Custom Digest Authentication

4
votes
  • I've made a Http module for digest authentication. On the server, on every request for a page this module check for existing of 'authenticate' header. If this header doesn't exist the user will get 401 message.
  • On the client side, I'm using the jQuery plugin for Digest authentication.

For know I have the flowing functionality:

  1. The user enter username and password in two input fields (not in the browser Http Authentication prompt)
  2. With jQuery I'm making ajax call to some protected page on the server. This ajax call is based on the Digest Http protocol. That means I'm adding authenticate header with username, noncecount, clientnonce, MD5 hashed password and etc.
  3. Then the server response with 200 message :)

If the user go to another page it will get "401 access denied" because there isn't authenticate header in that request. And that is the problem.

  • If I go with the standard digest protocol, then the browser automatically add authorization header in every request and I don't have this problem. But I'm using on this way because I don't what the user to fill his credentials in the browser Http Authentication dialog. We want to have our custom dialog. In the jQuery DigestJ plugin the header is called 'authenticate' instead of 'authorization' and the protocol is called DigestJ instead of Digest. That way I don't get the browsers Http Dialog for entering credentials when the server response with 401 message. We can't use form authentication.
  • I can store user credentials on the client side with jQuery session plugin, but how to modify the Http headers on every request? I need to add 'authenticate' header and to insert the credentials from the session.
1
jqueryauthenticationdigest
Did you ever find a good way of doing this? I'm looking at a similar issue?BillMan

1 Answers

1
votes

I'm using basic HTTP authentication to consume REST web services from a joomla component and my users don't have to type in anything (the only have to log in on joomla once). I just grab the user already logged in and then i send it to my web service using CURL

    $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
//$username and $pass are the vars that will be used for authentication you can get them from your session or a cookie or in my case i got them from joomla JFactory::getUser()->username and JFactory::getUser()->password
        curl_setopt($ch, CURLOPT_USERPWD, JFactory::getUser()->username.':'.JFactory::getUser()->password);
    //here comes the important thing
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response=curl_exec($ch);

On the other side you just have to check $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] against your database and you're done

if (!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']==''||!isset($_SERVER['PHP_AUTH_PW'])||$_SERVER['PHP_AUTH_PW']=='') {
    header('WWW-Authenticate: Basic realm="Something"');
    header('HTTP/1.0 401 Unauthorized');
   echo 'You must be a valid user to access this contents';
   exit;
} else {
       // go to your database check they are valid and return whatever you want to return
}