1 <?php  2 /**  3  * DooDigestAuth class file.  4  *  5  * @author Leng Sheng Hong <darkredz@gmail.com>  6  * @link http://www.doophp.com/  7  * @copyright Copyright &copy; 2009 Leng Sheng Hong  8  * @license http://www.doophp.com/license  9  */ 10  11 /** 12  * Handles HTTP digest authentication 13  * 14  * <p>HTTP digest authentication can be used with the URI router. 15  * HTTP digest is much more recommended over the use of HTTP Basic auth which doesn't provide any encryption. 16  * If you are running PHP on Apache in CGI/FastCGI mode, you would need to 17  * add the following line to your .htaccess for digest auth to work correctly.</p> 18  * <code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]</code> 19  * 20  * <p>This class is tested under Apache 2.2 and Cherokee web server. It should work in both mod_php and cgi mode.</p> 21  * 22  * @author Leng Sheng Hong <darkredz@gmail.com> 23  * @version $Id: DooDigestAuth.php 1000 2009-07-7 18:27:22 24  * @package doo.auth 25  * @since 1.0 26  */ 27 class DooDigestAuth{ 28  29     /** 30      * Authenticate against a list of username and passwords. 31      * 32      * <p>HTTP Digest Authentication doesn't work with PHP in CGI mode, 33      * you have to add this into your .htaccess <code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]</code></p> 34      * 35      * @param string $realm Name of the authentication session 36      * @param array $users An assoc array of username and password: array('uname1'=>'pwd1', 'uname2'=>'pwd2') 37      * @param string $fail_msg Message to be displayed if the User cancel the login 38      * @param string $fail_url URL to be redirect if the User cancel the login 39      * @return string The username if login success. 40      */ 41     public static function http_auth($realm, $users, $fail_msg=NULL, $fail_url=NULL){ 42         $realm = "Restricted area - $realm"; 43  44         //user => password 45         //$users = array('admin' => '1234', 'guest' => 'guest'); 46         if(!empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && strpos($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 'Digest')===0){ 47             $_SERVER['PHP_AUTH_DIGEST'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; 48         } 49  50         if (empty($_SERVER['PHP_AUTH_DIGEST'])) { 51             header('WWW-Authenticate: Digest realm="'.$realm. 52                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); 53             header('HTTP/1.1 401 Unauthorized'); 54             if($fail_msg!=NULL) 55                 die($fail_msg); 56             if($fail_url!=NULL) 57                 die("<script>window.location.href = '$fail_url'</script>"); 58             exit; 59         } 60  61         // analyze the PHP_AUTH_DIGEST variable 62         if (!($data = self::http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])){ 63             header('WWW-Authenticate: Digest realm="'.$realm. 64                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); 65             header('HTTP/1.1 401 Unauthorized'); 66             if($fail_msg!=NULL) 67                 die($fail_msg); 68             if($fail_url!=NULL) 69                 die("<script>window.location.href = '$fail_url'</script>"); 70             exit; 71         } 72  73         // generate the valid response 74         $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]); 75         $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); 76         $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); 77  78         if ($data['response'] != $valid_response){ 79             header('HTTP/1.1 401 Unauthorized'); 80             header('WWW-Authenticate: Digest realm="'.$realm. 81                    '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); 82             if($fail_msg!=NULL) 83                 die($fail_msg); 84             if($fail_url!=NULL) 85                 die("<script>window.location.href = '$fail_url'</script>"); 86             exit; 87         } 88  89         // ok, valid username & password 90         return $data['username']; 91     } 92  93     /** 94      * Method to parse the http auth header, works with IE. 95      * 96      * Internet Explorer returns a qop="xxxxxxxxxxx" in the header instead of qop=xxxxxxxxxxx as most browsers do. 97      * 98      * @param string $txt header string to parse 99      * @return array An assoc array of the digest auth session100      */101     private static function http_digest_parse($txt)102     {103         $res = preg_match("/username="([^"]+)"/i", $txt, $match);104         $data['username'] = (isset($match[1]))?$match[1]:null;105         $res = preg_match('/nonce="([^"]+)"/i', $txt, $match);106         $data['nonce'] = $match[1];107         $res = preg_match('/nc=([0-9]+)/i', $txt, $match);108         $data['nc'] = $match[1];109         $res = preg_match('/cnonce="([^"]+)"/i', $txt, $match);110         $data['cnonce'] = $match[1];111         $res = preg_match('/qop=([^,]+)/i', $txt, $match);112         $data['qop'] = str_replace('"','',$match[1]);113         $res = preg_match('/uri="([^"]+)"/i', $txt, $match);114         $data['uri'] = $match[1];115         $res = preg_match('/response="([^"]+)"/i', $txt, $match);116         $data['response'] = $match[1];117         return $data;118     }119 120 121 }

1 require_once(dirname(__FILE__)."/DooDigestAuth.php");2 DooDigestAuth::http_auth('example.com', array('admin'=>"123456789"));