Bug #31747 SOAP Digest Authentication
Submitted: 2005-01-28 19:46 UTC Modified: 2005-02-02 13:01 UTC
From: Jared dot Williams1 at ntlworld dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5CVS-2005-01-28 (dev) OS: Windows 2000/IIS
Private report: No CVE-ID:
 [2005-01-28 19:46 UTC] Jared dot Williams1 at ntlworld dot com
This is related to

Using the php5.0-win32-200501280930 snapshot, still seem unable to use Digest Authentication against

Request Headers:
POST /tvlistings/xtvdService HTTP/1.1
Connection: Keep-Alive
User-Agent: PHP SOAP 0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:TMSWebServices:xtvdWebService#download"
Content-Length: 584
Authorization: Basic *******************

Does appear to be sending Basic authentication details, even though the service requests only digest. (Security issue).

WWW-Authenticate	Digest realm="TMSWebServiceRealm", nonce="********************************************************************************", opaque="****************", algorithm=MD5, qop="auth"

Reproduce code:
	$client = new SoapClient('xtvd.wsdl', array(
		'trace'      => 1,
		'exceptions' => 0,
		'login'      => USER,
		'password'   => PASSWORD));

	$result = $client->download(time() - 60*3, time() + 60*60*12);
	echo "<pre>\n";
	echo "Response Headers:\n", htmlspecialchars($client->__getLastResponseHeaders()), "\n";
	echo "Response:\n", htmlspecialchars($client->__getLastResponse()),"\n";
	echo "</pre>";

Expected result:
XML listings

Actual result:
Response Headers:
HTTP/1.1 100 Continue
Date: Fri, 28 Jan 2005 18:41:23 GMT
Server: Orion/2.0.2

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD><BODY><H1>401 Unauthorized</H1></BODY></HTML>


 [2005-02-02 11:39 UTC]
Fixed in CVS (HEAD and PHP_5_0).

Please verify me. I haven't login on

With the new version you can use the additional option 'authentication' => SOAP_AUTHENTICATION_DIGEST in the SoapClient constructor.

This option is not necessary, however without it SOAP will first try to login using basic authentication and then using digest authentication.
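
An added example (not part of the original report and not PHP's own code) of the check this thread implies: given a request's headers and the server's challenge, flag a Basic Authorization header sent to a server that offered only Digest. The function names and the sample header values are assumptions constructed for illustration.

```php
<?php
// Added example, not PHP's own code. Sample headers are constructed.

/** Authentication schemes offered in the WWW-Authenticate response headers. */
function offeredSchemes(string $responseHeaders): array
{
    preg_match_all('/^WWW-Authenticate:[ \t]*(.*)$/mi', $responseHeaders, $lines);
    $schemes = [];
    foreach ($lines[1] as $value) {
        // Blank out quoted strings so a comma inside realm="..." cannot start a fake challenge.
        $value = preg_replace('/"(?:[^"\\\\]|\\\\.)*"/', '""', $value);
        // A scheme is a token at the start or after a comma that is not a key=value parameter.
        preg_match_all('/(?:^|,)\s*([A-Za-z][\w-]*)(?=\s+[\w-]+=|\s*(?:,|$))/', $value, $m);
        foreach ($m[1] as $scheme) {
            $schemes[strtolower($scheme)] = true;
        }
    }
    return array_keys($schemes);
}

/** Scheme named in the request's Authorization header, or null when absent. */
function sentScheme(string $requestHeaders): ?string
{
    return preg_match('/^Authorization:[ \t]*([A-Za-z][\w-]*)/mi', $requestHeaders, $m)
        ? strtolower($m[1]) : null;
}

/** True when Basic credentials were sent although the server did not offer Basic. */
function basicSentUnoffered(string $requestHeaders, string $responseHeaders): bool
{
    return sentScheme($requestHeaders) === 'basic'
        && !in_array('basic', offeredSchemes($responseHeaders), true);
}

// Constructed exchange modeled on this report; credential and nonce are placeholders.
$request  = "POST /tvlistings/xtvdService HTTP/1.1\r\n"
          . "Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n";
$response = "HTTP/1.1 401 Unauthorized\r\n"
          . 'WWW-Authenticate: Digest realm="TMSWebServiceRealm", nonce="constructed", '
          . "algorithm=MD5, qop=\"auth\"\r\n";

var_dump(offeredSchemes($response));
var_dump(basicSentUnoffered($request, $response));
// With a live client created with 'trace' => 1, the same strings come from
// $client->__getLastRequestHeaders() and $client->__getLastResponseHeaders().
```
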
 [2005-02-02 13:01 UTC] Jared dot Williams1 at ntlworld dot com
Using php5-win32-200502021130 snapshot.

Now works, with the authentication option present, or missing.

Response Headers:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 02 Feb 2005 11:58:04 GMT
Content-Type: text/xml; charset=utf-8
Server: Orion/2.0.2

<?xml version='1.0' encoding='utf-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='' xmlns:xsd='' xmlns:xsi='' xmlns:SOAP-ENC=''>

<xtvdResponse xsi:type='ns1:xtvdResponse'>
<messages xsi:type='ns1:messages'>
Last updated: Wed Oct 07 02:01:31 2015 UTC