PHP Classes

PHP HTTP Basic Authentication: Handle requests that require user authentication

Version: php-httpauth 1.0.0 | License: GNU Free Document... | PHP version: 5 | Categories: HTTP, PHP 5, User Management, Security
Description
This package can handle requests that require user authentication.

It processes the current HTTP request and generates the headers that make the browser ask the user to authenticate, using either the HTTP Basic or the HTTP Digest authentication method.

Applications should extend a class provided in this package to process the different steps of authentication, such as determining whether the current user credentials are valid or generating a user session token value.

Author

Name: Kevin Muret
Country: France

Example

<?php
namespace KevinMuret\HttpAuth;

define('HTTPAUTHDIR', '../httpauth/src');
require_once HTTPAUTHDIR."/Digest.php";

class HttpAuth extends Digest {
    // List of users and passwords
    private $users_pwds = array(
        'test' => 'foobar'
    );

    // Method to check whether the user has already logged in
    // (bypasses the call to ->getSecret())
    public function isLogged(){
        return array_key_exists('logged', $_SESSION);
    }

    // Method to fetch the secret token (according to the given Digest parameters)
    public function getSecret($digest){
        // Check that the username is present, not empty and known
        return isset($digest['username']) && ($username = $digest['username'])
            && array_key_exists($username, $this->users_pwds)
            // For example, this generates the secret token to be stored in the secured application.
            ? $this->createSecret($username, $this->users_pwds[$username])
            : null;
    }
}

// Start the session before instantiating, because ->isLogged() will be called at that time
session_name("SDIGESTID");
session_start();
if (array_key_exists('auth_nonce', $_SESSION)) {
    // Authorization already started: the 'nonce' value must be re-used
    $auth = new HttpAuth(null, $_SESSION['auth_nonce'], $_SESSION['auth_secret']);
} else {
    // Otherwise initialize the session variables with a generated 'nonce' value
    $auth = new HttpAuth();
    // The session should be completely reset (e.g. other methods may be used elsewhere on the same domain)
    $_SESSION = array('auth_nonce' => $auth->nonce(), 'auth_secret' => null);
}
// Check the authentication status
switch ($auth->status){
case $auth::NOTLOGGED:
    // Make sure there is no bypass of this login system
    if (array_key_exists('logged', $_SESSION))
        unset($_SESSION['logged']);
    // Ask for authorization (HTTP code 401)
    $auth->ask();
    break;
case $auth::JUSTLOGGED:
    // Login was just made!
    $_SESSION['logged'] = $_SERVER['REQUEST_TIME'];
    $_SESSION['auth_secret'] = $auth->secret();
    // No break: intentionally falls through to LOGGED
case $auth::LOGGED: // Or previously logged!
    echo "Logged successfully !";
    break;
case $auth::FAILED:
default:
    session_destroy(); // Keep temporary files cleaner
    // A 401 code is needed to re-ask for the password (keeping the parameters)
    http_response_code(401);
    echo "Login failed !";
    break;
}


Details

Here is a set of PHP classes to handle Basic/Digest HTTP Authentication. Each class builds on the previous one: <code>DigestSess extends DigestQOP extends Digest extends Basic</code> (the leftmost is the strongest but the slowest; Basic means no security).

Tests and examples

Look at the <code>tests/</code> directory for working and commented example scripts that use <code>$_SESSION</code> with each class.

Use the following command to copy the test files to your web server, together with the accompanying <code>.htaccess</code> file, so you can test multiple URIs like <code>://localhost:80/path_to/www_*[0-9]+\.php</code> (you must have <code>bash</code>).

./copy_tests.sh path_to_webserver_directory

Quick Description

The <code>$realm</code> property can be overridden; it should describe a group/type of authorization. In <code>Basic</code> it has no impact unless you decide otherwise, but for <code>Digest</code> it does have one (the secret token is bound to it).

Use the <code>$data</code> property to add extra data when authorization is asked.

Other properties can be overridden, but you must know what you are doing. It is actually possible to use hash algorithms other than MD5 and MD5-sess, but browsers do not support them yet, if I'm not wrong.

Use the <code>->ask()</code> method to ask for authorization using the <code>header()</code> function (the script must not have produced any output before that point).

Each class can call an <code>->isLogged()</code> method (only when a <code>$secret</code> is provided, since the user is then authenticated) which determines whether the client has already logged in. It also bypasses the call to <code>->isAuthorized()</code> and, for Digest, <code>->getSecret()</code> too, because that one is called from the internally declared <code>->isAuthorized()</code> method.

The Basic class requires an <code>->isAuthorized()</code> method which must use the PHP global variables (<code>$_SERVER['PHP_AUTH_USER']</code> and <code>$_SERVER['PHP_AUTH_PW']</code>) to authenticate the client.

The Digest classes require a <code>->getSecret($digest)</code> method which receives the digest parameters as an array and retrieves from any source (e.g. a MySQL database) the secret token to be used for authentication.

The Digest classes have a <code>->createSecret($username, $pass)</code> method which generates the secret token to be stored for use with the current <code>$realm</code> of the instance. It is the same for all variants, so you can for example offer your users the choice of any of the 3 ways to authenticate without storing different secret tokens.

Also note that the <code>Digest</code> classes use an <code>http_parse_params()</code> function to parse the Digest parameters, which can be overridden by the <code>pecl_http</code> extension (not tested!).

Usage

Include the class you want to use:

require_once "src/Basic.php";

Define a class which extends one of the base classes (Basic/Digest/DigestQOP/DigestSess).

For <code>Basic</code> write a class like this:

class HttpAuth extends KevinMuret\HttpAuth\Basic {
  // Return a boolean (check whether the user has already logged in).
  public function isLogged() { /* ... */ }
  // Return a boolean (check that the user exists and the password is valid).
  public function isAuthorized() { /* ... */ }
}
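A complete script for the <code>Basic</code> variant, added here as an example and not taken from the package. It assumes the package lives in <code>../httpauth/src</code> (as in the example above) and that <code>Basic</code> exposes the <code>$status</code> property, the status constants and <code>->ask()</code> described on this page; the user table is constructed for the demo and stores password hashes rather than plaintext.

```php
<?php
// Added example: Basic HTTP authentication with hashed passwords (not the package's own code).
require_once '../httpauth/src/Basic.php';

class HttpAuth extends KevinMuret\HttpAuth\Basic {
    // Constructed demo user table; a real application reads the hashes from its user store.
    private function users() {
        static $users = null;
        if ($users === null) {
            $users = array('test' => password_hash('foobar', PASSWORD_DEFAULT));
        }
        return $users;
    }

    // Return a boolean: has this session already logged in?
    public function isLogged() {
        return isset($_SESSION['logged']);
    }

    // Return a boolean: do the credentials sent by the browser match a known user?
    public function isAuthorized() {
        if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
            return false;
        }
        $users = $this->users();
        $user  = $_SERVER['PHP_AUTH_USER'];
        if (!array_key_exists($user, $users)) {
            return false;
        }
        return password_verify($_SERVER['PHP_AUTH_PW'], $users[$user]);
    }
}

session_name('SBASICID');
session_start();
$auth = new HttpAuth('Restricted area');   // optional $realm

switch ($auth->status) {
case $auth::NOTLOGGED:
    unset($_SESSION['logged']);   // no bypass of the login system
    $auth->ask();                 // sends the 401 challenge; nothing may be output before
    break;
case $auth::JUSTLOGGED:
    session_regenerate_id(true);  // fresh session id once the user is authenticated
    $_SESSION['logged'] = $_SERVER['REQUEST_TIME'];
    // no break: the user is now logged in
case $auth::LOGGED:
    echo "Logged successfully !";
    break;
case $auth::FAILED:
default:
    session_destroy();
    http_response_code(401);
    echo "Login failed !";
    break;
}
```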

For any one of the <code>Digest</code> family write a class like this:

class HttpAuth extends KevinMuret\HttpAuth\Digest {
  // Return a boolean (check whether the user has already logged in).
  public function isLogged() { /* ... */ }
  // Return a string (retrieve the secret token for the user named by the 'username' key of the $digest array).
  public function getSecret($digest) { /* ... */ }
}

In your scripts, instantiate it this way for <code>Basic</code> (with an optional <code>$realm</code> value):

$auth = new HttpAuth($realm);

For <code>Digest</code> it is a little more sophisticated, because there are at least two more parameters that must be given once authorization has been asked. Important: on first creation (when the user has not yet been asked for authorization) <code>$secret</code> must be NULL and <code>$nonce</code> can be generated manually (if NULL or not provided, <code>uniqid()</code> is used); on the next request (when the user has just typed a username and password) only the <code>$nonce</code> must be provided, with the value generated previously for that user; on later requests the secret should be provided as well (if not, it will be retrieved again using <code>->getSecret($digest)</code>). Providing it saves work, because <code>->isLogged()</code> should be faster.

$auth = new HttpAuth($realm, $nonce, $secret);

For <code>DigestQOP</code> and <code>DigestSess</code> there is one more parameter, the request counter (it is recommended to increment it just before):

$auth = new HttpAuth($realm, $nonce, ++$nc, $secret);

For the <code>Digest</code> classes you then have to store the <code>$nonce</code> somewhere, using the <code>->nonce()</code> method to retrieve it. For the QOP and Sess variants you also have to initialize a counter (with a zero value) which is incremented and compared with the <code>$nc</code> sent by the client (this produces a different header on each request and increases security).
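The nonce and request-counter flow just described, worked through for <code>DigestQOP</code> with the state kept in <code>$_SESSION</code>. This is an added example, not code from the package: it assumes the package lives in <code>../httpauth/src</code>, that the constructor takes <code>($realm, $nonce, $nc, $secret)</code> as stated above and accepts a zero counter before the first challenge, and it generates the first nonce itself from <code>random_bytes()</code> (PHP 7+) instead of relying on <code>uniqid()</code>, which is time-based and guessable.

```php
<?php
// Added example: DigestQOP with the nonce and nc counter stored in the session (not the package's own code).
require_once '../httpauth/src/DigestQOP.php';

class HttpAuth extends KevinMuret\HttpAuth\DigestQOP {
    // Constructed demo table; a real application stores the value returned by createSecret() instead.
    private $users_pwds = array('test' => 'foobar');

    public function isLogged() {
        return isset($_SESSION['logged']);
    }

    // Return the secret token for the 'username' found in the parsed Digest parameters, or null.
    public function getSecret($digest) {
        if (empty($digest['username']) || !array_key_exists($digest['username'], $this->users_pwds)) {
            return null;
        }
        return $this->createSecret($digest['username'], $this->users_pwds[$digest['username']]);
    }
}

session_name('SDIGESTQOPID');
session_start();

if (isset($_SESSION['auth_nonce'])) {
    // Later requests: reuse the stored nonce and increment the counter just before it is compared
    // with the nc value sent by the client.
    $auth = new HttpAuth(null, $_SESSION['auth_nonce'], ++$_SESSION['auth_nc'], $_SESSION['auth_secret']);
} else {
    // First request: a fresh random nonce, a zero counter and no secret yet.
    $nonce = bin2hex(random_bytes(16));
    $auth  = new HttpAuth(null, $nonce, 0, null);
    $_SESSION = array('auth_nonce' => $nonce, 'auth_nc' => 0, 'auth_secret' => null);
}

switch ($auth->status) {
case $auth::NOTLOGGED:
    unset($_SESSION['logged']);
    $auth->ask();                                  // 401 challenge carrying realm, nonce and qop
    break;
case $auth::JUSTLOGGED:
    $_SESSION['logged']      = $_SERVER['REQUEST_TIME'];
    $_SESSION['auth_secret'] = $auth->secret();    // keep it so getSecret() is not called again
    // no break: the user is now logged in
case $auth::LOGGED:
    echo "Logged successfully !";
    break;
case $auth::FAILED:
default:
    session_destroy();                             // drops nonce, counter and secret together
    http_response_code(401);
    echo "Login failed !";
    break;
}
```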

Next you should look at the <code>$status</code> property, which can be one of these 4 constants:

  • <code>$auth::NOTLOGGED</code> Login should be asked for here.
  • <code>$auth::FAILED</code> Authentication has failed!
  • <code>$auth::JUSTLOGGED</code> Login should be started here (for <code>Digest</code> you have to store the <code>$secret</code>, using the <code>->secret()</code> method to retrieve it).
  • <code>$auth::LOGGED</code> Login was successful!

TODO


Files

File                         Role      Description
src (5 files)
tests (8 files)
copy_tests.sh                Aux.      Auxiliary data
README.md                    Doc.      Documentation

Files / src

File                         Role      Description
Basic.php                    Class     Class source
Digest.php                   Class     Class source
DigestQOP.php                Class     Class source
DigestSess.php               Class     Class source
http_parse_params.func.php   Aux.      Auxiliary script

Files / tests

File                         Role      Description
.htaccess                    Data      Auxiliary data
www_basic.php                Example   Class source
www_digest.php               Example   Class source
www_digestbis.php            Example   Class source
www_digestqop.php            Example   Class source
www_digestqopbis.php         Example   Class source
www_digestsess.php           Example   Class source
www_digestsessbis.php        Example   Class source
