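<?php
/**
 * DooDigestAuth class file.
 *
 * @author Leng Sheng Hong
 * @link http://www.doophp.com/
 * @copyright Copyright © 2009 Leng Sheng Hong
 * @license http://www.doophp.com/license
 */

/**
 * Handles HTTP Digest Authentication
 *
 * HTTP Digest authentication can be used with the URI router.
 * HTTP Digest is much more recommended over the use of HTTP Basic auth which doesn't provide any encryption.
 * If you are running PHP on Apache in CGI/FastCGI mode, you would need to
 * add the following line to your .htaccess for digest auth to work correctly.
 *
 *     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
 *
 * This class is tested under Apache 2.2 and Cherokee web server. It should work in both mod_php and CGI mode.
 *
 * Security notes:
 * - Digest keeps the password itself off the wire, but it does not encrypt the
 *   request or the response. Serve the protected area over HTTPS.
 * - The nonce sent in the challenge is not stored or checked on later requests,
 *   and neither "nc" nor "opaque" is verified, so a captured Authorization header
 *   can be replayed for the same method and URI.
 * - The "uri" value of the header is used for the digest but is not compared with
 *   the URI actually requested.
 * - $users holds clear-text passwords because the digest is computed from them;
 *   keep that array out of the web root and out of version control.
 * - Failed attempts are neither counted nor delayed; rate limiting has to be
 *   added in front of this class.
 *
 * @author Leng Sheng Hong
 * @version $Id: DooDigestAuth.php 2009-07-7 18:27:22
 * @package doo.auth
 * @since 1.0
 */
class DooDigestAuth{

    /**
     * Authenticate against a list of username and passwords.
     *
     * HTTP Digest Authentication doesn't work with PHP in CGI mode unless
     * you add this to your .htaccess:
     * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
     *
     * When the request carries no valid credentials a 401 challenge is sent and
     * the script ends; the method only returns on success.
     *
     * @param string $realm Name of the authentication session
     * @param array $users An assoc array of username and password: array('uname1'=>'pwd1', 'uname2'=>'pwd2')
     * @param string $fail_msg Message to be displayed if the User cancel the login
     * @param string $fail_url URL to be redirect if the User cancel the login
     * @return string The username if login success.
     */
    public static function http_auth($realm, $users, $fail_msg=NULL, $fail_url=NULL){
        // The realm is placed inside a quoted header value, so quotes and line
        // breaks are dropped. The same string is used for the challenge and for A1.
        $realm = 'Restricted area - ' . str_replace(array('"', "\r", "\n"), '', $realm);

        // user => password
        // $users = array('admin' => '1234', 'guest' => 'guest');

        // CGI/FastCGI: the rewrite rule exposes the header under this name.
        if(!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && strpos($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 'Digest')===0){
            $_SERVER['PHP_AUTH_DIGEST'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
        }

        if(empty($_SERVER['PHP_AUTH_DIGEST'])){
            self::send_challenge($realm, $fail_msg, $fail_url);
        }

        // Analyze the PHP_AUTH_DIGEST variable. An incomplete header, a qop other
        // than the one offered, or an unknown user all get the same challenge.
        $data = self::http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
        if(!$data || $data['qop']!=='auth' || !isset($users[$data['username']])){
            self::send_challenge($realm, $fail_msg, $fail_url);
        }

        // Generate the valid response
        $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
        $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

        if(!self::same_digest($valid_response, $data['response'])){
            self::send_challenge($realm, $fail_msg, $fail_url);
        }

        // OK, valid username & password
        return $data['username'];
    }

    /**
     * Sends the 401 Digest challenge and ends the script.
     *
     * The body ($fail_msg or the redirect) is what the browser shows when the
     * user cancels the login prompt.
     *
     * @param string $realm Realm string exactly as used for the digest
     * @param string $fail_msg Message to be displayed, or NULL
     * @param string $fail_url URL to redirect to, or NULL
     */
    private static function send_challenge($realm, $fail_msg, $fail_url){
        header('WWW-Authenticate: Digest realm="' . $realm .
               '",qop="auth",nonce="' . self::make_nonce() . '",opaque="' . md5($realm) . '"');
        header('HTTP/1.1 401 Unauthorized');
        if($fail_msg!=NULL)
            die($fail_msg);
        if($fail_url!=NULL){
            // $fail_url is written into markup, so it is HTML-escaped. Pass only
            // application-controlled URLs here, never request data.
            die('<meta http-equiv="refresh" content="0;url=' . htmlspecialchars($fail_url, ENT_QUOTES) . '">');
        }
        exit;
    }

    /**
     * Builds the nonce for a challenge.
     *
     * Uses random_bytes() where the PHP version has it; uniqid() alone is
     * derived from the clock and is guessable.
     *
     * @return string Hex string
     */
    private static function make_nonce(){
        if(function_exists('random_bytes')){
            return bin2hex(random_bytes(16));
        }
        return md5(uniqid(mt_rand(), true));
    }

    /**
     * Compares the expected digest with the one sent by the client.
     *
     * A loose != on two hex strings treats values such as "0e123" and "0e456"
     * as equal numbers, so the comparison is strict, and constant-time where
     * hash_equals() is available.
     *
     * @param string $expected Digest computed by the server
     * @param string $given Digest taken from the request
     * @return bool
     */
    private static function same_digest($expected, $given){
        if(!is_string($given)){
            return false;
        }
        if(function_exists('hash_equals')){
            return hash_equals($expected, $given);
        }
        return $expected === $given;
    }

    /**
     * Method to parse the HTTP Auth header, works with IE.
     *
     * Internet Explorer returns a qop="xxxxxxxxxxx" in the header instead of qop=xxxxxxxxxxx as most browsers do.
     *
     * Each field name must start the string or follow a space or comma, so that
     * "nonce" is not read out of "cnonce". "nc" is a hexadecimal counter.
     *
     * @param string $txt header string to parse
     * @return array|false An assoc array of the digest auth session, or false when a field is missing
     */
    private static function http_digest_parse($txt)
    {
        $data = array();

        foreach(array('username', 'nonce', 'cnonce', 'uri', 'response') as $field){
            if(!preg_match('/(?:^|[\s,])' . $field . '="([^"]+)"/i', $txt, $match)){
                return false;
            }
            $data[$field] = $match[1];
        }

        if(!preg_match('/(?:^|[\s,])nc=([0-9a-f]+)/i', $txt, $match)){
            return false;
        }
        $data['nc'] = $match[1];

        // qop may arrive quoted (IE) or bare.
        if(!preg_match('/(?:^|[\s,])qop="?([^",\s]+)"?/i', $txt, $match)){
            return false;
        }
        $data['qop'] = $match[1];

        return $data;
    }

}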
How to call it:
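require_once(dirname(__FILE__) . '/DooDigestAuth.php');

// Ends the request with a 401 challenge unless valid credentials were sent;
// on success the authenticated username is returned.
// 'example-realm' is a placeholder. The password below is the sample value
// from this listing and is trivially guessable: use a long random one, and
// load the user list from configuration kept outside the web root.
$username = DooDigestAuth::http_auth('example-realm', array('admin' => '123456789'));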
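PHP web authorization login to protect the admin back end against brute-force attempts. Note that the class shown above does not itself count or delay failed logins.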
Download address: http://files.cnblogs.com/files/func/DooDigestAuth.zip
The above describes DooDigestAuth, a PHP class for authorizing access to an admin back end through the web browser's HTTP Digest login. I hope it is helpful to readers interested in PHP tutorials.