Skip to content

Instantly share code, notes, and snippets.

@kirilkirkov
Last active October 10, 2024 06:00
Show Gist options
  • Save kirilkirkov/74a011747111d4f8e8b8a7d7638e16e8 to your computer and use it in GitHub Desktop.
Save kirilkirkov/74a011747111d4f8e8b8a7d7638e16e8 to your computer and use it in GitHub Desktop.
Auth Digest And Basic. Digest Authentication communicates credentials in an encrypted form. Whereas Basic Authentication uses non-encrypted base64 encoding.
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
$headers = apache_request_headers(); // Also can be viewed in apache request
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
<?php
$realm = 'Restricted area';
//user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
die('Text to send if user hits Cancel button');
}
// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
!isset($users[$data['username']]))
die('Wrong Credentials!');
// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
if ($data['response'] != $valid_response)
die('Wrong Credentials!');
// ok, valid username & password
echo 'You are logged in as: ' . $data['username'];
// function to parse the http auth header
function http_digest_parse($txt)
{
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
@kirilkirkov
Copy link
Author

HTTP Digest Access Authentication
Digest Access Authentication uses the hashing(i.e digest means cut into small pieces) methodologies to generate the cryptographic result. HTTP Digest access authentication is a more complex form of authentication that works as follows:

STEP 1 : a client sends a request to a server
STEP 2 : the server responds with a special code (called a nonce i.e. number used only once), another string representing the realm(a hash) and asks the client to authenticate
STEP 3 : the client responds with this nonce and an encrypted version of the username, password and realm (a hash)
STEP 4 : the server responds with the requested information if the client hash matches their own hash of the username, password and realm, or an error if not

HTTP Basic Access Authentication

STEP 1 : the client makes a request for information, sending a username and password to the server in plain text
STEP 2 : the server responds with the desired information or an error

Basic Authentication uses base64 encoding(not encryption) for generating our cryptographic string which contains the information of username and password. HTTP Basic doesn’t need to be implemented over SSL, but if you don’t, it isn’t secure at all. So I’m not even going to entertain the idea of using it without.

@kirilkirkov
Copy link
Author

The Basic and Digest schemes are dedicated to the authentication using a username and a secret.
The Bearer scheme is dedicated to the authentication using a token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment