Bug #68380 Problem with HTTP authentication with PHP
Submitted: 2014-11-08 18:41 UTC Modified: 2014-11-11 07:50 UTC
From: thomaxz at gmail dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: Irrelevant OS: Unknown
Private report: No CVE-ID: None
 [2014-11-08 18:41 UTC] thomaxz at gmail dot com
Description:
------------
First of all, I use an online web hosting server, so I can't upgrade anything. PHP 5.3

When using Example 2 in the HTTP authentication with PHP article
it works at first, but when wrong credentials are entered, it will be wrong forever.

Which makes the user unable to log in.

Test script:
---------------
$realm = "Hurra 2";

//user => password
$users = array('tcx' => 'yesmrsir');

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {

    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header($_SERVER["SERVER_PROTOCOL"].' 401 Unauthorized');

    $txts='<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body>';
    $txts.='<h1>Forbidden</h1><p>You don\'t have permission to access ny.php on this server.</p><hr>';
    $txts.='<address>Apache Server at example.com Port 80</address></body></html>';

    die($txts);
}

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header($_SERVER["SERVER_PROTOCOL"].' 401 Unauthorized');       
    die('Wrong Credentials!');
    var_dump($_SERVER['PHP_AUTH_DIGEST']);
    
// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

if ($data['response'] != $valid_response)
    die('Wrong Credentials!');

// ok, valid username & password
echo 'You are logged in as: ' . $data['username'];


//comment reae change
// function to parse the http auth header
function http_digest_parse($txt)
{
   
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();

    preg_match_all('@(\w+)=(?:([\'"])([^$2]+)$2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
   
    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? trim($m[3],"\",'") : trim($m[4],"\",'");
        unset($needed_parts[$m[1]]);
    }
   
    return $needed_parts ? false : $data;
}

Expected result:
----------------
The user is able to re-enter credentials and then log in.

Actual result:
--------------
The script shows

"Wrong Credentials!" and does not show a new login box.

History
 [2014-11-09 00:51 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2014-11-09 00:51 UTC] requinix@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

You've made modifications to the example code so this isn't the right place to get help with it.
But I will tell you that you're (at least) missing some {}s with the "analyze the PHP_AUTH_DIGEST variable" check.
 [2014-11-11 07:43 UTC] thomaxz at gmail dot com
If I am missing some {} in the "analyze the PHP_AUTH_DIGEST" check,

then I don't understand, because it is exactly as it is written in the manual.

If so, you have a bug in your manual.
 [2014-11-11 07:50 UTC] requinix@php.net
> it its exactly as it is written in the manual.
No. It most certainly is not.

Your code is

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header($_SERVER["SERVER_PROTOCOL"].' 401 Unauthorized');       
    die('Wrong Credentials!');
    var_dump($_SERVER['PHP_AUTH_DIGEST']);

The manual's code is

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    die('Wrong Credentials!');
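The check with the braces the second reply points out, carried through so that every failed attempt re-issues the challenge (what the reporter expected), as an added example that is not code from the bug report or the PHP manual; `send_challenge()` is a hypothetical helper, and the parser's regex is rewritten because the manual's `[^$2]` is a plain character class, not a backreference.

```php
<?php
// Added example, not the bug report's or the manual's code. Without braces an `if`
// governs only the next statement, so the report's 401 header and die() run always.
$realm = "Hurra 2";
$users = array('tcx' => 'yesmrsir');   // user => password, as in the report

// Hypothetical helper: re-issue the Digest challenge with a fresh nonce so the
// browser shows a new login box, then stop.
function send_challenge($realm)
{
    header('WWW-Authenticate: Digest realm="' . $realm .
           '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
    die('Wrong Credentials!');
}

// Parse the Digest header; quoted and bare values get separate regex branches
// because a backreference cannot be used inside a character class.
function http_digest_parse($txt)
{
    $needed = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1,
                    'username' => 1, 'uri' => 1, 'response' => 1);
    $data = array();
    preg_match_all('@(\w+)=(?:"([^"]*)"|\'([^\']*)\'|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // unmatched trailing groups are absent from $m, middle ones are ''
        $data[$m[1]] = isset($m[4]) ? $m[4] : ($m[3] !== '' ? $m[3] : $m[2]);
        unset($needed[$m[1]]);
    }
    return $needed ? false : $data;     // false if a required field is missing
}
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    send_challenge($realm);             // first visit: no credentials yet
}

// analyze the PHP_AUTH_DIGEST variable: every statement is now inside the braces
$data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
if (!$data || !isset($users[$data['username']])) {
    send_challenge($realm);             // unparsable header or unknown user
}
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
                      $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
if ($data['response'] !== $valid_response) {
    send_challenge($realm);             // wrong password: offer a new login box
}
echo 'You are logged in as: ' . $data['username'];
```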
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 30 15:01:23 2021 UTC