User Digest Authentication

  • I created an HTTP module for digest authentication. On the server, each time a page is requested, this module checks whether an "authenticate" header is present. If this header does not exist, the user receives a 401.
  • On the client side, I use the jQuery plugin to test Digest.

Here is the functionality I currently have:

  • The user enters the username and password in two input fields of the page (not in the browser's HTTP Authentication prompt).
  • With jQuery, I make an ajax call to some secure page on the server. This ajax call is based on the Digest HTTP protocol, meaning that I add an authentication header with the username, nonce count, client nonce, MD5-hashed password, etc.
  • Then the server responds with 200 :)

If the user goes to another page, he receives a "401 rejection" because there is no authentication header in that request. And that is the problem.

  • If I go with the standard Digest protocol, the browser automatically adds an Authorization header to each request, and I don't have this problem. But I use this approach because I do not want the user to fill in his credentials in the browser's HTTP Authentication dialog box. We want to have our own user dialog. In the jQuery DigestJ plugin, the header is called "authenticate" instead of "authorization", and the protocol is called DigestJ instead of Digest. Thus, I do not get the browser's HTTP dialog for entering credentials when the server responds with a 401. We cannot use authentication.
  • I can store the user credentials client-side using the jQuery session plugin, but how do I change the HTTP headers for each request? I need to add the "authenticate" header and insert the credentials from the session.
1 answer

I use basic HTTP authentication to consume REST web services from a Joomla component, and my users do not have to enter anything (they only need to log in to Joomla once). I just pick up the user who is already logged in and send it to my web service using cURL:

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// $username and $pass are the vars that will be used for authentication; you can get them
// from your session or a cookie, or in my case I got them from Joomla:
// JFactory::getUser()->username and JFactory::getUser()->password
// (note that Joomla stores the password field as a hash, so that is what gets sent here)
curl_setopt($ch, CURLOPT_USERPWD, JFactory::getUser()->username . ':' . JFactory::getUser()->password);
// here comes the important thing
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
// $url is the web service endpoint
curl_setopt($ch, CURLOPT_URL, $url);
$response = curl_exec($ch);
```

On the server side, you just need to check $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] against your database, and you're done:

```php
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] == ''
    || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW'] == '') {
    // no credentials supplied: challenge the client for Basic auth
    header('WWW-Authenticate: Basic realm="Something"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You must be a valid user to access this contents';
    exit;
} else {
    // go to your database, check they are valid and return whatever you want to return
}
```

Source: https://habr.com/ru/post/1344241/
