>
109
-
</programlisting>
110
-
</example>
111
-
</para>
112
-

113
46
<note>
114
47
<title>Compatibility Note</title>
115
48
<para>
@@ -118,7 +51,7 @@ function http_digest_parse($txt)
118
51
uppercase "B", the realm string must be enclosed in double (not single) quotes,
119
52
and exactly one space should precede the <emphasis>401</emphasis> code in the
120
53
<emphasis>HTTP/1.0 401</emphasis> header line. Authentication parameters have
121
-
to be comma-separated as seen in the digest example above.
54
+
to be comma-separated.
122
55
</para>
123
56
</note>
124
57

@@ -138,17 +71,6 @@ function http_digest_parse($txt)
138
71
for now.
139
72
</para>
140
73

141
-
<simpara>
142
-
In order to prevent someone from writing a script which
143
-
reveals the password for a page that was authenticated through a
144
-
traditional external mechanism, the PHP_AUTH variables will not be
145
-
set if external authentication is enabled for that particular
146
-
page and &safemode; is enabled. Regardless,
147
-
<varname>REMOTE_USER</varname> can be used
148
-
to identify the externally-authenticated user. So, you can use
149
-
<varname>$_SERVER['REMOTE_USER']</varname>.
150
-
</simpara>
151
-

152
74
<note>
153
75
<title>Configuration Note</title>
154
76
<para>
@@ -223,13 +145,6 @@ if (!isset($_SERVER['PHP_AUTH_USER']) ||
223
145
be set to <literal>0</literal> (the default value).
224
146
</simpara>
225
147
</note>
226
-
<note>
227
-
<para>
228
-
If <link linkend="ini.safe-mode">safe mode</link> is enabled, the
229
-
uid of the script is added to the <literal>realm</literal> part of
230
-
the <literal>WWW-Authenticate</literal> header.
231
-
</para>
232
-
</note>
233
148

234
149
</chapter>
235
150

236
151