章 34. 用 PHP 进行 HTTP 认证

PHP 的 HTTP 认证机制仅在 PHP 以 Apache 模块方式运行时才有效，因此该功能不适用于 CGI 版本。在 Apache 模块的 PHP 脚本中，可以用 header() 函数来向客户端浏览器发送“Authentication Required”信息，使其弹出一个用户名／密码输入窗口。当用户输入用户名和密码后，包含有 URL 的 PHP 脚本将会加上预定义变量 PHP_AUTH_USER，PHP_AUTH_PW 和 AUTH_TYPE 被再次调用，这三个变量分别被设定为用户名，密码和认证类型。预定义变量保存在 $_SERVER 或者 $HTTP_SERVER_VARS 数组中。支持“Basic”和“Digest”（自 PHP 5.1.0 起）认证方法。请参阅 header() 函数以获取更多信息。

PHP 版本问题: Autoglobals 全局变量，包括 $_SERVER等，自 PHP 4.1.0 起有效，$HTTP_SERVER_VARS 从 PHP 3 开始有效。

以下是在页面上强迫客户端认证的脚本范例：

例 34-1. Basic HTTP 认证范例


<?php
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
  }
?>

例 34-2. Digest HTTP 认证范例

本例演示怎样实现一个简单的 Digest HTTP 认证脚本。更多信息请参考 RFC 2617。


<?php
$realm = 'Restricted area';

//user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');


if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '" qop="auth" nonce="'.uniqid().'" opaque="'.md5($realm).'"');

    die('Text to send if user hits Cancel button');
}


// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    die('Wrong Credentials!');


// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

if ($data['response'] != $valid_response)
    die('Wrong Credentials!');

// ok, valid username & password
echo 'Your are logged in as: ' . $data['username'];


// function to parse the http auth header
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();

    preg_match_all('@(\w+)=([\'"]?)([a-zA-Z0-9=./\_-]+)\2@', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3];
        unset($needed_parts[$m[1]]);
    }

    return $needed_parts ? false : $data;
}
?>
   </programlisting>
  </example>
 </para>

 <note>
  <title>兼容性问题</title>
  <para>
   在编写 HTTP
   标头代码时请格外小心。为了对所有的客户端保证兼容性，关键字“Basic”的第一个字母必须大写为“B”，分界字符串必须用双引号（不是单引号）引用；并且在标头行
   <emphasis>HTTP/1.0 401</emphasis> 中，在 <emphasis>401</emphasis> 前必须有且仅有一个空格。
  </para>
 </note>

 <para>
  在以上例子中，仅仅只打印出了 <varname>PHP_AUTH_USER</varname> 和
  <varname>PHP_AUTH_PW</varname>
  的值，但在实际运用中，可能需要对用户名和密码的合法性进行检查。或许进行数据库的查询，或许从 dbm 文件中检索。
 </para>

 <para>
  注意有些 Internet Explorer
  浏览器本身有问题。它对标头的顺序显得似乎有点吹毛求疵。目前看来在发送
  <literal>HTTP/1.0 401</literal> 之前先发送
  <emphasis>WWW-Authenticate</emphasis> 标头似乎可以解决此问题。
 </para>

 <simpara>
  自 PHP 4.3.0
  起，为了防止有人通过编写脚本来从用传统外部机制认证的页面上获取密码，当外部认证对特定页面有效，并且&safemode;被开启时，PHP_AUTH
  变量将不会被设置。但无论如何，<varname>REMOTE_USER</varname>
  可以被用来辨认外部认证的用户，因此可以用
  <varname>$_SERVER['REMOTE_USER']</varname> 变量。
 </simpara>

 <note>
  <title>配置说明</title>
  <para>
   PHP 用是否有 <literal>AuthType</literal> 指令来判断外部认证机制是否有效。
  </para>
 </note>

 <simpara>
  注意，这仍然不能防止有人通过未认证的 URL 来从同一服务器上认证的 URL 上偷取密码。
 </simpara>
 <simpara>
  Netscape Navigator 和 Internet Explorer 浏览器都会在收到 401
  的服务端返回信息时清空所有的本地浏览器整个域的 Windows
  认证缓存。这能够有效的注销一个用户，并迫使他们重新输入他们的用户名和密码。有些人用这种方法来使登录状态“过期”，或者作为“注销”按钮的响应行为。
 </simpara>
 <para>
  <example>
    <title>强迫重新输入用户名和密码的 HTTP 认证的范例</title>
    <programlisting role="php">
<![CDATA[
<?php
  function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
  }

  if (!isset($_SERVER['PHP_AUTH_USER']) ||
      ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
   authenticate();
  }
  else {
   echo "<p>Welcome: {$_SERVER['PHP_AUTH_USER']}<br />";
   echo "Old: {$_REQUEST['OldAuth']}";
   echo "<form action='{$_SERVER['PHP_SELF']}' METHOD='post'>\n";
   echo "<input type='hidden' name='SeenBefore' value='1' />\n";
   echo "<input type='hidden' name='OldAuth' value='{$_SERVER['PHP_AUTH_USER']}' />\n";
   echo "<input type='submit' value='Re Authenticate' />\n";
   echo "</form></p>\n";
  }

该行为对于 HTTP 的 Basic 认证标准来说并不是必须的，因此不能依靠这种方法。对 Lynx 浏览器的测试表明 Lynx 在收到 401 的服务端返回信息时不会清空认证文件，因此只要对认证文件的检查要求没有变化，只要用户点击“后退”按钮，再点击“前进”按钮，其原有资源仍然能够被访问。不过，用户可以通过按“_”键来清空他们的认证信息。

同时请注意，在 PHP 4.3.3 之前，由于微软 IIS 的限制，HTTP 认证无法工作在 IIS 服务器的 CGI 模式下。为了能够使其在 PHP 4.3.3 以上版本能够工作，需要编辑 IIS 的设置“目录安全”。点击“编辑”并且只选择“匿名访问”，其它所有的复选框都应该留空。

另一个限制是在 IIS 的 ISAPI 模式下使用 PHP 4 的时候，无法使用 PHP_AUTH_* 变量，而只能使用 HTTP_AUTHORIZATION。例如，考虑如下代码：list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));。

IIS 注意事项: 要 HTTP 认证能够在 IIS 下工作，PHP 配置选项 cgi.rfc2616_headers 必须设置成 0（默认值）。

注意: 如果安全模式被激活，脚本的 UID 会被加到 WWW-Authenticate 标头的 realm 部分。

add a note User Contributed Notes

fordiman at gmail dot com
02-Aug-2007 12:07


@Whatabrain:

"[E=REMOTE_USER:%{HTTP:Authorization},L] ... didn't work. I couldn't see the variable."



Check $_SERVER['REMOTE_USER'] and $_SERVER['REDIRECT_REMOTE_USER'].  It'll be there.

gbelyh at gmail dot com
27-Jul-2007 06:48


Back to the autherisation in CGI mode. this is the full working example:



#  Create the .htaccess file with following contents:

# also you can use the condition (search at this page)

RewriteEngine on

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]



# In the beginning the script checking the authorization place the code:



$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;



$userpass = explode(":", $userpass);



if (  count($userpass) == 2  ){

     #this part work not for all.

     #print_r($userpass);die; #<- this can help find out right username and password

     list($name, $password) = explode(':', $userpass);

     $_SERVER['PHP_AUTH_USER'] = $name;

     $_SERVER['PHP_AUTH_PW'] = $password;



}

tonwyatt at yahoo dot com
24-Jul-2007 08:27


Here is my attempt to create a digest authentication class that will log the user in and out without using a cookie,session,db,or file. At the core is this simple code to parse the digest string into variables works for several browsers.

<?php

// explode the digest with multibrowser support by Tony Wyatt 21jun07

public function explodethedigest($instring) {

$quote = '"';

$equal = '=';

$comma = ',';

$space = ' ';

$a = explode( $comma, $instring);

$ax = explode($space, $a[0]);

$b = explode( $equal, $ax[1], 2);

$c = explode( $equal, $a[1], 2);

$d = explode( $equal, $a[2], 2);

$e = explode( $equal, $a[3], 2);

$f = explode( $equal, $a[4], 2);

$g = explode( $equal, $a[5], 2);

$h = explode( $equal, $a[6], 2);

$i = explode( $equal, $a[7], 2);

$j = explode( $equal, $a[8], 2);

$k = explode( $equal, $a[9], 2);

$l = explode( $equal, $a[10], 2);

$parts = array(trim($b[0])=>trim($b[1], '"'), trim($c[0])=>trim($c[1], '"'), trim($d[0])=>trim($d[1], '"'), trim($e[0])=>trim($e[1], '"'), trim($f[0])=>trim($f[1], '"'), trim($g[0])=>trim($g[1], '"'), trim($h[0])=>trim($h[1], '"'), trim($i[0])=>trim($i[1], '"'), trim($j[0])=>trim($j[1], '"'), trim($k[0])=>trim($k[1], '"'), trim($l[0])=>trim($l[1], '"'));



return $parts;

}

?>

Give it a try at http://tokko.kicks-ass.net/tests/ta1.php Log in with user test password pass or user guest password guest. Go to page two for links to the code. Comments, ideas, suggestions, or critique welcome.

Jack Bates
18-Jul-2007 08:01


In writing the HTTP auth module for the Gallery project, we discovered the following tricks for logging out with HTTP authentication:



Because most web browsers cache HTTP auth credentials, the Gallery logout link didn't work as expected after logging in with HTTP auth. Gallery correctly logged out the active user but the web browser simply logged in again with the next request.



To work around this, the HTTP auth module listens for the Gallery::Logout event and delegates to the httpauth.TryLogout page if necessary: http://gallery.svn.sourceforge.net/viewvc/gallery

/trunk/gallery2/modules/httpauth/TryLogout.inc?view=markup



The TryLogout page tries clearing the browser's authentication cache by as many tricks possible:



    * Ask browser to authenticate with bogus authtype: 



GalleryUtilities::setResponseHeader('HTTP/1.0 401 Unauthorized', false);

GalleryUtilities::setResponseHeader('WWW-Authenticate: Bogus', false);



    * Redirect with random username and password. This won't actually clear the browser's authentication cache but will replace it with an invalid username and password. Since Gallery ignores invalid HTTP auth credentials, this effectively logs the user out. 



    * Clear Internet Explorer's authentication cache with JavaScript:



 try {ldelim}

   {* http://msdn.microsoft.com/workshop/author

/dhtml/reference/constants/clearauthenticationcache.asp *}

   document.execCommand("ClearAuthenticationCache");

 {rdelim} catch (exception) {ldelim}

 {rdelim}



The TryLogout page redirects to the FinishLogout page for two resons:



   1. To replace the browser's authentication cache with an invalid username and password

   2. To check that the user was indeed logged out. If the user was logged out, the FinishLogout page redirects back to the Gallery application. Otherwise it displays a warning advising the user to manually clear their authentication cache (Clear Private Data in Firefox).



The TryLogout page redirects to the FinishLogout page using JavaScript and falls back on a manual link. It can't use a 302 Found status because the page needs to load for the Internet Explorer JavaScript to execute and because we can't put an invalid username and password in a Location: header.



http://codex.gallery2.org/Gallery2:Modules:httpauth

rovok at web dot de
03-Apr-2007 07:05


People are encouraged NOT to use register_globals, but Example 34.2. of german PHP documentation (http://de.php.net/manual/de/features.http-auth.php) uses register_globals in their example, assumed that the example is the whole script.



There is a <form> which has an <input> with type = "hidden", a name = "SeenBefore" and a value = "1". The Form is submitted by POST, so $SeenBefore should better be accessed by $_POST['SeenBefore'] instead of $SeenBefore.

Dutchdavey
16-Mar-2007 03:28


My sincere thanks to: webmaster at kratia dot com 21-Feb-2007 01:53



The principle is to not allow an invalid PHP_AUTH_USER to exist.



The following easy peasy example using Oracle is based on his simple genius:



///////////////////////////////////////////////////////////////

//

// do_html_header

//

// This function outputs the html header for the page.

//

//////////////////////////////////////////////////////////////////

function initialize_session()

{

   $err=error_reporting(0);

   $connection=oci_connect($_SERVER['PHP_AUTH_USER'],

                          $_SERVER['PHP_AUTH_PW'],$databasename) ;

   error_reporting($err);

   if (!$connection)

   {

      header('WWW-Authenticate: Basic Realm="ZEIP1"');

      header('HTTP/1.0 401 Unauthorized');

      echo "Login Cancelled';

      exit;

   }

   ..

   Normal Code..

   ..

}

Nicolas Merlet - admin(at)merletn.org
05-Mar-2007 05:37


Be careful using http digest authentication (see above, example 34.2) if you have to use the 'setlocale' function *before* validating response with the 'http_digest_parse' function, because there's a conflict with \w in the pattern of 'preg_match_all' function :



In fact, as \w is supposed to be any letter or digit or the underscore character, you must not forgot that this may vary depending on your locale configuration (eg. it accepts accented letters in french)...



Due to this different pattern interpretation by the 'preg_match_all' function, the 'http_digest_parse' function will always return a false result if you have modified your locale (I mean if your locale accepts some extended characters, see http://fr.php.net/manual/en/reference.pcre.pattern.syntax.php for further information).



IMHO, I suggest you not to use setlocale before having your authentication completed...



PS : Here's a non-compatible setlocale declaration...

setlocale ( LC_ALL, 'fr_FR', 'fr', 'FR', 'french', 'fra', 'france', 'French', 'fr_FR.ISO8859-1' ) ;

webmaster at kratia dot com
21-Feb-2007 12:53


This is the simplest form I found to do a Basic authorization with retries.



<?php



$valid_passwords = array ("mario" => "carbonell");

$valid_users = array_keys($valid_passwords);



$user = $_SERVER['PHP_AUTH_USER'];

$pass = $_SERVER['PHP_AUTH_PW'];



$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);



if (!$validated) {

  header('WWW-Authenticate: Basic realm="My Realm"');

  header('HTTP/1.0 401 Unauthorized');

  die ("Not authorized");

}



// If arrives here, is a valid user.

echo "<p>Welcome $user.</p>";

echo "<p>Congratulation, you are into the system.</p>";



?>

mg at evolution515 dot net
06-Feb-2007 12:20


Example for digest doesn't work (at least for me):



use this fix:

--------------

preg_match_all('@(\w+)=(?:(([\'"])(.+?)\3|([A-Za-z0-9/]+)))@', $txt, $matches, PREG_SET_ORDER);



foreach ($matches as $m) {

    $data[$m[1]] = $m[4] ? $m[4] : $m[5];

    unset($needed_parts[$m[1]]);

}



It's also better to but to put the Auth-Digest-Header in a function and call it on unsuccessful authentification again. Otherwise users only have the chance to submit their username/password just one time.

bleuciell at aol dot com
29-Dec-2006 08:51


For admin , i repair a fault , all is good now

Sorry for my english 



It's a piece of code , to give a piece of reflexion about simple auth , we can also cryp login and pass in db , time is here for non-replay , the code isn't finish , but it work , only for reflexion about auth mechanism



<?php

function ky( $txt,$crypt) { $key = md5($crypt); $cpt = 0; $var = "";

for ( $Ctr = 0; $Ctr < strlen($txt); $Ctr++) { if ($cpt == strlen($crypt)) $cpt = 0;

$var.= substr($txt,$Ctr,1) ^ substr($crypt,$cpt,1); $cpt++; } return $var; }



$key = "";$list = 'abcdefghijklmnopqrstuvwxyz0123456789';

for($i = 0; $i< 200; $i++) {  $key .= $list{mt_rand() % strlen($list)}; }



function cryp($txt,$key){ srand((double)microtime()*735412);  $crypt = crypt(rand(0,3895234));$cpt = 0;$var= "";

for ( $Ctr=0; $Ctr < strlen($txt); $Ctr++ ) { if ($cpt == strlen($crypt))$cpt = 0;

$var.= substr($crypt,$cpt,1).( substr($txt,$Ctr,1) ^ substr($crypt,$cpt,1) ); $cpt++; } return base64_encode(ky($var,$key) ); }



function dcryp($txt,$key){ $txt=ky(base64_decode($txt),$key);$var= "";

for ( $Ctr = 0; $Ctr < strlen($txt); $Ctr++ ) { $md5 = substr($txt,$Ctr,1);$Ctr++; $var.= (substr($txt,$Ctr,1) ^ $md5); }return $var;}



$time= time(); $user = cryp('bubu',$key); $pwd = cryp('bubu-'.$time.'',$key);



function pwd($j,$key){ $x = dcryp($j,$key); $x = explode('-',$x); return $x[0];}

function pwd2($j,$key){ $x = dcryp($j,$key); $x = explode('-',$x); return $x[1];}



function auth(){$realm="Authentification PHPindex";

Header("WWW-Authenticate: Basic realm='".$realm."'");Header("HTTP/1.0  401  Unauthorized");

echo "Vous ne pouvez accder  cette page"; }



if( !isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['PHP_AUTH_PW']) ) {auth();

} else {

if( $_SERVER['PHP_AUTH_USER'] == dcryp($user,$key) && $_SERVER['PHP_AUTH_PW'] == pwd($pwd,$key) && $time == pwd2($pwd,$key)) {



          echo '';



} else{ auth();}}



?>

Whatabrain
10-Nov-2006 03:05


Back to the problem of authenticating in CGI mode... mcbethh suggested using this to set a local variable in php:

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]



It didn't work. I couldn't see the variable. My solution is pretty round-about, but it works:



RewriteEngine on 

RewriteCond %{HTTP:Authorization} !^$ 

RewriteCond %{REQUEST_METHOD} =GET 

RewriteCond %{QUERY_STRING} ="" 

RewriteRule ^page.php$ page.php?login=%{HTTP:Authorization}$1 



This causes the Auth string to be added to the URL if there are no parameters and it's a GET request. This prevents POSTs and parameter lists from being corrupted. 



Then, in the PHP script, I store the Auth string as a session cookie.



So the only way to log in to my script is to go to the url with no parameters.

admin at isprohosting dot com
01-Nov-2006 02:21


There are .htaccess which actually works for us (cPanel + phpsuexec) unless others failed. Perhaps it may help someone.



# PHP (CGI mode) HTTP Authorization with ModRewrite:

RewriteEngine on

RewriteCond %{HTTP:Authorization} ^(.*)

RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]



Then you need small piece of php code to parse this line and then everything will work like with mod_php:



if (isset($_SERVER['HTTP_AUTHORIZATION']))

{

$ha = base64_decode( substr($_SERVER['HTTP_AUTHORIZATION'],6) );

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $ha);

unset $ha;

}



Enjoy!

SlamJam
24-Oct-2006 06:28


(Admins, please remove my last note, I missed changing a German variablename into an English expression).



I used Louis example (03-Jun-2006) and it works well for me (thanks).



However, I added some lines, to make sure, the user does only get the Authentification-Window a few times:



<?php

$realm = mt_rand( 1, 1000000000)."@YourCompany";

$_SESSION['realm'] = $realm;



// In the beginning, when the realm ist defined:

$_SESSION['CountTrials'] = 1;

?>



And then when it comes to check the authentification (ZEND-Tutorial):



<?php



// Not more than 3 Trials

if (!$auth) {

   $_SESSION['CountTrials']++;

   if ($_SESSION['CountTrials'] == 4) {   

       session_destroy() ;

       header('Location: noentry.php');

       exit ;   

   } else {

       header("WWW-Authenticate: Basic realm=".$_SESSION['realm']);

       header("HTTP/1.0 401 Unauthorized");

       echo 'Authorization Required.';

       exit;

   }

} else {

         echo '<P>You are authorized!</P>';

}

?>



noentry.php is slightely different from comeagain.php.

roychri at php dot net
11-Oct-2006 03:12


For PHP with CGI, make sure you put the rewrite rule above any other rewrite rule you might have.



In my case, I put this at the top of the .htaccess (below RewriteEngine On):

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]



My symptom was that the REMOTE_USER (or REDIRECT_REMOTE_USER in my case) was not being set at all.

The cause: I had some other RewriteRule that was kickin in and was set as LAST rule.

I hope this helps.

blah at blah dot com
27-Jul-2006 07:46


Getting PHP Authentication to work with CGI-bin.



You must have mod_rewrite installed for this to work. In the directory (of the file) you want to protect, for the .htaccess file:



# PHP (CGI mode) HTTP Authorization with ModRewrite:

# most right example with header check for non empty:

RewriteEngine on 

RewriteCond %{HTTP:Authorization}  !^$

RewriteRule ^test.php$ test.php?login=%{HTTP:Authorization} 



Change the Rewrite rule to whatever you want it to be. For simplicity, this example only applies to one file, test.php and only if the HTTP Authorization needs to take place.



In the php file:

<?

if (isset($_GET['login'])) {

    $d = base64_decode( substr($_GET['login'],6) );

    list($name, $password) = explode(':', $d);

    echo 'Name:' . $name . "<br>\n";

    echo 'Password:' . $password . "<br>\n";

} else {

   header('WWW-Authenticate: Basic realm="My Realm"');

   header('HTTP/1.0 401 Unauthorized');

   echo 'You are not authorized. Bad user, bad!';

   exit;

}

?>



You need to get rid of the first 6 characters for some reason, then decode the Auth data from its base64 format. Then it's a simple matter of extracting the data. You can even pass the data to the $_SERVER variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. These are the variables that get the login data if you have PHP running as an Apache module. This is useful for mods or plugins.

web at kwi dot dk
12-Jul-2006 05:23


While Digest authentication is still far superior to Basic authentication, there are a number of security issues that one must keep in mind.



In this respect, the Digest example given above is somewhat flawed, because the nonce never times out or otherwise become invalid. It thus becomes a password-equivalent (although to that specific URL only) and can be used by an eavesdropper to fetch the page at any time in the future, thus allowing the attacker to always access the latest version of the page, or (much worse) repeatedly invoke a CGI script -- for instance, if the user requests the URL "/filemanager?delete=somefile", the attacker can repeat this deletion at any point in the future, possibly after the file has been recreated.



And while it might not be possible to change GET data without reauthentication, cookies and POST data *can* be changed.



To protect against the first problem, the nonce can be made to include a timestamp, and a check added to ensure that nonces older than e.g. 30 minutes result in a new authentication request. 



To solve the second problem, a one-time only nonce needs to be generated -- that is, all further requests using a particular nonce must be refused.



One way to do this: When the user requests an action such as "deletefile", store a randomly generated nonce in a session variable, issue a 401 authentication challenge with that nonce, and then check against the stored value when receiving the authentication (and clear the session variable).



This way, although a possible eavesdropper receives the nonce and thus gains the ability to perform the action, he can only perform it once -- and the user was going to perform it anyway. (Only the user or the attacker, but not both, gets to perform the action, so it's safe.)



Of course, at some point, the security can only be improved by switching to HTTPS / SSL / TLS (this is for instance the only way to defend against man-in-the-middle attacks). You decide the level of security.

Louis
03-Jun-2006 10:51


I couldn't get authentication to work properly with any of the examples. Finally, I started from ZEND's tutorial example at:

http://www.zend.com/zend/tut/authentication.php?article=authentication (validate using .htpasswd) and tried to deal with the additional cases. My general conclusion is that changing the realm is the only reliable way to cause the browser to ask again, and I like to thank the person who put that example in the manual, as it got me on the right path. No matter what, the browser refuses to discard the values that it already has in mind otherwise. The problem with changing the realm, of course, is that you don't want to do it within a given session, else it causes a new request for a password. So, here goes, hopefully the spacing isn't too messed up by the cut'n'paste.



I spent the better part of a day getting this to work right. I had a very hard time thinking through what the browser does when it encounters an authentication request: seems to me that it tries to get the password, then reloads the page... so the HTML doesn't get run. At least, this was the case with IE, I haven't tested it with anything else.



<?php

session_start() ;

if (!isset($_SESSION['realm'])) {

        $_SESSION['realm'] = mt_rand( 1, 1000000000 ).

                " SECOND level: Enter your !!!COMPANY!!! password.";



        header( "WWW-Authenticate: Basic realm=".$_SESSION['realm'] );



        //  Below here runs HTML-wise only if there isn't a $_SESSION,

        // and the browser *can't* set $PHP_AUTH_USER... normally

        // the browser, having gotten the auth info, runs the page

        // again without getting here.

        //  What I'm basically getting to is that the way to get

        // here is to escape past the login screen. I tried

        // putting a session_destroy() here originally, but the

        // problem is that the PHP runs regardless, so the

        // REFRESH seems like the best way to deal with it.

        echo "<meta http-equiv=\"REFRESH\"

                content=\"0;url=index.php\">" ;

        exit;

        }



if ($_POST['logout'] == "logout") {

        session_destroy() ;

        header('Location: comeagain.php');

        exit ;

        }



// "standard" authentication code here, from the ZEND tutorial above.



comeagain.php is as follows:



<?

session_start();

unset($_SESSION['realm']);

session_destroy();

echo "<html><head><title>Logged Out</title><h1>Logout Page</h1><body>" ;

echo "You have successfully logged out of TOGEN";

echo " at ".date("h:m:s")." on ".date("d F Y") ;

echo "<p><a href=\"index.php\">Login Again</a>" ;

echo "</body></html>" ;

?>



The idea is to be able to trash the session (and thus reset the realm) without prompting the browser to ask again... because it has been redirected to logout.php.



With this combination, I get things to work. Just make sure not to have apache run htpasswd authentication at the same time, then things get really weird :-).

henrik at laurells dot net
01-Jun-2006 06:36


Above top example for digest mode dosn't work if you have safemode on. You need to add a dash and UID to the compare string to make it work. Something like this;;



$A1 = md5($data['username'].':'. 

                $realm.'-'.getmyuid().':'. 

                $users[$data['username']]);

kembl at example dot com
23-May-2006 03:06


# PHP (CGI mode) HTTP Authorization with ModRewrite: 

# most right example with header check for non empty:

 RewriteEngine on

 RewriteCond %{HTTP:Authorization}  !^$

 RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}, \

E=PHP_AUTH_USER:%{HTTP:Authorization},L]

cyberscribe at php dot net
08-May-2006 06:47


To implement the Digest authentication mentioned above in PHP < 5.1, try prepending the following:



<?php

$headers = apache_request_headers();

$_SERVER['PHP_AUTH_DIGEST'] = $headers['Authorization'];

?>



or, if you don't like the idea of modifying the global $_SERVER variable directly, just use the first line and then substitute $_SERVER['PHP_AUTH_DIGEST'] in the sample code with $headers['Authorization']. Works great.

ZyX
04-Mar-2006 12:04


Simple PHP Script to login on a Basic Authentication page.



<?php



/* Access Configuration */

define ('x401_host', 'www.example.com');

define ('x401_port', 80);

define ('x401_user', 'your_username');

define ('x401_pass', 'your_password');



/* Function */

function get401Page($file) {

   $out  = "GET $file HTTP/1.1\r\n";

   $out .= "Host: ".x401_host."t\r\n";

   $out .= "Connection: Close\r\n";

   $out .= "Authorization: Basic ".base64_encode(x401_user.":".x401_pass)."\r\n";

   $out .= "\r\n";



   if (!$conex = @fsockopen(x401_host, x401_port, $errno, $errstr, 10))

       return 0;

   fwrite($conex, $out);

   $data = '';

   while (!feof($conex)) {

       $data .= fgets($conex, 512);

   }

   fclose($conex);

   return $data;

}



/* Code */

if ($source = get401Page('/absolute/path/file.php?get=value')) {

  echo $source;

} else {

  echo "I can't connect!";

}



?>

djreficul at yahoo dot com
15-Feb-2006 10:14


Well, I think it's easy to make authentification works correctly. I use a session var to force authentication everytime a user visit the logging area.



<?php

if (!isset ($_SESSION['firstauthenticate'])) {

    session_start();

}

  function authenticate() {

    header('WWW-Authenticate: Basic realm="Sistema autentificacin UnoAutoSur"');

    header('HTTP/1_0 401 Unauthorized');

//    header("Status: 401 Access Denied"); 

    echo "Unauthorized\n";

    exit;

  }

 if (!isset($_SERVER['PHP_AUTH_USER']) || strcmp ($_SERVER['PHP_AUTH_USER'],$user)!=0 || 

      !isset ($_SERVER['PHP_AUTH_PW']) || strcmp($_SERVER['PHP_AUTH_PW'],$pass)!=0 || !isset ($_SESSION['firstauthenticate']) || !$_SESSION['firstauthenticate']) {

     $_SESSION['firstauthenticate']=true;

   authenticate();

 } else {

            //I destroy the session var now

    session_unset();

            //Your code below

 }

?>

notter at thisaddress dot com
12-Jan-2006 03:19


A better example of the solution Brian was suggesting [admins: please delete my previous post]



logout.php:



<?php

if (!isset($_GET['quit'])) { ?>

        <h4>To complete your log out, please click "OK" then "Cancel" in

        this <a href="logout.php?quit=y">log in box</a>. Do not fill in a

        password. This should clear your ID and password from the cache of your

        browser.

        <blockquote>Note: Logging in from this particular box is   

        disabled!</blockquote>

        <p>Go <a href="/">back to the site</a>.</h4>

        <?php

} else {

        header('WWW-Authenticate: Basic realm="This Realm"');

        header('HTTP/1.0 401 Unauthorized');

        // if a session was running, clear and destroy it

        session_start();

        session_unset();

        session_destroy();

        echo "<h3>Logged out!</h3><h4>Go <a href=\"/\">back to the site</a>.</h4>";

}

?>



Note: "This Realm" should be changed to precisely match the name of your realm in your main login.

marco dot moser at oltrefersina dot it
09-Jan-2006 02:29


I suggest to demand user's authentication and management to the web server (by .htaccess, ...):



1. configure a global /logon/ directory with a .htaccess file restricted access



2. use fopen wrapper:



  $hh = @fopen("http://{$_SERVER['PHP_AUTH_USER']}:{$_SERVER['PHP_AUTH_PW']}".

    @{$_SERVER['SERVER_NAME']}/logon/", "r");

  if (!$hh) authenticate(); // usual header WWW-Authenticate ...

  fclose($hh);

sezer yalcin
17-Dec-2005 09:16


none of those 'logout' methods would work well.



Even tricky ones like using cookie to reset cache.



Do not waste your time on this. 



Browsers want to keep username and password to help user anyway. Try closing the window, or telling user to restart browser.

oaev at mail dot ru
19-Oct-2005 08:26


Once more time about PHP through CGI.



Sometimes by some reasons (settings) web-server does not allow to set any environment variables through .htaccess file, so method offered by bernard dot paques at bigfoot dot com will not work.



Another way to solve this is to set some GET variable:



file .htaccess (it's just my example, maybe you can find better way):



<IfModule mod_rewrite.c>

   RewriteEngine on

   

   RewriteCond %{QUERY_STRING} ^$

   RewriteRule ([^\s]+).php$ $1.php?BAD_HOSTING=%{HTTP:Authorization}

   

   RewriteCond %{QUERY_STRING} ^(.+)$

   RewriteRule ([^\s]+).php $1.php?%1&BAD_HOSTING=%{HTTP:Authorization}

</IfModule>



a part of php file:



<?php

    if((empty($_SERVER['PHP_AUTH_USER']) or empty($_SERVER['PHP_AUTH_PW'])) and isset($_REQUEST['BAD_HOSTING']) and preg_match('/Basic\s+(.*)$/i', $_REQUEST['BAD_HOSTING'], $matc))

        list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode($matc[1]));



?>

somebody
18-Oct-2005 02:20


In the previous example it will not work in IE. In order to have a single script work on both IE and FireFox (and handle the cache problem), you need to use the $_SERVER['HTTP_USER_AGENT'] variable to know which logout version to present to the user.



An full example can be seen in the url (could not post it here due to size restrictions):



http://www.free-php.org/index.php?

cat_select=HTTP&show=HTTP_Authentication



(URL split also due to size restrictions)

niklas[dot]westerberg[at]sizeit[dot]se
07-Oct-2005 10:23


To reset the credentials stored by the browser and effectivly force reauthentication of the user, make a logout link on your page pointing to http://logout:logout@{$_SERVER['SERVER_NAME']}/nice_logout_page.php , presuming that there is no user logout with password logout.



Very simple!



Got it from http://www.webmasterworld.com/forum13/3147.htm

siberion at hotmail dot com
24-Aug-2005 04:11


I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user's sanity.



Even with Lalit's method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn't work. Here's my solution:



Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:



http://www.example.com/some_dir/login.php/auth/8f631b92/



By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.



Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.



Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.



Hope this helps somebody.

me at lalit dot org
30-Jun-2005 03:27


A very simple HTTP Authentication script that solves the logout problem. I wasted a lot of time figuring out a way to logout. This one works perfectly fine.



<?php



function auth_user() {

    $realm = mt_rand( 1, 1000000000 );

    header('WWW-Authenticate: Basic realm="Realm ID='.$realm.']"');

    header('HTTP/1.0 401 Unauthorized');

    die("Unauthorized access forbidden!");

}



if (!isset($_SERVER['PHP_AUTH_USER'])) {

    auth_user();

} else if (!isset($_SERVER['PHP_AUTH_USER'])) {

    auth_user();

} else if ($_SERVER['PHP_AUTH_USER'] != $auser || $_SERVER['PHP_AUTH_PW'] != $apass) {

    auth_user();

} else if (isset($_GET['action']) && $_GET['action'] == "logout") {

    auth_user();

}



// Normal Page Code Here

?>



Hope this helps,

Lalit

snagnever at gmail dot com
18-Jun-2005 10:39


It forces a auth each time the page is accessed:

(maybe can save someone)



<?

header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");

header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

header("Cache-Control: post-check=0, pre-check=0",false);

header("Pragma: no-cache");

session_cache_limiter("public, no-store");

session_start();



function http_auth()

{

    $_SESSION['AUTH'] = 1;

    header('HTTP/1.0 401 Unauthorized');

    header('WWW-Authenticate: Basic realm="sn4g auth system"');

    // The actions to be done when the user clicks on 'cancel'

    exit();

}



if( !isset($_SERVER['PHP_AUTH_USER']) or @$_SESSION['AUTH'] != 1 )

{

    http_auth();

    exit();

}



// Actions do be done when the user has logged



// rest, must clean the session array

$_SESSION = array();

session_destroy();

?>

aplanefan at mail dot com
26-May-2005 01:36


I found a way to log out easily

<?php

ob_start();

if (!isset($_SERVER['PHP_AUTH_USER']) || $_COOKIE['isin'] != "1") {

header('WWW-Authenticate: Basic realm="My Realm"');

header('HTTP/1.0 401 Unauthorized');

setcookie ("isin", "1");

die('<a href="orderhan.php">Login</a>');

} 

else {

if($_SERVER['PHP_AUTH_USER'] == "USER" &&  $_SERVER['PHP_AUTH_PW']== "PASSWORD") {

echo "you got in";

echo "<a href='".$_SEVER['PHP_SELF']."?action=logout'>logout</a>";

}

else {

setcookie ("isin", "", time() - 3600);

$url=$_SERVER['PHP_SELF'];

header("location: $url");

}

if($_GET['action'] == "logout") {

setcookie ("isin", "", time() - 3600);

$url=$_SERVER['PHP_SELF'];

header("location: $url");

}

}

ob_end_flush();

?>

charly at towebs dot com
29-Apr-2005 05:13


A simpler approach on the post of:

bernard dot paques at bigfoot dot com

24-Sep-2004 01:42



This is another "patch" to the PHP_AUTH_USER and PHP_AUTH_PW server variables problem running PHP as a CGI.



First of all don't forget this fragment of code in your .htaccess (it's the only thing you need to make it work with mod_rewrite):



<IfModule mod_rewrite.c>

   RewriteEngine on

   RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

</IfModule>



Then login.php



<?php

$a = base64_decode( substr($_SERVER["REMOTE_USER"],6)) ;

if ( (strlen($a) == 0) || ( strcasecmp($a, ":" )  == 0 ))

{

   header( 'WWW-Authenticate: Basic realm="Private"' );

   header( 'HTTP/1.0 401 Unauthorized' );

}

else

{

   list($name, $password) = explode(':', $a);

   $_SERVER['PHP_AUTH_USER'] = $name;

   $_SERVER['PHP_AUTH_PW']    = $password;



}



echo 'PHP_AUTH_USER =' . $_SERVER['PHP_AUTH_USER'] . '<br>';

echo 'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '<br>';

echo 'REMOTE_USER =' . $_SERVER['REMOTE_USER'] . '<br>';

?>



First, we decode the base64 encoded string discarding the first 6 characters of "Basic " and then we do a regular validation.

At the end of the script we print the variables to verify it's working. This should be ommited in the production version.



It's a variation of the script by Bernard Paques.

Thanks to him for that snippet.

lexa at toxa dot de
29-Mar-2005 08:17


/**

After many tries, I created a login/logout-mechanism, which works

with Internet Explorer (tested on IE6) and Firefox (tested on V1.0).



I've combined some of the hints given below and used a session as

a second independent memory.



check4login() has to be called on every loading of the page.

 **/



function check4login() {



    $baselink = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];



    // start a session and don't let it stop automatically:

    session_set_cookie_params(0);

    session_start();

    setcookie("PHPSESSID", session_id());



    // check if the current loading of the page is the first loading

    // after a logout:

    if ($_SESSION['logout'] != '') {

        unset($_SESSION['logout']);

        //

        // initialize a relogin on Firefox

        // (request login with username "relogin"):

        //

        // CAUTION: After that, relative hyperlinks like

        //   <a href="{$_SERVER['PHP_SELF']}">Link</a>

        // will maybe translated into an absolute hyperlink like

        //   http://relogin:relogin@...

        // which will lead to an error-message in Firefox.

        //

        // So you always have to use absolute hyperlinks like $baselink.

        //

        if (! preg_match("/MSIE/", $_SERVER['HTTP_USER_AGENT'])) {

            $link = preg_replace("/^http:\/\/(.*)$/",

                        "http://relogin:relogin@$1", $baselink);

            header("Location: $link");

            exit;

    }    }



    // check if a new realm needs to be generated because

    // it's the first loading of the page (or the first loading

    // after a logout):

    //

    // Remark: The realm is generated with some random signs,

    // because Internet Explorer will forget the username if the

    // realm changes. Unfortunately Firefox doesn't do so.

    if (! isset($_SESSION['realm'])) {

        srand();

        $_SESSION['realm'] = "My Realm      ";

        for ($i = 0; $i < 6; $i++) {

            $_SESSION['realm'] .= substr(".,:;-_'+~=", rand(0, 9), 1);

    }    }



    // check if a user has already logged in before:

    if (isset($_SESSION['user'])) {

        unset($_SESSION['login']);

        return true;

    }



    // check if a user just entered a username and password:

    //

    // is_authorized() has to return 'true' if and only if

    // the username and the passwort given are correct.

    if (isset($_SESSION['login'])) {

        if (is_authorized($_SERVER['PHP_AUTH_USER'],

                    $_SERVER['PHP_AUTH_PW'])) {

            $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];

            unset($_SESSION['login']);

            return true;

    }    }



    // let the browser ask for a username and a password:

    $_SESSION['login'] = true;

    header("WWW-Authenticate: Basic realm=\"{$_SESSION['realm']}\"");

    header("HTTP/1.0 401 Unauthorized");

    echo "You need to log in before you can access this page.";

    phpinfo();        // - for testing only

    exit;

}



function logout() {



    // to do a logout, all session-variables will be deleted,

    // a variable 'logout' is added:

    $_SESSION = array('logout' => true);

    echo "You were successfully logged out.";

    phpinfo();        // - for testing only

    exit;

}

sl at netcentrex dot net
24-Mar-2005 10:16


This forces an instant re-authentication:



// Force a logout.

function imt_logout()

{

    global $_SESSION;

    global $HTTP_SERVER_VARS;

    global $PHP_SELF;

    

    // We mark the session as requiring a re-auth

    $_SESSION['reauth-in-progress'] = 1;



    // This forces the authentication cache clearing

    header("WWW-Authenticate: Basic realm=\"My Realm\"");

    header("HTTP/1.0 401 Unauthorized");

    

    // In case of the user clicks "cancel" in the dialog box

    print '<a href="http://'.$HTTP_SERVER_VARS['HTTP_HOST'].$PHP_SELF.'">click me</a>';

    exit();

}



// Check login

function imt_login()

{

    global $_SERVER;

    global $_SESSION;

    global $REGISTERED_USERS;



    // the valid_user checks the user/password (very primitive test in this example)

    if (!valid_user($_SERVER['PHP_AUTH_USER'], $REGISTERED_USERS))

    {

        session_destroy();

        header("WWW-Authenticate: Basic realm=\"My Realm\"");

        header("HTTP/1.0 401 Unauthorized");

        exit();

    }



    // OK, the user is authenticated

    $_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];

}



Assuming that your page.php?action=logout forces a reauth on the same page, start your page with:



session_start()

if ($_REQUEST["action"] == "logout")

{

    if (isset($_SESSION['reauth-in-progress']))

    {

        session_destroy();

        header("Location: http://".$HTTP_SERVER_VARS['HTTP_HOST'].$PHP_SELF);

    }

    else

        imt_logout();

}

    

imt_login();

brian at nerdlife dot net
20-Mar-2005 03:30


My solution to the logout conondrum:

<?php

if($_GET[op] == 'logout')

{

 header('WWW-Authenticate: Basic realm="Click \'Ok\' then \'Cancel\' to Log Out"');

 header('HTTP/1.0 401 Unauthorized');

  echo 'You have been successfully logged out. Click <a href="index.php">here</a> to log back in.');

  die();

}

if(!isset($_SERVER[PHP_AUTH_USER]))

{

 header('WWW-Authenticate: Basic realm="Site Login"');

 header('HTTP/1.0 401 Unauthorized');

  echo 'You must enter a valid username and password to access this resource.';

  die();

}

else

{

 //Validate User

 //If Validated:

 echo "Welcome. <a href='index.php?op=logout'>Logout?</a>"

}

?>

I assume that if the user is reliable enough to even bother logging out, they are reliable enough to click "ok" then "cancel", thereby logging out and displaying the "logged out" message.

ernstp at winzerware dot de
09-Nov-2004 07:05


Don't like passwords at home or simply don't want access with passwords maybe told form one to another...



You make a configuration file like that:



# Passwort for special IP-Range

IP 192.168.0.

axel:PGWAiIeUxcHOg

sven:ADD1IDbsVHSEo



# Following IP works without password (Keyword 'ALL')

IP 192.168.0.4

ALL



# Passwords for the rest of the world

IP

ernst:INo9dSzfU5sRU

sven:ADD1IDbsVHSEo



<?

$path_log = "/home/ernst/.htmyway";



// Konfigurationsfile einlesen:

$file = file($path_log);



$login = FALSE;                    // Gets TRUE, when login is valid

$ip = 'world';                    // This is the currend IP while reading the configuration

$access = 'world';                // IP from configuration