2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article focuses on PHP's HTTP authentication mechanism. Interested readers may wish to have a look. The method introduced here is simple, fast and practical, so let the editor take you through PHP's HTTP authentication mechanism.
PHP's HTTP Authentication
In daily development, when handling login we will in most cases use a session to save the user's login state and use that to decide whether the user has logged in. But HTTP itself also provides a login authentication mechanism, so let's learn about HTTP authentication today.
HTTP Basic

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // no credentials yet: ask the browser to prompt for them
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "Hello {$_SERVER['PHP_AUTH_USER']}.\n";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.\n";
}

// the browser sends the credentials as: Authorization: Basic YWFhOmFhYQ==
echo base64_decode('YWFhOmFhYQ=='); // aaa:aaa, i.e. the user name and password in plaintext
Let's start with the code. The above is the simplest form of HTTP authentication: if $_SERVER['PHP_AUTH_USER'] does not exist, we send a 401 response with a WWW-Authenticate header to tell the browser that login authentication is required. When the browser receives this response, it pops up its built-in login dialog and asks for a user name and password.
When we fill in the user name and password, the browser puts an Authorization field in the request header and sends the user name and password base64-encoded. PHP then decodes them into $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] respectively.
This is the simplest form, HTTP Basic authentication. As you can see, the user name and password transmitted this way are effectively sent in plaintext, because base64 is trivially reversible. So this approach is very unsafe. Is there a more elaborate way?
HTTP Digest
Since the Basic form is written that way, there must be a better one, and that is HTTP Digest authentication.

<?php
$realm = 'Restricted area';

// user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

// logout: clear the cookie and go back to the front page (must run before any output is sent)
if (!empty($_GET['logout'])) {
    setcookie('login', 0);
    header('Location: /');
    exit;
}

// request Digest authentication when there are no credentials, or when the cookie says "logged out"
if (empty($_SERVER['PHP_AUTH_DIGEST']) || empty($_COOKIE['login'])) {
    setcookie('login', 1); // the cookie is later used to decide whether the user has logged out
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm .
           '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    // reached when the user clicks Cancel instead of entering a password
    die('you clicked cancel, unable to log in');
}

// parse the login information sent by the browser
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']])) {
    die('Wrong credentials');
}

// recompute the expected digest from the stored password
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

// $data['response'] is the digest computed by the browser client
if (!hash_equals($valid_response, $data['response'])) {
    die('Wrong credentials');
}

// user name and password verified; set the cookie before sending any output
setcookie('login', 2);
echo 'your login user is: ' . $data['username'];

// Authorization: Digest username="guest", realm="Restricted area", nonce="5e815bcbb4eba", uri="/", response="9286ea8d0fac79d3a95fff3e442d6d79", opaque="cdce8a5c95a1427d74df7acbf41c9ce0", qop=auth, nc=00000002, cnonce="a42e137359673851"
// The browser takes the nonce from the server's reply plus the username, password, HTTP method and HTTP URI,
// and uses MD5 (or another algorithm specified by the server) to compute the request-digest that becomes the response field.

// parse the Authorization header into its fields
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));

    // each field is either quoted ("...") or a bare token up to the next comma or whitespace
    preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset($needed_parts[$m[1]]);
    }

    return $needed_parts ? false : $data;
}
From the amount of code we can see that this approach is much more complicated. First of all, when not logged in we again return a 401 response telling the browser that we are going to do Digest authentication. Here the header is different: the scheme is Digest, and it carries much more than Basic does; these extra fields are what we need when verifying the authentication data.
Then the browser again pops up a dialog for the user name and password, and submits the user name together with a digest of the password. In the Authorization header we can see the user name in clear text, but no clear-text password. Instead, the response field is an MD5 digest computed from the username, password, nonce, nc, cnonce, qop, $_SERVER['REQUEST_METHOD'], uri and so on. We must compute the same digest by the same rules and compare it with the submitted response to determine that the user name and password are correct, so that the user can complete the normal login process.
In this code we also add a cookie, which is used to decide whether the user has logged out. The lifetime of this form of HTTP authentication is controlled by the browser: once the client closes the browser, the user name and password held in the browser's memory disappear. So we can only implement logout through the cookie: when the user logs out we change the cookie's value, and the next request gets a fresh 401 response so that the browser asks for a login again.
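The Basic and Digest exchanges described above, simulated end to end as an added example that is not part of the original article or of the PHP manual's code. It is written in Python so that both the browser side and the server side run in one file, offline. The realm and the user table are copied from the article's Digest code; ARTICLE_AUTHORIZATION is the Authorization header the article shows, used only to exercise the parser; the function names, the regular expression and the nonce bookkeeping in check_digest are this example's own additions and go a step beyond the article's PHP, which does not remember which nonce it issued.

```python
"""Simulated HTTP Basic and Digest exchanges (both sides), in plain Python."""
import base64
import hashlib
import re
import secrets

# Constructed sample data: same realm and user table as the article's Digest code.
REALM = "Restricted area"
USERS = {"admin": "mypass", "guest": "guest"}  # demo only: real code stores password hashes
# Authorization header shown in the article, used here only to exercise the parser.
ARTICLE_AUTHORIZATION = (
    'Digest username="guest", realm="Restricted area", nonce="5e815bcbb4eba", uri="/", '
    'response="9286ea8d0fac79d3a95fff3e442d6d79", opaque="cdce8a5c95a1427d74df7acbf41c9ce0", '
    'qop=auth, nc=00000002, cnonce="a42e137359673851"')

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

# ---- HTTP Basic: credentials travel base64-encoded, which is effectively plaintext ----

def basic_header(username: str, password: str) -> str:
    """What the browser sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic(authorization: str):
    """Return (username, password) or None. Only the first ':' splits the pair,
    so a password that itself contains ':' survives the round trip."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def check_basic(authorization: str) -> bool:
    creds = parse_basic(authorization)
    if creds is None or creds[0] not in USERS:
        return False
    # constant-time compare, so a wrong password is not distinguishable by timing
    return secrets.compare_digest(USERS[creds[0]].encode(), creds[1].encode())

# ---- HTTP Digest with qop=auth: the MD5 scheme the article's PHP implements ----

DIGEST_FIELDS = ("nonce", "nc", "cnonce", "qop", "username", "uri", "response")
# quoted or bare key=value pairs, the same idea as the article's http_digest_parse()
_PAIR_RE = re.compile(r'\b(' + "|".join(DIGEST_FIELDS) + r')=(?:"([^"]*)"|([^\s,]+))')

def parse_digest(header_value: str):
    """Parse the text after 'Digest '; None if any needed field is missing."""
    data = {k: (q if q else b) for k, q, b in _PAIR_RE.findall(header_value)}
    return data if set(DIGEST_FIELDS) <= set(data) else None

def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest = MD5(A1:nonce:nc:cnonce:qop:A2); both sides compute this."""
    a1 = md5_hex(f"{username}:{REALM}:{password}")
    a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")

def server_challenge(nonce: str) -> str:
    """WWW-Authenticate value the server sends with its 401."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", opaque="{md5_hex(REALM)}"'

def client_authorization(username, password, method, uri, nonce, nc="00000001"):
    """Authorization value the browser builds once the user has typed a password."""
    cnonce = secrets.token_hex(8)
    response = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'response="{response}", opaque="{md5_hex(REALM)}", qop=auth, nc={nc}, cnonce="{cnonce}"')

def check_digest(authorization: str, method: str, issued_nonce: str):
    """Server side: returns the username on success, None otherwise."""
    scheme, _, rest = authorization.partition(" ")
    data = parse_digest(rest) if scheme == "Digest" else None
    if data is None or data["username"] not in USERS:
        return None
    # Added beyond the article's PHP: accept only the nonce this server issued, so a
    # previously seen Authorization header is not accepted against a later challenge.
    if not secrets.compare_digest(data["nonce"].encode(), issued_nonce.encode()):
        return None
    expected = digest_response(data["username"], USERS[data["username"]], method,
                               data["uri"], data["nonce"], data["nc"], data["cnonce"], data["qop"])
    if not secrets.compare_digest(expected.encode(), data["response"].encode()):
        return None
    return data["username"]

def run_exchange(username, password, method="GET", uri="/"):
    """One full round trip: 401 challenge, browser answer, server verification."""
    challenge = server_challenge(secrets.token_hex(8))          # fresh nonce, like uniqid()
    nonce = re.search(r'nonce="([^"]+)"', challenge).group(1)   # the browser reads it back
    return check_digest(client_authorization(username, password, method, uri, nonce), method, nonce)
```

parse_basic recovers aaa:aaa from the article's Basic header unchanged, which is the whole point of the plaintext remark above. The Digest round trip accepts guest/guest and rejects a wrong password, a request whose HTTP method differs from the one the digest was computed over, and an Authorization header presented against a nonce the server never issued. Digest still rests on MD5 and hides only the password, not the request, so in practice both schemes are deployed over TLS and, as the summary below says, as an extra layer in front of back-office tools rather than as the main login.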
Summary
Generally speaking, HTTP authentication will not be used as the normal login function in our daily development. In most cases we add a layer of HTTP authentication in front of a back office or some special management tool to achieve double authentication, that is, to protect the back-office data. For example, I add a layer of HTTP authentication in front of my phpMyAdmin. In addition, HTTP authentication can also be configured directly in Nginx or Apache, with no need to go down to the PHP layer; we will explain that when we study Nginx in the future.
Test code: https://github.com/zhangyue0503/dev-blog/blob/master/php/202003/source/PHP%E7%9A%84HTTP%E9%AA%8C%E8%AF%81.php
Reference document: https://www.php.net/manual/zh/features.http-auth.php
At this point, I believe you have a deeper understanding of PHP's HTTP authentication mechanism. You might as well try it out in practice. For more related content, browse the relevant channels of this website, follow us, and keep learning!