HTTP Digest Implementation in PHP

While following leads from Zend’s weekly summary, I ran into Thomas Pike’s HTTP Digest Class: http://www.xiven.com/sourcecode/digestauthentication – a pure PHP implementation which relies on getallheaders() (i.e. requires Apache as well). Thomas introduces it here on his blog.

PHP comes with built-in support for HTTP basic authentication, but the problem there is that, unless you’re using SSL (https), visitors will be sending passwords in clear text, which could easily be “sniffed” between their browser and your server.

HTTP Digest Authentication is a somewhat more secure mechanism, where, essentially, the server begins by sending a “seed” value (the nonce) to the browser, which the browser then combines with the password in a one-way hash and sends the result instead of the password itself.

Good to see this finally well-done in PHP.
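
The challenge-response computation described above, as an added example (not Thomas Pike’s class and not code from the original post): server-side verification of a Digest Authorization header with qop=auth as defined in RFC 2617. The function names are hypothetical, and the sample header is constructed from the example values in RFC 2617 section 3.5.

```php
<?php
// Added example: server-side check of a Digest Authorization header (RFC 2617, qop=auth).
// Function names are hypothetical; sample values are the RFC 2617 section 3.5 example.

function parseDigestHeader(string $header): ?array
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;
    }
    // Collect key="quoted value" and key=token pairs.
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $pair) {
        $fields[$pair[1]] = isset($pair[3]) ? $pair[3] : $pair[2];
    }
    // Refuse headers missing any field the qop=auth computation needs.
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $key) {
        if (!isset($fields[$key])) {
            return null;
        }
    }
    return $fields;
}

function verifyDigest(array $f, string $method, string $password, string $issuedNonce): bool
{
    // Only accept the nonce ("seed") this server actually issued, and only qop=auth.
    if (!hash_equals($issuedNonce, $f['nonce']) || $f['qop'] !== 'auth') {
        return false;
    }
    $ha1 = md5($f['username'] . ':' . $f['realm'] . ':' . $password);
    $ha2 = md5($method . ':' . $f['uri']);
    $expected = md5(implode(':', [$ha1, $f['nonce'], $f['nc'], $f['cnonce'], $f['qop'], $ha2]));
    // Constant-time comparison of the expected and received response digests.
    return hash_equals($expected, strtolower($f['response']));
}

// Constructed request header built from the RFC 2617 section 3.5 example values.
$nonce = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$header = 'Digest username="Mufasa", realm="testrealm@host.com", nonce="' . $nonce . '", '
    . 'uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
    . 'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"';

$fields = parseDigestHeader($header);
var_dump($fields !== null && verifyDigest($fields, 'GET', 'Circle Of Life', $nonce));
var_dump($fields !== null && verifyDigest($fields, 'GET', 'wrong password', $nonce));
```

A production check would also compare the header’s uri field with the URI actually requested and track the nc counter per nonce so that a captured response cannot be replayed.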


  • http://www.sitepoint.com/ mmj

    Thanks for the resources. Building something for digest authentication in my PHP applications has been something I’ve wanted to do for quite a while – now I can get a head start!

  • S

    How about retrieving a URL protected by HTTP Digest Auth, using PHP?

    I’m using file_get_contents($url), but one particular URL is protected using HTTP Digest Authentication. How can I overcome this?

    Thanks!

  • sacx13

    Hi,

    From PHP 5, file_get_contents has a context parameter. You can set the context with stream_create_context and set the Basic Authorization there.

    Regards

  • max

    hi

    I was trying to get digest authentication working on a lighttpd server while processing the response in JavaScript. But whenever the server replies with 401, the browser pops up a login box, which I don’t want. Is there any way that I can get the nonce & realm from the server & pass them to JavaScript instead of the browser….