NTLM Authentication — Get Windows login, domain and host in PHP

I am working on a Single Sign-On (SSO) PHP application.
Users log in their Windows session, and they want to be automatically logged in the application with their Windows account (connected with LDAP Active Directory).

I tried this script :

This script is working on this configuration :

• Windows server 2003
• Apache 2.2 with module mod_auth_sspi

But now I need to implement this on this configuration and it does not work :

• Windows server 2008
• Apache 2.4.6 with module mod_authnz_sspi

I keep getting «NTLM Flag error!», because of this condition :

because ord($chained64[13]) returns 130, but I can not go in this condition :

Because ord($chained64<8>) always returns 1.

I tried executing the ‘whoami’ command in php, like this : echo exec(‘whoami’); -> when I execute this command in cmd.exe, I get the current logged user, but when I execute it in PHP, I get nt_authority/system.

I supposed that when PHP executes the ‘whoami’ command, Windows checks the login of Apache service. I went into Apache properties, in the ‘Log On’ tab, to log on as a valid user of the Active Directory. But then, when PHP executes echo exec(‘whoami’); , I only get the login used for Apache, and not the current user.

I am using Internet Explorer 8 to execute the PHP script.

I have this in my Apache httpd.conf ( _PATH_ is the path to my php files, maybe this is wrong ?) :

Options None AllowOverride All Order allow,deny Allow from all AuthName «SSPI Protected Place» AuthType SSPI SSPIAuth On SSPIAuthoritative On SSPIOfferBasic On SSPIOmitDomain On Require valid-user

I am logged as a domain user on the machine

When I try with Firefox, I get a prompt for a login and a password. When I post the prompt, the script gets the login from the prompt, but this is not what I want to do : I have to get this to work with IE, and I don’t want to type again login and password. I want the login of the current Windows session.

In Firefox, I went into about:config to set network.automatic-ntlm-auth.trusted-uris to my domain, thanks to @ThaDafinser. Now I do not get a prompt anymore in Firefox and everything works, but I always need to make it work on IE.

In IE, I set Local Intranet Security to the lowest, but nothing changed.

In IE, «Automatic logon with current user name and password» is checked for Local Intranet & Trusted Sites.

When I force IE to ask credentials in a prompt, if I post the prompt, IE does not return the credentials, contrary to Firefox.

I added the URL to trusted sites in IE, nothing changed.

I set security to low for trusted sites, nothing changed.

I unchecked «Use HTTP 1.1 through proxy connections» in IE > Internet Options > Advanced, I still can not have session informations on Internet Explorer, even if I use the prompt.

I added the full URL in Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced

In Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced, I also added the same part of the domain (mycompany.com) than I have added in Firefox to make it work, but this did not help.

Changed my httpd.conf to be compatible with Apache 2.4, according to what @timclutton said in his answer :

I tried to set a basic authentication intead of SSPI and it does not work.

AuthType Basic AuthName «Authentication Required» AuthUserFile «E:/PATH/.htpasswd» Require valid-user

HTTP-аутентификация в PHP

Возможно использовать функцию header() для отправки сообщения «Authentication Required» браузеру, заставив его показать окошко для ввода логина и пароля. Как только пользователь заполнит логин и пароль, ссылка, содержащая PHP-скрипт будет вызвана ещё раз с предопределёнными переменными PHP_AUTH_USER , PHP_AUTH_PW и AUTH_TYPE , установленными в логин, пароль и тип аутентификации соответственно. Эти предопределённые переменные хранятся в массиве $_SERVER . Поддерживаются оба типа: «Basic» и «Digest» (начиная с версии PHP 5.1.0). Подробнее смотрите функцию header() .

Пример фрагмента скрипта, который вынуждает клиента авторизоваться для просмотра страницы:

Пример #1 Пример Basic HTTP-аутентификации

Пример #2 Пример Digest HTTP-аутентификации

Это пример реализации простого скрипта Digest HTTP-аутентификации. За подробностями обращайтесь к » RFC 2617.

//user => password
$users = array( ‘admin’ => ‘mypass’ , ‘guest’ => ‘guest’ );

if (empty( $_SERVER [ ‘PHP_AUTH_DIGEST’ ])) <
header ( ‘HTTP/1.1 401 Unauthorized’ );
header ( ‘WWW-Authenticate: Digest realm=»‘ . $realm .
‘»,qop=»auth»,nonce=»‘ . uniqid (). ‘»,opaque=»‘ . md5 ( $realm ). ‘»‘ );

die( ‘Текст, отправляемый в том случае, если пользователь нажал кнопку Cancel’ );
>

// анализируем переменную PHP_AUTH_DIGEST
if (!( $data = http_digest_parse ( $_SERVER [ ‘PHP_AUTH_DIGEST’ ])) ||
!isset( $users [ $data [ ‘username’ ]]))
die( ‘Неправильные данные!’ );

// генерируем корректный ответ
$A1 = md5 ( $data [ ‘username’ ] . ‘:’ . $realm . ‘:’ . $users [ $data [ ‘username’ ]]);
$A2 = md5 ( $_SERVER [ ‘REQUEST_METHOD’ ]. ‘:’ . $data [ ‘uri’ ]);
$valid_response = md5 ( $A1 . ‘:’ . $data [ ‘nonce’ ]. ‘:’ . $data [ ‘nc’ ]. ‘:’ . $data [ ‘cnonce’ ]. ‘:’ . $data [ ‘qop’ ]. ‘:’ . $A2 );

if ( $data [ ‘response’ ] != $valid_response )
die( ‘Неправильные данные!’ );

// все хорошо, логин и пароль верны
echo ‘Вы вошли как: ‘ . $data [ ‘username’ ];

// функция разбора заголовка http auth
function http_digest_parse ( $txt )
<
// защита от отсутствующих данных
$needed_parts = array( ‘nonce’ => 1 , ‘nc’ => 1 , ‘cnonce’ => 1 , ‘qop’ => 1 , ‘username’ => 1 , ‘uri’ => 1 , ‘response’ => 1 );
$data = array();
$keys = implode ( ‘|’ , array_keys ( $needed_parts ));

preg_match_all ( ‘@(‘ . $keys . ‘)=(?:([\'»])([^\2]+?)\2|([^\s,]+))@’ , $txt , $matches , PREG_SET_ORDER );

foreach ( $matches as $m ) <
$data [ $m [ 1 ]] = $m [ 3 ] ? $m [ 3 ] : $m [ 4 ];
unset( $needed_parts [ $m [ 1 ]]);
>

return $needed_parts ? false : $data ;
>
?>

Замечание: Замечание касательно совместимости

Будьте особенно внимательны при указании HTTP-заголовков. Для того, чтобы гарантировать максимальную совместимость с наибольшим количеством различных клиентов, слово «Basic» должно быть написано с большой буквы «B», регион (realm) должен быть взят в двойные (не одинарные!) кавычки, и ровно один пробел должен предшествовать коду 401 в заголовке HTTP/1.0 401. Параметры аутентификации должны разделяться запятыми, как это было показано в примере Digest аутентификации выше.

Вместо простого отображения на экране переменных PHP_AUTH_USER и PHP_AUTH_PW , вам, возможно, понадобится проверить их корректность. Используйте для этого запрос к базе данных или поиск пользователя в dbm-файле.

Вы можете пронаблюдать особенности работы браузера Internet Explorer. Он очень требователен к параметру передаваемых заголовков. Трюк с указанием заголовка WWW-Authenticate перед отправкой статуса HTTP/1.0 401 пока что работает для него.

Замечание: Замечание касательно конфигурации

PHP использует указание директивы AuthType для указания того, используется внешняя аутентификация или нет.

Следует заметить, что все вышесказанное не предотвращает похищения паролей к страницам, требующим авторизацию, кем-либо, кто контролирует страницы без авторизации, расположенные на том же сервере.

И Netscape Navigator и Internet Explorer очищают кеш аутентификации текущего окна для заданного региона (realm) при получении от сервера статуса 401. Это может использоваться для реализации принудительного выхода пользователя и повторного отображения диалогового окна для ввода имени пользователя и пароля. Некоторые разработчики используют это для ограничения авторизации по времени или для предоставления кнопки «Выход».

Пример #3 Пример HTTP-аутентификации с принудительным вводом новой пары логин/пароль

function authenticate () <
header ( ‘WWW-Authenticate: Basic realm=»Test Authentication System»‘ );
header ( ‘HTTP/1.0 401 Unauthorized’ );
echo «Вы должны ввести корректный логин и пароль для получения доступа к ресурсу \n» ;
exit;
>

Добро пожаловать: » . htmlspecialchars ( $_SERVER [ ‘PHP_AUTH_USER’ ]) . «
» ;
echo «Предыдущий логин: » . htmlspecialchars ( $_REQUEST [ ‘OldAuth’ ]);
echo «

Это поведение не регламентируется стандартами HTTP Basic -аутентификации, следовательно, вы не должны зависеть от этого. Тестирование браузера Lynx показало, что Lynx не очищает кеш авторизации при получении от сервера статуса 401, и, нажав последовательно «Back», а затем «Forward» возможно открыть такую страницу, при условии, что требуемые атрибуты авторизации не изменились. Однако, пользователь может нажать клавишу ‘_’ для очистки кеша аутентификации.

Для того, чтобы добиться корректной работы HTTP-аутентификации в IIS сервере с CGI версией PHP, вы должны отредактировать конфигурационную настройку IIS под названием » Directory Security «. Щёлкните на надписи » Edit » и установите опцию » Anonymous Access «, все остальные поля должны остаться неотмеченными.

Замечание: Замечание касательно IIS:
Для того, чтобы HTTP-аутентификация корректно работала в IIS, в конфигурации PHP-опция cgi.rfc2616_headers должна быть установлена значением 0 (значение по умолчанию).

User Contributed Notes 44 notes

Workaround for missing Authorization header under CGI/FastCGI Apache:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header.

This is the simplest form I found to do a Basic authorization with retries.

= array ( «mario» => «carbonell» );
$valid_users = array_keys ( $valid_passwords );

$user = $_SERVER [ ‘PHP_AUTH_USER’ ];
$pass = $_SERVER [ ‘PHP_AUTH_PW’ ];

if (! $validated ) <
header ( ‘WWW-Authenticate: Basic realm=»My Realm»‘ );
header ( ‘HTTP/1.0 401 Unauthorized’ );
die ( «Not authorized» );
>

// If arrives here, is a valid user.
echo «

Congratulation, you are into the system.

In case of CGI/FastCGI you would hot be able to access PHP_AUTH* info because CGI protocol does not declare such variables (that is why their names start from PHP) and server would not pass them to the interpreter. In CGI server should authenticate user itself and pass REMOTE_USER to CGI script after it.

So you need to «fetch» request headers and pass them to your script somehow.

In apache you can do it via environment variables if mod_env is installed.

Following construction in .htaccess copies request header «Authorization» to the env variable PHP_AUTH_DIGEST_RAW

SetEnvIfNoCase ^Authorization$ «(.+)» PHP_AUTH_DIGEST_RAW=$1

You can now access it via $_ENV.

Do not forget to strip auth type («Digest» in my case) from your env variable because PHP_AUTH_DIGEST does not have it.

If mod_env is not installed you probably have mod_rewrite (everyone has it because of «human readable URLs»).

You can fetch header and pass it as GET parameter using rewrite rule:

RewriteRule ^.*$ site.php?PHP_AUTH_DIGEST_RAW=% [NC,L]

Here HTTP request header Authorization would be acessible as PHP_AUTH_DIGEST_RAW via $_GET.

—
If you use ZF you probably use Zend_Auth_Adapter_Http to auth user.

It takes Authorization info using «Zend_Controller_Request::getHeader»
This method uses apache_request_header which is likely not to be accessible in old CGI/FastCGI installations or _$_SERVER[‘HTTP_ ] , so you need to put your authentication data, obtained via _GET or ENV to
_$_SERVER[‘HTTP_AUTHORIZATION’].
It will make ZF work transparently with you solution and I believe any other framework should work also

Simpler WorkAround for missing Authorization header under CGI/FastCGI available in Apache HTTP Server 2.4.13 and later

Please don’t enable Authorization header with Basic Authentication, is very insecure.

a link to http://logout:logout@ [ ‘HTTP_HOST’ ]; ?> /SECRET/ would force a fresh login for the /SECRET directory if no user logout with password logout exists.

[NOTE BY danbrown AT php DOT net: The following note was added by «Anonymous» on 01-APR-2010 (though we presume it’s not an April Fool’s Day joke).]

this logout method does not work 100% anymore, because of another bulls**t from M$:
http://support.microsoft.com/kb/834489

Good day.
Sorry for my english.
This example shows programming «LOGIN», «LOGOUT» and «RE-LOGIN».
This script must use in the protected pages.
For work this script the browser address string must be following:
«http://localhost/admin/?login» — for Login,
«http://localhost/admin/?logout» — for Logout,
«http://localhost/admin/?logout&login» — for Re-Login.
();

you have logged!

I came up with another approach to work around the problem of browsers caching WWW authentication credentials and creating logout problems. While most browsers have some kind of way to wipe this information, I prefer having my website to take care of the task instead of relying on the user’s sanity.

Even with Lalit’s method of creating a random realm name, it was still possible to get back into the protected area using the back button in Firefox, so that didn’t work. Here’s my solution:

Since browsers attach the credentials to specific URLs, use virtual paths where a component of the path is actually a PHP script, and everything following it is part of the URI, such as:

By choosing a different number for the last component of the URL, browsers can be tricked into thinking that they are dealing with a completely different website, and thus prompting the user for credentials again.

Note that using a random, unrestricted number will still allow the user to hit the back button to get back into the page. You should keep track of this number in a server-side file or database and regenerate it upon each successful login, so that the last number(s) become invalid. Using an invalid number might result in a 403 response or, depending on how you feel that day, a 302 to a nasty website.

Care should be taken when linking from the page generated in this case, since relative links will be relative to the virtual and non-existant directory rather than the true script directory.

Be careful using http digest authentication (see above, example 34.2) if you have to use the ‘setlocale’ function *before* validating response with the ‘http_digest_parse’ function, because there’s a conflict with \w in the pattern of ‘preg_match_all’ function :

In fact, as \w is supposed to be any letter or digit or the underscore character, you must not forgot that this may vary depending on your locale configuration (eg. it accepts accented letters in french).

Due to this different pattern interpretation by the ‘preg_match_all’ function, the ‘http_digest_parse’ function will always return a false result if you have modified your locale (I mean if your locale accepts some extended characters, see http://fr.php.net/manual/en/reference.pcre.pattern.syntax.php for further information).

IMHO, I suggest you not to use setlocale before having your authentication completed.

PS : Here’s a non-compatible setlocale declaration.
setlocale ( LC_ALL, ‘fr_FR’, ‘fr’, ‘FR’, ‘french’, ‘fra’, ‘france’, ‘French’, ‘fr_FR.ISO8859-1’ ) ;

Note that Microsoft has released a ‘security update’ which disables the use of username:password@host in http urls.

The methods described above which rely on this will no longer work in Microsoft browsers, sadly.

You can re-enable this functionality as described at

but your users will probably be unwilling to do this.

There are .htaccess which actually works for us (cPanel + phpsuexec) unless others failed. Perhaps it may help someone.

# PHP (CGI mode) HTTP Authorization with ModRewrite:
RewriteEngine on
RewriteCond % ^(.*)
RewriteRule ^(.*) — [E=HTTP_AUTHORIZATION:%1]

Then you need small piece of php code to parse this line and then everything will work like with mod_php:

if (isset($_SERVER[‘HTTP_AUTHORIZATION’]))
<
$ha = base64_decode( substr($_SERVER[‘HTTP_AUTHORIZATION’],6) );
list($_SERVER[‘PHP_AUTH_USER’], $_SERVER[‘PHP_AUTH_PW’]) = explode(‘:’, $ha);
unset $ha;
>

Back to the autherisation in CGI mode. this is the full working example:

# Create the .htaccess file with following contents:
# also you can use the condition (search at this page)
RewriteEngine on
RewriteRule .* — [E=REMOTE_USER:%,L]

# In the beginning the script checking the authorization place the code:

$userpass = explode(«:», $userpass);

if ( count($userpass) == 2 ) <
#this part work not for all.
#print_r($userpass);die; #

To force a logout with Basic Auth, you can change the Realm out from under them to a different Realm.

This forces a new set of credentials for a new «Realm» on your server.

You just need to track the Realm name with the user/pass and change it around to something new/random as they log in and out.

I believe that this is the only 100% guaranteed way to get a logout in HTTP Basic Auth, and if it were part of the docs a whole lot of BAD user-contributed comments here could be deleted.

Some servers won’t support the HTTP1.0 specification and will give an error 500 (for instance). This happened with a server where I uploaded an authentication script.

If it happens, you can try the HTTP1.1 header syntax :

( «WWW-Authenticate: Basic realm=\»My Realm\»» );
header ( ‘status: 401 Unauthorized’ );
?>

A simpler approach on the post of:
bernard dot paques at bigfoot dot com
24-Sep-2004 01:42

This is another «patch» to the PHP_AUTH_USER and PHP_AUTH_PW server variables problem running PHP as a CGI.

First of all don’t forget this fragment of code in your .htaccess (it’s the only thing you need to make it work with mod_rewrite):

= base64_decode ( substr ( $_SERVER [ «REMOTE_USER» ], 6 )) ;
if ( ( strlen ( $a ) == 0 ) || ( strcasecmp ( $a , «:» ) == 0 ))
<
header ( ‘WWW-Authenticate: Basic realm=»Private»‘ );
header ( ‘HTTP/1.0 401 Unauthorized’ );
>
else
<
list( $name , $password ) = explode ( ‘:’ , $a );
$_SERVER [ ‘PHP_AUTH_USER’ ] = $name ;
$_SERVER [ ‘PHP_AUTH_PW’ ] = $password ;

echo ‘PHP_AUTH_USER =’ . $_SERVER [ ‘PHP_AUTH_USER’ ] . ‘
‘ ;
echo ‘PHP_AUTH_PW =’ . $_SERVER [ ‘PHP_AUTH_PW’ ] . ‘
‘ ;
echo ‘REMOTE_USER =’ . $_SERVER [ ‘REMOTE_USER’ ] . ‘
‘ ;
?>

First, we decode the base64 encoded string discarding the first 6 characters of «Basic » and then we do a regular validation.
At the end of the script we print the variables to verify it’s working. This should be ommited in the production version.

It’s a variation of the script by Bernard Paques.
Thanks to him for that snippet.

= ‘test_login’ ;
$pass = ‘test_pass’ ;

if(( $_SERVER [ ‘PHP_AUTH_PW’ ]!= $pass || $_SERVER [ ‘PHP_AUTH_USER’ ] != $login )|| ! $_SERVER [ ‘PHP_AUTH_USER’ ])
<
header ( ‘WWW-Authenticate: Basic realm=»Test auth»‘ );
header ( ‘HTTP/1.0 401 Unauthorized’ );
echo ‘Auth failed’ ;
exit;
>
?>

For PHP with CGI, make sure you put the rewrite rule above any other rewrite rule you might have.

In my case, I put this at the top of the .htaccess (below RewriteEngine On):
RewriteRule .* — [E=REMOTE_USER:%]

My symptom was that the REMOTE_USER (or REDIRECT_REMOTE_USER in my case) was not being set at all.
The cause: I had some other RewriteRule that was kickin in and was set as LAST rule.
I hope this helps.

The regex in http_digest_parse from Example #2 does not work for me (PHP 5.2.6), because back references are not allowed in a character class. This worked for me:

// function to parse the http auth header
function http_digest_parse ( $txt )
<
// protect against missing data
$needed_parts = array( ‘nonce’ => 1 , ‘nc’ => 1 , ‘cnonce’ => 1 , ‘qop’ => 1 , ‘username’ => 1 , ‘uri’ => 1 , ‘response’ => 1 );
$data = array();

foreach ( $matches as $m ) <
$data [ $m [ 1 ]] = $m [ 2 ] ? $m [ 2 ] : ( $m [ 3 ] ? $m [ 3 ] : $m [ 4 ]);
unset( $needed_parts [ $m [ 1 ]]);
>

return $needed_parts ? false : $data ;
>

I used Louis example (03-Jun-2006) and it works well for me (thanks).

However, I added some lines, to make sure, the user does only get the Authentification-Window a few times:

= mt_rand ( 1 , 1000000000 ). «@YourCompany» ;
$_SESSION [ ‘realm’ ] = $realm ;

// In the beginning, when the realm ist defined:
$_SESSION [ ‘CountTrials’ ] = 1 ;
?>

And then when it comes to check the authentification (ZEND-Tutorial):

// Not more than 3 Trials
if (! $auth ) <
$_SESSION [ ‘CountTrials’ ]++;
if ( $_SESSION [ ‘CountTrials’ ] == 4 ) <
session_destroy () ;
header ( ‘Location: noentry.php’ );
exit ;
> else <
header ( «WWW-Authenticate: Basic realm=» . $_SESSION [ ‘realm’ ]);
header ( «HTTP/1.0 401 Unauthorized» );
echo ‘Authorization Required.’ ;
exit;
>
> else <
echo ‘

You are authorized!

‘ ;
>
?>

noentry.php is slightely different from comeagain.php.

It forces a auth each time the page is accessed:
(maybe can save someone)

Here is my attempt to create a digest authentication class that will log the user in and out without using a cookie,session,db,or file. At the core is this simple code to parse the digest string into variables works for several browsers.
// explode the digest with multibrowser support by Tony Wyatt 21jun07
public function explodethedigest ( $instring ) <
$quote = ‘»‘ ;
$equal = ‘=’ ;
$comma = ‘,’ ;
$space = ‘ ‘ ;
$a = explode ( $comma , $instring );
$ax = explode ( $space , $a [ 0 ]);
$b = explode ( $equal , $ax [ 1 ], 2 );
$c = explode ( $equal , $a [ 1 ], 2 );
$d = explode ( $equal , $a [ 2 ], 2 );
$e = explode ( $equal , $a [ 3 ], 2 );
$f = explode ( $equal , $a [ 4 ], 2 );
$g = explode ( $equal , $a [ 5 ], 2 );
$h = explode ( $equal , $a [ 6 ], 2 );
$i = explode ( $equal , $a [ 7 ], 2 );
$j = explode ( $equal , $a [ 8 ], 2 );
$k = explode ( $equal , $a [ 9 ], 2 );
$l = explode ( $equal , $a [ 10 ], 2 );
$parts = array( trim ( $b [ 0 ])=> trim ( $b [ 1 ], ‘»‘ ), trim ( $c [ 0 ])=> trim ( $c [ 1 ], ‘»‘ ), trim ( $d [ 0 ])=> trim ( $d [ 1 ], ‘»‘ ), trim ( $e [ 0 ])=> trim ( $e [ 1 ], ‘»‘ ), trim ( $f [ 0 ])=> trim ( $f [ 1 ], ‘»‘ ), trim ( $g [ 0 ])=> trim ( $g [ 1 ], ‘»‘ ), trim ( $h [ 0 ])=> trim ( $h [ 1 ], ‘»‘ ), trim ( $i [ 0 ])=> trim ( $i [ 1 ], ‘»‘ ), trim ( $j [ 0 ])=> trim ( $j [ 1 ], ‘»‘ ), trim ( $k [ 0 ])=> trim ( $k [ 1 ], ‘»‘ ), trim ( $l [ 0 ])=> trim ( $l [ 1 ], ‘»‘ ));

return $parts ;
>
?>
Give it a try at http://www.creativetheory.ca/ /tests/ta1.php Log in with user test password pass or user guest password guest. Go to page two for links to the code. Comments, ideas, suggestions, or critique welcome.

To anybody who tried the digest example above and didn’t get it to work.

For me the problem seemed to be the deprecated use of ‘\’ (backslash) in the regex instead of the ‘$’ (Dollar) to indicate a backreference. Also the results have to be trimmed off the remaining double and single quotes.

Here’s the working example:

// function to parse the http auth header
function http_digest_parse($txt)
<

// protect against missing data
$needed_parts = array(‘nonce’=>1, ‘nc’=>1, ‘cnonce’=>1, ‘qop’=>1, ‘username’=>1, ‘uri’=>1, ‘response’=>1);
$data = array();

foreach ($matches as $m) <
$data[$m[1]] = $m[3] ? trim($m[3],»\»,'») : trim($m[4],»\»,'»);
unset($needed_parts[$m[1]]);
>

return $needed_parts ? false : $data;
>

Probably there’s a more sophisticated way to trim the quotes within the regex, but I couldn’t be bothered 🙂

I tried example 7, and at first I couldn’t get it to work. It took me a while to spot that somewhere along the line, probably by the server, a seemingly random number was being added to the realm — so the valid_result variable wasn’t calculated using the correct realm.

To get around this, or any similar problems, make the following changes to the example:

Around line 43 (44 if after next step 😉 ):
$needed_parts = array(‘nonce’=>1, ‘nc’=>1, ‘cnonce’=>1, ‘qop’=>1, ‘username’=>1, ‘uri’=>1, ‘response’=>1, ‘realm’=>1);

Before line 24:
$realm = $data[‘realm’];

These two steps get the real realm used for the authentication request, and substitute it into the «valid_response» query.

Hope this helps 🙂

To get it to work with IIS try using this code before setting your «$auth = 0» and the «if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW))»

The only effective way I’ve found to wipe out the PHP_AUTH_DIGEST or PHP_AUTH_USER AND PHP_AUTH_PW credentials is to call the header HTTP/1.1 401 Unauthorized.

function clear_admin_access() <
header(‘HTTP/1.1 401 Unauthorized’);
die(‘Admin access turned off’);
>

Well, I think it’s easy to make authentification works correctly. I use a session var to force authentication everytime a user visit the logging area.

if (!isset ( $_SESSION [ ‘firstauthenticate’ ])) <
session_start ();
>
function authenticate () <
header ( ‘WWW-Authenticate: Basic realm=»Sistema autentificaci?n UnoAutoSur»‘ );
header ( ‘HTTP/1_0 401 Unauthorized’ );
// header(«Status: 401 Access Denied»);
echo «Unauthorized\n» ;
exit;
>
if (!isset( $_SERVER [ ‘PHP_AUTH_USER’ ]) || strcmp ( $_SERVER [ ‘PHP_AUTH_USER’ ], $user )!= 0 ||
!isset ( $_SERVER [ ‘PHP_AUTH_PW’ ]) || strcmp ( $_SERVER [ ‘PHP_AUTH_PW’ ], $pass )!= 0 || !isset ( $_SESSION [ ‘firstauthenticate’ ]) || ! $_SESSION [ ‘firstauthenticate’ ]) <
$_SESSION [ ‘firstauthenticate’ ]= true ;
authenticate ();
> else <
//I destroy the session var now
session_unset ();
//Your code below
>
?>

You shouldn’t use the «last» («L») directive in the RewriteRule! This will prevent all further rewrite rules to be skipped whenever a Basic or Digest Auth is given, which is almost certainly not what you want.

So the following lines are sufficient for the .htaccess (or httpd.conf) file:

RewriteEngine On
RewriteRule .* — [E=HTTP_AUTHORIZATION:%]

I couldn’t get authentication to work properly with any of the examples. Finally, I started from ZEND’s tutorial example at:
http://www.zend.com/zend/tut/authentication.php?article=authentication (validate using .htpasswd) and tried to deal with the additional cases. My general conclusion is that changing the realm is the only reliable way to cause the browser to ask again, and I like to thank the person who put that example in the manual, as it got me on the right path. No matter what, the browser refuses to discard the values that it already has in mind otherwise. The problem with changing the realm, of course, is that you don’t want to do it within a given session, else it causes a new request for a password. So, here goes, hopefully the spacing isn’t too messed up by the cut’n’paste.

I spent the better part of a day getting this to work right. I had a very hard time thinking through what the browser does when it encounters an authentication request: seems to me that it tries to get the password, then reloads the page. so the HTML doesn’t get run. At least, this was the case with IE, I haven’t tested it with anything else.

() ;
if (!isset( $_SESSION [ ‘realm’ ])) <
$_SESSION [ ‘realm’ ] = mt_rand ( 1 , 1000000000 ).
» SECOND level: Enter your . COMPANY. password.» ;

header ( «WWW-Authenticate: Basic realm=» . $_SESSION [ ‘realm’ ] );

// Below here runs HTML-wise only if there isn’t a $_SESSION,
// and the browser *can’t* set $PHP_AUTH_USER. normally
// the browser, having gotten the auth info, runs the page
// again without getting here.
// What I’m basically getting to is that the way to get
// here is to escape past the login screen. I tried
// putting a session_destroy() here originally, but the
// problem is that the PHP runs regardless, so the
// REFRESH seems like the best way to deal with it.
echo » » ;
exit;
>

if ( $_POST [ ‘logout’ ] == «logout» ) <
session_destroy () ;
header ( ‘Location: comeagain.php’ );
exit ;
>

// «standard» authentication code here, from the ZEND tutorial above.

comeagain . php is as follows :

session_start ();
unset( $_SESSION [ ‘realm’ ]);
session_destroy ();
echo » Logged Out