HTTP DIGEST AUTH问题

I have been using http digest auth for my API for a long time, seemingly it worked as I expected.

However it appears to error and prompt for re-auth three times. On the fourth it just logs the user for the email sent (as username) even though the passwords wrong

Im slightly confused as to why it doesnt keep re-authing until a valid password is sent.

    <?php


    class Model_Authentication_Init {


    const REALM = 'theaudienceauth';

    protected $user_id = NULL;
    protected $user_permissions = array();
    protected $user;
    protected $db;

    public static $instance;
    const ADMIN_PERMISSION_ID = 1;


    public function __construct() {
        $this->db = Zend_Registry::get('db');
    }


    public static function getInstance() {

        if (!isset(self::$instance)) {
            self::$instance = new self();
        }
        return self::$instance;
    }


    protected function extractData() {

        $realm = self::REALM;

        if (empty ( $_SERVER ['PHP_AUTH_DIGEST'] )) {
            header ( 'HTTP/1.1 401 Unauthorized' );
            header ( 'WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid () . '",opaque="' . md5 ( $realm ) . '"' );
            exit ();
            die ( 'Text to send if user hits Cancel button' );
        }

        //be careful username on account isnt the same as username in the db also, later
        $data = http_digest_parse ( $_SERVER ['PHP_AUTH_DIGEST'] );
        return $data;
    }


    protected function validateData($data, $password) {

        $realm          = self::REALM;
        $A1             = md5 ( $data ['username'] . ':' . $realm . ':' . $password );
        $A2             = md5 ( $_SERVER ['REQUEST_METHOD'] . ':' . $data ['uri'] );
        $valid_response = md5 ( $A1 . ':' . $data ['nonce'] . ':' . $data ['nc'] . ':' . $data ['cnonce'] . ':' . $data ['qop'] . ':' . $A2 );

        if ($data ['response'] != $valid_response) {
            die ( 'Wrong Credentials!' );
        }
    }


    public function authData($data) {

        if (isset ($data ['username'])) {
            $account_q          = $this->db->query (" SELECT `id`, `encrypted_password` FROM `User` WHERE `email` = '".$data['username']."' AND `enabled` = 1 AND deleted = 0 ");
            $account            = $account_q->fetch ( PDO::FETCH_OBJ );
            $account_q->closeCursor();

            if (is_object ( $account )) {
                $password_fetched = decrypt_password ( $account->encrypted_password ); //@todo might need to decr.

                if (! defined ( 'CONNECTED_ACCOUNT_ID' )) {
                    define ( 'CONNECTED_ACCOUNT_ID', $account->id );
                }

                $_SESSION ['logged_in']             = 1;
                $_SESSION ['CONNECTED_ACCOUNT_ID']  = $account->id;
                $_SESSION ['email']                 = $data['username'];
                $user_permissions                   = Model_User_Permission::listing ( $account->id );
                $_SESSION['user_permissions']       = $user_permissions;
                $user_id                            = $account->id;
                $account                            = NULL;
            } else {
                die ( 'Could not auth with details passed: email: ' . $data ['username'] );
            }
        }

        $this->user_id              = $user_id;
        $this->user_permissions     = $user_permissions;
        return array($user_id, $user_permissions, $password_fetched);
    }


    /**
     * Main auth method
     * @throws Model_Exception_Application
     */
    public function auth() {

        $userId             = NULL;
        $user_permissions   = NULL;

        if (! isset ( $_SESSION ['logged_in'] ) || $_SESSION ['logged_in'] != 1) {

            $data = $this->extractData();
            list($userId, $user_permissions, $password_fetched) = $this->authData($data);

            // analyze the PHP_AUTH_DIGEST variable
            if (! ($data)) {
                throw new Model_Exception_Application ( 903 );
                die ( 'Wrong Credentials!' );
            }

            $this->validateData($data, $password_fetched);

        } else {
            if (! defined ( 'CONNECTED_ACCOUNT_ID' )) {
                define ( 'CONNECTED_ACCOUNT_ID', $_SESSION ['CONNECTED_ACCOUNT_ID'] );
            }
            $userId = $_SESSION ['CONNECTED_ACCOUNT_ID'];
            //if user permissions are not set to a session, set it
            $user_permissions = $_SESSION['user_permissions'] = Model_User_Permission::listing($userId);// isset($_SESSION['user_permissions']) && !empty($_SESSION['user_permissions']) ? $_SESSION['user_permissions'] : Model_User_Permission::listing($userId);
        }

        $this->user_id                  = $userId;
        $this->user = $_SESSION['user'] = Model_Baseclass::load_by_fields(array('table_name' => 'User', 'id' => $userId)); //isset($_SESSION['user']) && !empty($_SESSION['user']) ? $_SESSION['user'] : Model_Baseclass::load_by_fields(array('table_name' => 'User', 'id' => $userId));
        $this->user_permissions         = $user_permissions;
    }
}

The above is called by:

Model_Authentication_Init::getInstance($this->rest);

Edit: not sure what the cause was now, because it was a long time ago, but here we go:

<?php


class System_Authentication_Init {


    const REALM = 'auth';

    protected $user_permissions = array();
    protected $user;
    protected $db;

    public static $instance;
    const ADMIN_PERMISSION_ID = 1;


    public function __construct() {
        $this->db = Zend_Registry::get('db');
    }


    public static function getInstance() {

        if (!isset(self::$instance)) {
            self::$instance = new self();
        }
        return self::$instance;
    }


    protected function extractData() {

        $realm = self::REALM;

        if (empty ( $_SERVER ['PHP_AUTH_DIGEST'] )) {
            header ( 'HTTP/1.1 401 Unauthorized' );
            header ( 'WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid () . '",opaque="' . md5 ( $realm ) . '"' );
            exit ();
            die ( 'Text to send if user hits Cancel button' );
        }

        //be careful username on account isnt the same as username in the db also, later
        $data = http_digest_parse ( $_SERVER ['PHP_AUTH_DIGEST'] );
        return $data;
    }


    protected function validateData($data, $password) {

        $realm          = self::REALM;
        $A1             = md5 ( $data ['username'] . ':' . $realm . ':' . $password );
        $A2             = md5 ( $_SERVER ['REQUEST_METHOD'] . ':' . $data ['uri'] );
        $valid_response = md5 ( $A1 . ':' . $data ['nonce'] . ':' . $data ['nc'] . ':' . $data ['cnonce'] . ':' . $data ['qop'] . ':' . $A2 );

        if ($data ['response'] != $valid_response) {
            session_destroy();
            session_unset();
            session_regenerate_id();
            die ( 'Wrong Credentials!' );
        }
    }


    public function authData($data) {

        if (isset ($data ['username'])) {
            $accountQuery       = $this->db->query (" SELECT `id`, `encrypted_password` FROM `User` WHERE `email` = '".$data['username']."' AND `enabled` = 1 AND deleted = 0 ");
            $account            = $accountQuery->fetch ( PDO::FETCH_OBJ );
            $accountQuery->closeCursor();

            if (is_object ( $account )) {
                $passwordReturned = decrypt_password ( $account->encrypted_password );

                if (! defined ( 'CONNECTED_ACCOUNT_ID' )) {
                    define ('CONNECTED_ACCOUNT_ID', $account->id);
                }

                $_SESSION ['logged_in']             = 1;
                $_SESSION ['CONNECTED_ACCOUNT_ID']  = $account->id;
                $_SESSION ['email']                 = $data['username'];
                $user_permissions                   = Model_User_Permission::listing ( $account->id );
                $_SESSION['user_permissions']       = $user_permissions;
                $account                            = NULL;
            } else {
                die ( 'Could not auth with details passed: email: ' . $data ['username'] );
            }
        }

        $this->user_permissions = $user_permissions;
        return array($user_permissions, $passwordReturned);
    }


    /**
     * Main auth method
     * @throws System_Exception_Application
     */
    public function authenticate() {

        $user_permissions   = NULL;

        if (! isset ( $_SESSION ['logged_in'] ) || $_SESSION ['logged_in'] != 1) {

            $data = $this->extractData();
            list($user_permissions, $passwordReturned) = $this->authData($data);

            // analyze the PHP_AUTH_DIGEST variable
            if (! ($data)) {
                throw new System_Exception_Application ( 903 );
                die ( 'Wrong Credentials!' );
            }

            $this->validateData($data, $passwordReturned);

        } else {
            if (! defined ( 'CONNECTED_ACCOUNT_ID' )) {
                define ( 'CONNECTED_ACCOUNT_ID', $_SESSION ['CONNECTED_ACCOUNT_ID'] );
            }
            //if user permissions are not set to a session, set it
            $user_permissions = $_SESSION['user_permissions'] = Model_User_Permission::listing(CONNECTED_ACCOUNT_ID);// isset($_SESSION['user_permissions']) && !empty($_SESSION['user_permissions']) ? $_SESSION['user_permissions'] : Model_User_Permission::listing($userId);
        }

        $this->user = $_SESSION['user'] = Model_Baseclass::load_by_fields(array('table_name' => 'User', 'id' => CONNECTED_ACCOUNT_ID)); //isset($_SESSION['user']) && !empty($_SESSION['user']) ? $_SESSION['user'] : Model_Baseclass::load_by_fields(array('table_name' => 'User', 'id' => $userId));
        $this->user_permissions         = $user_permissions;
    }


    public function isAdmin() {

        if (!$this->user_permissions || empty($this->user_permissions) ) {
            $this->authenticate();
        }   

        if ($this->user_permissions) {
            foreach ($this->user_permissions as $user_permission) {
                if (isset($user_permission->{'permission_id'}) && $user_permission->{'permission_id'} == self::ADMIN_PERMISSION_ID) {
                    return true;
                }
            }
        }
        return false;
    }


    /**
     * returns user id
     * @return User id
     */
    public function getUserId() {
        return $this->user->id;
    }


    /* Added by aaron
     * returns the internal user object
     * */
    public function getUserObject() {
        Zend_Registry::set('user', $this->user);
        return $this->user;
    }


    /**
     * returns user permissions
     * @return _user_permissions User Permissions
     */
    public function getUserPermissions() {
        return $this->user_permissions;
    }


}

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

报告相同问题？

关注问题

使用官方文档中的PHP代码进行HTTP身份验证无法正常工作 php
2016-04-04 11:33

回答 1 已采纳 Browsers send credentials given before again on a new request. To ask the browsers for new credent
PHPMailer在某些情况下不起作用 php
2018-04-24 09:25

回答 2 已采纳 Set $mail->SMTPDebug = 2 to see the SMTP conversation, so you can be absolutely sure messages a
使用PHP POST到Web服务的摘要式身份验证的客户端部分 php
2013-09-06 19:13

回答 1 已采纳 Eventually solved it with cURL after 2 days' fumbling. I guess this is the first time a piece of r
http php digest,http,auth_PHP http Digest认证在 chrome 内核浏览器中不弹出认证框怎么解决？？，http,auth,php,javascript - ph...
2021-04-04 09:06

weixin_39785524的博客 PHP http Digest认证在 chrome 内核浏览器中不弹出认证框怎么解决？？php摘要认证(digest) 在 firefox 中或 ie浏览器中都能够正常弹出认证窗口，但是在 chrome内核的浏览器(例如：360安全浏览器) 中无法弹出认证...
如何使用PHP访问PritunlVPN API？ php
2014-10-01 02:35

回答 1 已采纳 <?php $BASE_URL = ""; $API_TOKEN = ""; $API_SECRET = ""; function auth_request($method, $p
PHP CURL GET / POST摘要式身份验证 php
2015-08-08 10:31

回答 1 已采纳 Instead of hitting first curl use get_headers($url). add Content-Type:application/json in header
Http Digest身份验证，处理不同的浏览器字符集 php
2010-02-12 06:40

回答 1 已采纳 The reason for my problem was a bug in FireFox. Just to answer and close this. Link: https://bugzi
http php digest,PHP的HTTP验证
2021-05-03 01:41

林瑞和的博客在日常开发中，我们进行用户登录的时候，大部分情况下都会使用 session 来保存用户登录信息，并以此为依据判断用户是否已登录。...isset($_SERVER['PHP_AUTH_USER'])) {header('WWW-Authenticate: Basic realm="M...
PHP file_get_contents“需要授权” php
2013-05-27 14:50

回答 1 已采纳 The OP's problem was due to choosing the wrong HTTP auth mechanism. Setting CURLOPT_AUTH to CURLAU
Phpmyadmin的PHP不执行，但其他PHP脚本工作 php
2013-05-07 16:10

回答 3 已采纳 First of all, what is the version of PHP? If other .php scripts work except for phpMyAdmin, the i
带有WCF BadContextToken的PHP Soap客户端 php
2014-01-19 15:47

回答 1 已采纳 I solved this some time ago, but never had time to make it more "nicer". So generally problem was
php getdigest,http digest
2021-04-15 14:25

暗黑达人的博客 HTTP digest摘要访问认证是一种协议规定的Web服务器用来同网页浏览器进行认证信息协商的方法。它在密码发出前，先对其应用哈希函数，这相对于HTTP基本认证发送明文而言，更安全。从技术上讲，摘要认证是使用随机数来...
php maverick htaccess未在端口上解析：8888 php
2014-03-20 18:15

回答 1 已采纳 The built-in HTTP server ran by php -S is not Apache, thus there's no .htaccess nor mod_rewrite or
PHP HTTP Digest校验
2021-01-26 14:36

ht408051054的博客 PHP作为客户端进行HTTP Digest校验 // 请求方法 $username = 'admin'; $password = 'admin123'; $uri = "api/cgi-bin/subscribe/picture"; $url = $this->url .$uri; $ch = curl_init(); curl_setopt($ch,...
模拟Digest认证的登录demo
2019-01-15 15:40

一个模拟http 401 Digest认证的登录海康NVR抓取摄像头列表的小demo
http请求digest auth认证
2022-09-21 08:52

qq_41975712的博客 http请求digest auth认证
http php digest,php Basic HTTP与Digest HTTP 应用
2021-05-03 01:41

土匪哥哥的博客 Basic HTTP 认证范例//...isset($_SERVER[‘PHP_AUTH_USER‘])) {header(‘WWW-Authenticate: Basic realm="test"‘);header(‘HTTP/1.0 401 Unauthorized‘);} else {if($_SERVER[‘PHP_AUTH_USER‘]==‘admin‘ &...
php curl digest,php curl with digest返回两个响应
2021-03-25 09:54

呼啸庄主的博客如果对标头使用-I选项,则看起来curl具有相同的行为：curl -I --digest -u root:somepassword http://localhost/digest-test/收益：HTTP/1.1 401 Authorization RequiredDate: Fri, 31 May 2013 13:48:35 GMTServer: ...
没有解决我的问题, 去提问

悬赏问题

¥15 微信会员卡等级和折扣规则
¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
¥15 随身WiFi网络灯亮但是没有网络，如何解决？
¥15 gdf格式的脑电数据如何处理matlab
¥20 重新写的代码替换了之后运行hbuliderx就这样了
¥100 监控抖音用户作品更新可以微信公众号提醒
¥15 UE5 如何可以不渲染HDRIBackdrop背景
¥70 2048小游戏毕设项目
¥20 mysql架构，按照姓名分表
¥15 MATLAB实现区间[a,b]上的Gauss-Legendre积分

码龄粉丝数原力等级 --

HTTP DIGEST AUTH问题

0条回答默认最新

悬赏问题

HTTP DIGEST AUTH问题

0条回答 默认 最新

悬赏问题

0条回答默认最新