php digest authentication

November 16th, 2006 by admin

some php scripts (like oscommerce) do not have an user authentication.
therefor i google a little bit and found a nice small script from Paul James (thank you paul).
this script does an http digest authentication. this digest should fit all your needs for security and can replace the silly .htaccess.
i optimized the php class a little bit and make it much easier to use.
also i add the "stale" value wich is very important for the usability.
here is how to use it.

add this to your unprotected script (just at the top)

PLAIN TEXT
PHP:
  1. require('authentication.php');
  2. $auth = new HTTPDigest();
  3. $auth->baseURL = '/';
  4. $auth->nonceLife = 60;
  5. $auth->opaque = 'give me a random string';
  6. $auth->privateKey = 'thIS is my privat3 k3Y -> change me';
  7. $auth->realm = 'please login to '.$_SERVER['SERVER_NAME'];
  8.  
  9. //add the user user/pass
  10. $auth->passwordsHashed = false;
  11. $auth->add_user('user','pass');
  12. //or (it is mostly the same, but short)
  13. //$auth->add_user('user','pass',true);
  14.  
  15. //an better way is the hashed pass
  16. // you get the hashed pass with echo $auth->crypt_pass('user','pass');
  17. // it should look like this
  18. //$auth->add_user('user','9d1414171dff4c587870eac7da3fb929');
  19.  
  20. //thats it and of cause you can add more than one user
  21. //$auth->add_user('user1','pass1');
  22. //$auth->add_user('user2','pass2');
  23.  
  24. if (!$auth->authenticate())
  25. $auth->error();
  26. echo('Logged in as '.$auth->logged_in_user);

authentication.php:

PLAIN TEXT
PHP:
  1. /*
  3. orginal script @ http://www.peej.co.uk/projects/phphttpdigest.html
  4. Copyright (c) 2005 Paul James
  5. All rights reserved.
  7. Redistribution and use in source and binary forms, with or without
  8. modification, are permitted provided that the following conditions
  9. are met:
  10. 1. Redistributions of source code must retain the above copyright
  11. notice, this list of conditions and the following disclaimer.
  12. 2. Redistributions in binary form must reproduce the above copyright
  13. notice, this list of conditions and the following disclaimer in the
  14. documentation and/or other materials provided with the distribution.
  15. 3. Neither the name of the Paul James nor the names of its contributors
  16. may be used to endorse or promote products derived from this software
  17. without specific prior written permission.
  19. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" AND
  20. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  21. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  22. ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  23. FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24. DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  25. OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  26. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27. LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  28. OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  29. SUCH DAMAGE.
  30. */
  31.  
  32. /** HTTP Digest authentication class modified by macosbrain*/
  33. class HTTPDigest
  34. {
  35. /** The Digest opaque value (any string will do, never sent in plain text over the wire).
  36. * @var str
  37. */
  38. var $opaque = 'enter a random string';
  39. /** The authentication realm name.
  40. * @var str
  41. */
  42. var $realm = 'please login';
  43. /**
  44. * flag to indicate the nonce was stale.
  45. *
  46. * @var bool
  47. */
  48. var $stale = false;
  49. /** The base URL of the application, auth data will be used for all resources under this URL.
  50. * @var str
  51. */
  52. var $baseURL = '/';
  53. /** Are passwords stored as an a1 hash (username:realm:password) rather than plain text.
  54. * @var str
  55. */
  56. var $passwordsHashed = true;
  57. /** The private key.
  58. * @var str
  59. */
  60. var $privateKey = 'please choose one';
  61. /** The life of the nonce value in seconds
  62. * @var int
  63. */
  64. var $nonceLife = 30;// the $stale option allows us to set the $nonceLife very low
  65.  
  66. function HTTPDigest()
  67. {
  68. $this->unique = $_SERVER['SERVER_SOFTWARE'].$_SERVER['HTTP_HOST'].$_SERVER['SERVER_NAME'];//not a static value
  69. }
  70.  
  71. function error()
  72. {
  73. header('HTTP/1.1 401 Unauthorized');
  74. die('User authentication is required. You must enter a valid login ID and password to access this resource or have to disable your proxy-server.');
  75. }
  76. /** Send HTTP Auth header */
  77. function send()
  78. {
  79. $str = 'WWW-Authenticate: Digest '.
  80. 'realm="'.$this->realm.'", '.
  81. 'domain="'.$this->baseURL.'", '.
  82. 'qop=auth, '.
  83. 'algorithm=MD5, '.
  84. 'nonce="'.$this->getNonce().'", '.
  85. 'opaque="'.$this->getOpaque().'"';
  86. if ($this->stale) {
  87. $str .= ', stale=true';
  88. }
  89. header($str);
  90. header('HTTP/1.0 401 Unauthorized');
  91. exit();
  92. }
  93. /** Get the HTTP Auth header
  94. * @return str
  95. */
  96. function add_user($username,$password,$hash_it=false)
  97. {
  98. if ($hash_it==true)
  99. $a1 = $this->crypt_pass($username,$password);
  100. else
  101. $a1 = $password;
  102. $this->user[$username] = $a1;
  103. }
  104.  
  105. function crypt_pass($user,$pass)
  106. {
  107. return md5($user.':'.$this->getRealm().':'.$pass);
  108. }
  109.  
  110. function getAuthHeader()
  111. {
  112. if (isset($_SERVER['Authorization']))
  113. {
  114. return $_SERVER['Authorization'];
  115. }
  116. elseif (function_exists('apache_request_headers'))
  117. {
  119. if (isset($headers['Authorization']))
  120. return $headers['Authorization'];
  121. }
  122. return NULL;
  123. }
  124. /** Authenticate the user and return username on success.
  125. * @param str[] users Array of username/password pairs
  126. * @return str
  127. */
  128. function authenticate()
  129. {
  130. $authorization = $this->getAuthHeader();
  131. if (!$authorization)
  132. {
  133. $this->send();
  134. //die('HTTP Digest headers not being passed to PHP by the server, unable to authenticate user');
  135. }
  136. if (substr($authorization, 0, 5) == 'Basic')
  137. die('You are trying to use HTTP Basic authentication but I am expecting HTTP Digest');
  138. if (preg_match('/username="([^"]+)"/', $authorization, $username) && preg_match('/nonce="([^"]+)"/', $authorization, $nonce) && preg_match('/response="([^"]+)"/', $authorization, $response) && preg_match('/opaque="([^"]+)"/', $authorization, $opaque) && preg_match('/uri="([^"]+)"/', $authorization, $uri))
  139. {
  140. $username = $username[1];
  141. $requestURI = $_SERVER['REQUEST_URI'];
  142. if (strpos($requestURI, '?') !== FALSE)
  143. { // hack for IE which does not pass querystring in URI element of Digest string or in response hash
  144. $requestURI = substr($requestURI, 0, strlen($uri[1]));
  145. }
  146. if ( isset($this->user[$username]) && $opaque[1] == $this->getOpaque() && $uri[1] == $requestURI)
  147. {
  148. if($nonce[1] != $this->getNonce())
  149. {
  150. $this->stale = true;
  151. $this->send();
  152. }
  153. $passphrase = $this->user[$username];
  154. if ($this->passwordsHashed)
  155. $a1 = $passphrase;
  156. else
  157. $a1 = $this->crypt_pass($username,$passphrase);
  158.  
  159. $a2 = md5($_SERVER['REQUEST_METHOD'].':'.$requestURI);
  160. if (preg_match('/qop="?([^,\s"]+)/', $authorization, $qop) && preg_match('/nc=([^,\s"]+)/', $authorization, $nc) && preg_match('/cnonce="([^"]+)"/', $authorization, $cnonce))
  161. $expectedResponse = md5($a1.':'.$nonce[1].':'.$nc[1].':'.$cnonce[1].':'.$qop[1].':'.$a2);
  162. else
  163. $expectedResponse = md5($a1.':'.$nonce[1].':'.$a2);
  164. if ($response[1] == $expectedResponse)
  165. {
  166. $this->logged_in_user = $username;
  167. return TRUE;
  168. }
  169. }
  170. else
  171. $this->send();
  172. }
  173. return NULL;
  174. }
  175. /** Get nonce value for HTTP Digest.
  176. * @return str
  177. */
  178. function getNonce() {
  179. $time = ceil(time() / $this->nonceLife) * $this->nonceLife;
  180. $nonce = date('Y-m-d H:i', $time).':'.$_SERVER['REMOTE_ADDR'].':'.$this->privateKey.':'.$_SERVER['HTTP_USER_AGENT'].$this->unique;
  181. return md5($nonce);
  182. }
  183. /** Get opaque value for HTTP Digest.
  184. * @return str
  185. */
  186. function getOpaque()
  187. {
  188. return md5($this->opaque.$this->unique);
  189. }
  190. /** Get realm for HTTP Digest taking PHP safe mode into account.
  191. * @return str
  192. */
  193. function getRealm()
  194. {
  195. if (ini_get('safe_mode')) {
  196. return $this->realm.'-'.getmyuid();
  197. } else {
  198. return $this->realm;
  199. }
  200. }
  201. }

Posted in coding, php |

5 Responses

  1. Al Says:
    August 24th, 2007 at 20:14

    Did you ever get it to work with safari or opera?

    Thanks..

  2. admin Says:
    August 28th, 2007 at 12:53

    i know that it works with the most common browser(ie and firefox). with a small bugfix it will also work with the opera browser.

    i don’t got a mac right here so i can not test it with the safari browser.

  3. David Hendry Says:
    November 8th, 2007 at 00:29

    Hi the script works fine with ie7 but not ie6. I think this is because the username and password and not passed in the xmlHTTPRequest which remains undefined when using ie6 resulting in the $auth error condition. Any ideas?

    Thanks

    David

  4. max Says:
    Oktober 6th, 2008 at 07:07

    hi

    I was trying to get digest authentication working on lighttpd server while processing response in javascript. But whenever server replies with 401 browser pops up login box which i dont want. Is there any way that i can get nonce & realm from server & pass it to javascript instead of browser….

  5. abhi Says:
    November 13th, 2008 at 12:24

    hi admin,

    can you let me know what the fix that will make it work with Opera? I am looking for a solution for this problem on opera.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.