HTTP Digest Authorization is supported by PEAR::Auth_HTTP.
But, as you said, it cannot be used when safe_mode = On.

To solve this problem,
I made a simple patch, based on your suggestion, against php5 CVS HEAD.
With this patch applied, we can access $_SERVER['PHP_AUTH_DIGEST'],
which will look like:
'Digest username="taro", realm="php-users-digest", 
nonce="MTExMTkwNjQ2OA==399347e5e0e2688ede69bfe5e707e3a3",
uri="/php/auth/test_digest_simple.php", algorithm=MD5,
response="6ba162b80d63f8960c73405519cea861",
opaque="b7d192a44e0da16cd180ebe85efb7c8f", qop=auth, nc=00000001,
cnonce="082c875dcb2ca740"'.

The Digest Authentication can be performed in Auth_HTTP using this
server variable.

A utility function such as http_digest_params() to decode
parameters from $_SERVER['PHP_AUTH_DIGEST'] would also be useful
for writing the authentication code.

I hope to apply this patch to CVS HEAD if there is no objection.

Rui

On Wed, 23 Mar 2005 08:44:14 +0100
LacaK <[EMAIL PROTECTED]> wrote:

> Hi everybody,
> I am looking for somebody, who can implement HTTP Digest Authorization 
> in PHP.
> A solution, that could be useful also for many PHP users. (is more 
> secure and so more usable than Basic authorization)
> 
> "HTTP Basic Authorization" sends password only base64 encoded, and may 
> be easily stolen.
> but
> "HTTP Digest Authorization" sends password 'md5 hashed', so for other 
> script it is much harder to steal or gain it.
> 
> Wouldn't it be possible to add in PHP support the Digest Authorization
> for example in a form $_SERVER["PHP_AUTH_DIGEST"], where the header from
> HTTP Response would be added if 'Authorization: Digest ...' is used
> (similar as the 'Authorization: Basic ...' in $_SERVER["PHP_AUTH_USER"]
> and $_SERVER["PHP_AUTH_PW"] even when safe_mode=On)
> 
> 1. PHP must parse HTTP header.
> 2. When it finds Authorization: Basic then fill up
> $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]
> 3. add next condition When it finds Authorization: Digest then fill
> $_SERVER["PHP_AUTH_DIGEST"]
> (I think, that it takes only few lines of source code. Modification in
> init_request_info() function in mod_php4.c + ?)
> 
> I appended short file, where this modification is marked.
> 
> Thank you very much for your time and effort.
> Please reply. Or advise me who I should contact.
> Laco

-- 
Rui Hirokawa <[EMAIL PROTECTED]>
-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
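
Added example, not part of the original thread or of the patch: one way a script could decode $_SERVER['PHP_AUTH_DIGEST'] and check the client's response for qop=auth with MD5 as defined in RFC 2617. The function names, the password and the request method are assumptions; the field values mirror the header quoted in the message above.

```php
<?php
// Added example; function names, password and request values are constructed.

// Split 'Digest k="v", k2=v2' into an array. Escaped quotes inside values are not handled.
function example_parse_digest($header)
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;
    }
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $params = array();
    foreach ($m as $p) {
        // Group 3 holds a bare token, group 2 a quoted string.
        $params[strtolower($p[1])] = (isset($p[3]) && $p[3] !== '') ? $p[3] : $p[2];
    }
    return $params;
}

// Recompute the RFC 2617 qop=auth response and compare it in constant time.
function example_verify_digest($params, $method, $requestUri, $realm, $password)
{
    if (!is_array($params)) {
        return false;
    }
    foreach (array('username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce') as $k) {
        if (!isset($params[$k])) {
            return false;
        }
    }
    // The uri inside the digest must be the resource actually requested.
    if ($params['qop'] !== 'auth' || $params['realm'] !== $realm || $params['uri'] !== $requestUri) {
        return false;
    }
    $ha1 = md5($params['username'] . ':' . $realm . ':' . $password);
    $ha2 = md5($method . ':' . $params['uri']);
    $expected = md5(implode(':', array($ha1, $params['nonce'], $params['nc'], $params['cnonce'], 'auth', $ha2)));
    return hash_equals($expected, strtolower($params['response']));
}

// Constructed demo: the response is computed here from a made-up password.
$realm = 'php-users-digest';
$uri = '/php/auth/test_digest_simple.php';
$nonce = 'MTExMTkwNjQ2OA==399347e5e0e2688ede69bfe5e707e3a3';
$response = md5(md5("taro:$realm:example-password") . ":$nonce:00000001:082c875dcb2ca740:auth:" . md5("GET:$uri"));
$header = "Digest username=\"taro\", realm=\"$realm\", nonce=\"$nonce\", uri=\"$uri\", algorithm=MD5, "
        . "response=\"$response\", qop=auth, nc=00000001, cnonce=\"082c875dcb2ca740\"";
$params = example_parse_digest($header);
var_dump(example_verify_digest($params, 'GET', $uri, $realm, 'example-password'));
var_dump(example_verify_digest($params, 'GET', '/other/page.php', $realm, 'example-password'));
```

This check covers only the response computation; the server still has to confirm that the nonce is one it issued and is still fresh, and track nc per nonce to reject replays.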
