: This article mainly introduces DooDigestAuthphp (background) authorization management web browser Authorization. if you are interested in PHP tutorials, refer to it.
1
6 * @link http://www.doophp.com/ 7 * @copyright Copyright © 2009 Leng Sheng Hong 8 * @license http://www.doophp.com/license 9*/ 10 11/** 12 * Handles HTTP digest authentication 13 * 14 * HTTP digest authentication can be used with the URI router. 15 * HTTP digest is much more recommended over the use of HTTP Basic auth which doesn't provide any encryption. 16 * If you are running PHP on Apache in CGI/FastCGI mode, you would need to 17 * add the following line to your .htaccess for digest auth to work correctly.
18 * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
19 * 20 * This class is tested under Apache 2.2 and Cherokee web server. It should work in both mod_php and cgi mode.
21 * 22 * @author Leng Sheng Hong
23 * @version $Id: DooDigestAuth.php 1000 2009-07-7 18:27:22 24 * @package doo.auth 25 * @since 1.0 26*/ 27class DooDigestAuth{ 28 29/** 30 * Authenticate against a list of username and passwords. 31 * 32 *
HTTP Digest Authentication doesn't work with PHP in CGI mode, 33 * you have to add this into your .htaccess RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
34 * 35 * @param string $realm Name of the authentication session 36 * @param array $users An assoc array of username and password: array('uname1'=>'pwd1', 'uname2'=>'pwd2') 37 * @param string $fail_msg Message to be displayed if the User cancel the login 38 * @param string $fail_url URL to be redirect if the User cancel the login 39 * @return string The username if login success. 40*/ 41publicstaticfunction http_auth($realm, $users, $fail_msg=NULL, $fail_url=NULL){ 42$realm = "Restricted area - $realm"; 43 44//user => password 45 //$users = array('admin' => '1234', 'guest' => 'guest'); 46if(!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && strpos($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 'Digest')===0){ 47$_SERVER['PHP_AUTH_DIGEST'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; 48 } 49 50if (empty($_SERVER['PHP_AUTH_DIGEST'])) { 51header('WWW-Authenticate: Digest realm="'.$realm. 52 '",qop="auth",n>uniqid().'",opaque="'.md5($realm).'"'); 53header('HTTP/1.1 401 Unauthorized'); 54if($fail_msg!=NULL) 55die($fail_msg); 56if($fail_url!=NULL) 57die("《script》window.location.href = '$fail_url'《script》"); 58exit; 59 } 60 61// analyze the PHP_AUTH_DIGEST variable 62if (!($data = self::http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])){ 63header('WWW-Authenticate: Digest realm="'.$realm. 64 '",qop="auth",n>uniqid().'",opaque="'.md5($realm).'"'); 65header('HTTP/1.1 401 Unauthorized'); 66if($fail_msg!=NULL) 67die($fail_msg); 68if($fail_url!=NULL) 69die("《script》window.location.href = '$fail_url'《script》"); 70exit; 71 } 72 73// generate the valid response 74$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]); 75$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); 76$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); 77 78if ($data['response'] != $valid_response){ 79header('HTTP/1.1 401 Unauthorized'); 80header('WWW-Authenticate: Digest realm="'.$realm. 81 '",qop="auth",n>uniqid().'",opaque="'.md5($realm).'"'); 82if($fail_msg!=NULL) 83die($fail_msg); 84if($fail_url!=NULL) 85die("《script》window.location.href = '$fail_url'《script》"); 86exit; 87 } 88 89// ok, valid username & password 90return$data['username']; 91 } 92 93/** 94 * Method to parse the http auth header, works with IE. 95 * 96 * Internet Explorer returns a qop="xxxxxxxxxxx" in the header instead of qop=xxxxxxxxxxx as most browsers do. 97 * 98 * @param string $txt header string to parse 99 * @return array An assoc array of the digest auth session100*/101privatestaticfunction http_digest_parse($txt)102 {103$res = preg_match("/username=\"([^\"]+)\"/i", $txt, $match);104$data['username'] = (isset($match[1]))?$match[1]:null;105$res = preg_match('/n/i', $txt, $match);106$data['nonce'] = $match[1];107$res = preg_match('/nc=([0-9]+)/i', $txt, $match);108$data['nc'] = $match[1];109$res = preg_match('/cn/i', $txt, $match);110$data['cnonce'] = $match[1];111$res = preg_match('/qop=([^,]+)/i', $txt, $match);112$data['qop'] = str_replace('"','',$match[1]);113$res = preg_match('/uri=\"([^\"]+)\"/i', $txt, $match);114$data['uri'] = $match[1];115$res = preg_match('/resp/i', $txt, $match);116$data['response'] = $match[1];117return$data;118 }119120121 }
Call method:
1require_once(dirname(__FILE__)."/DooDigestAuth.php");2 DooDigestAuth::http_auth('example.com', array('admin'=>"123456789"));
PHP web authorized logon effectively prevents brute-force cracking in the background
: Http://files.cnblogs.com/files/func/DooDigestAuth.zip
The above introduces DooDigestAuth php (background) authorization management web browser authorization, including content, hope to be helpful to friends interested in PHP tutorials.