Hi everybody,
I am looking for somebody who can implement HTTP Digest Authorization in PHP.
A solution that could also be useful for many PHP users (it is more secure and so more usable than Basic authorization).


"HTTP Basic Authorization" sends the password only base64 encoded, and it may be easily stolen,
but
"HTTP Digest Authorization" sends the password 'md5 hashed', so for another script it is much harder to steal or gain it.


Wouldn't it be possible to add support for Digest Authorization in PHP,
for example in the form $_SERVER["PHP_AUTH_DIGEST"], where the header from the HTTP
Response would be added if 'Authorization: Digest ...' is used (similar to how 'Authorization:
Basic ...' is put into $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"], even when safe_mode=On)?


1. PHP must parse the HTTP header.
2. When it finds Authorization: Basic, it fills up $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"].
3. Add the next condition: when it finds Authorization: Digest, fill $_SERVER["PHP_AUTH_DIGEST"].
(I think that it takes only a few lines of source code: a modification in the init_request_info() function in mod_php4.c + ?)


I appended a short file where this modification is marked.

Thank you very much for your time and effort.
Please reply, or advise me whom I should contact.
Laco
mod_php4.c

static void init_request_info(TSRMLS_D)
{
...
        if (r->headers_in) {
                authorization = table_get(r->headers_in, "Authorization");
        }
        SG(request_info).auth_user = NULL;
        SG(request_info).auth_password = NULL;
        if (authorization && (!PG(safe_mode) || (PG(safe_mode) && !auth_type(r)))) {
                /* read the scheme word once: getword() advances 'authorization',
                   so calling it again in the else-branch would never see "Digest" */
                char *auth_scheme = getword(r->pool, &authorization, ' ');
                /* original Basic */
                if (!strcasecmp(auth_scheme, "Basic")) {
                        tmp = uudecode(r->pool, authorization);
                        tmp_user = getword_nulls_nc(r->pool, &tmp, ':');
                        if (tmp_user) {
                                r->connection->user = pstrdup(r->connection->pool, tmp_user);
                                r->connection->ap_auth_type = "Basic";
                                SG(request_info).auth_user = estrdup(tmp_user);
                        }
                        if (tmp) {
                                SG(request_info).auth_password = estrdup(tmp);
                        }
                /* new code for Digest */
                } else if (!strcasecmp(auth_scheme, "Digest")) {
                        /* only put 'authorization' in some newly created
                           SG(request_info).auth_authorization,
                           or create $_SERVER["HTTP_AUTHORIZATION"] like the CGI
                           version of PHP under IIS,
                           or create a $_SERVER["PHP_AUTH_DIGEST"] array containing
                           elements like ["nonce"], ["qop"], ["response"], ["opaque"], ... */
                }
        }
}


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
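A parser and verifier for the proposed $_SERVER["PHP_AUTH_DIGEST"] array, as an added PHP example that is not part of the post or of PHP's source: the function names are assumed, and the sample header values are the ones from RFC 2617's own example.

```php
<?php
// Added example, not code from the post or from PHP itself: parse the value of an
// "Authorization: Digest ..." header into the array shape the post proposes for
// $_SERVER["PHP_AUTH_DIGEST"], then verify the client's response as RFC 2617 defines it.

function parse_digest_header(string $header): array {
    // Strip a leading scheme word if the caller passed the whole header value.
    $header = preg_replace('/^\s*Digest\s+/i', '', $header);
    // Each parameter is key="quoted value" or key=token, separated by commas.
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $digest = [];
    foreach ($m as $param) {
        $digest[$param[1]] = ($param[2] !== '') ? $param[2] : ($param[3] ?? '');
    }
    return $digest;
}

function expected_digest_response(array $d, string $method, string $password): string {
    // HA1 = MD5(username:realm:password), HA2 = MD5(method:uri)
    $ha1 = md5($d['username'] . ':' . $d['realm'] . ':' . $password);
    $ha2 = md5($method . ':' . $d['uri']);
    if (isset($d['qop'])) {  // qop="auth": nc and cnonce enter the hash (RFC 2617)
        return md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
    }
    return md5("$ha1:{$d['nonce']}:$ha2");  // older RFC 2069 form without qop
}

function verify_digest(array $d, string $method, string $password, string $issued_nonce): bool {
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $key) {
        if (!isset($d[$key])) {
            return false;  // malformed header: refuse rather than guess
        }
    }
    if (isset($d['qop']) && (!isset($d['nc']) || !isset($d['cnonce']))) {
        return false;  // qop requires both nc and cnonce
    }
    // Accept only a nonce this server issued, so a captured response is not replayable later.
    if (!hash_equals($issued_nonce, $d['nonce'])) {
        return false;
    }
    return hash_equals(expected_digest_response($d, $method, $password), $d['response']);
}

// Constructed request using the example values from RFC 2617 section 3.5.
$header = 'Digest username="Mufasa", realm="testrealm@host.com", '
    . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
    . 'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
$digest = parse_digest_header($header);
$ok = verify_digest($digest, 'GET', 'Circle Of Life', 'dcd98b7102dd2f0e8b11d0f600bfb0c093');
echo $ok ? "valid digest response\n" : "invalid digest response\n";
```

The server side still has to generate and track the nonce it hands out in the WWW-Authenticate challenge; the verifier above only checks that the client answered the nonce it was given.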