In daily development, during user login, session is used in most cases to save user login information and judge whether the user has logged in based on it. However, HTTP also provides this kind of login authentication mechanism, we will learn about HTTP authentication.
HTTP Basic
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP / 1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
// Authorization: Basic YWFhOmFhYQ==
echo base64_decode('YWFhOmFhYQ==');
// aaa:aaa equals plaintext
Copy the code
If $_SERVER[‘PHP_AUTH_USER’] does not exist, then we send a 401 response header to the browser to tell the browser that we need login authentication. When the browser receives this response header, a browser validation box pops up and asks for a user name and password.
When we fill in the username and password, the browser takes the Authorization field in the request header and sends the username and password after Base64. At the same time, PHP will parse the username and password into \ SERVER[‘ PHPAUTHUSER ‘] and _SERVER[‘PHP_AUTH_USER’] and SERVER[‘ phpAuth_PW ‘] respectively.
This authentication method is the simplest HTTP Basic authentication, and you can see that the user name and password authenticated in this way are the plaintext equivalent, because Base64 can be easily reversed. So it’s very unsafe. So is there a more complicated way?
HTTP Digest
There must be a better way to do this: HTTP authentication over HTTP Digest.
$realm = 'Restricted area';
//user => password
$users = array('admin'= >'mypass'.'guest'= >'guest');
// Specify the Digest authentication mode
if (empty($_SERVER['PHP_AUTH_DIGEST') | |!$_COOKIE['login']) {
setcookie('login'.1); // Determine the login conditions
header('HTTP / 1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="' . $realm .
'",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm).'"');
// If the user does not enter the password click cancel
die('You can't log in because you clicked cancel.');
// Verify user login information
if(! ($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST')) | |!isset($users[$data['username']]) {die('Wrong Credentials! ');
// Verify login information
$A1 = md5($data['username'].':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'].':' . $data['nc'].':' . $data['cnonce'].':' . $data['qop'].':' . $A2);
// $data['response'] is the browser client's encrypted content
if ($data['response'] != $valid_response) {
die('Wrong Credentials! ');
// The user name and password are successfully verified
echo 'Your login user is:' . $data['username'];
// Authorization: Digest username="guest", realm="Restricted area", nonce="5e815bcbb4eba", uri="/", response="9286ea8d0fac79d3a95fff3e442d6d79", opaque="cdce8a5c95a1427d74df7acbf41c9ce0", qop=auth, nc=00000002, cnonce="a42e137359673851"
// The server replies with the nonce value, plus username, password, HTTP method, and HTTP URI, using MD5 (or any other algorithm specified by the server) to calculate the Request-digest as the repsonse header field value
// Get the login information
function http_digest_parse($txt)
// echo $txt;
// protect against missing data
$needed_parts = array('nonce'= >1.'nc'= >1.'cnonce'= >1.'qop'= >1.'username'= >1.'uri'= >1.'response'= >1);
$data = array(a);$keys = implode('|', array_keys($needed_parts));
preg_match_all('@ (' . $keys . ') = (? ([\ '"]) ([^ \] 2 +? \2|([^\s,]+))@'.$txt.$matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3]?$m[3] : $m[4];
return $needed_parts ? false : $data;
header("Location: /");
Copy the code
As you can see from the amount of code, this approach is much more complicated. The first is that we also need to return a 401 response header telling the browser that we want to authenticate Digest without logging in. Now, the header is a little bit different, it’s in Digest format, and it has a lot more content than Basic, and that’s all the extra content that you’re going to need when you’re trying to authenticate something.
Next, the browser will also pop up a user name and password window. The encrypted username and password information is then submitted. We can see that the return value has the plaintext username, but no plaintext password. The password is generated by md5 encryption of username, password, Nonce, NC, CNOCE, COP, $_SERVER[‘REQUEST_METHOD’], URI, etc. Submitted in the Response field. We also need to follow the same rules to obtain the encrypted password for comparison to determine the correct user name and password so that users can complete the normal login process.
In this code, we have added a cookie, which is used for logging out. This is because the expiration time of HTTP authentication is browser-based. That is, if the client closes the browser, the user name and password stored in the browser memory will disappear. In this case, we can only log out through cookie. If the user logs out, we will change the content of the cookie and re-send the 401 response header to browse for re-login.
HTTP authentication of this operation is generally not as our daily development of the normal login function, in most cases, we will give the background or some special management tools to add a layer of HTTP authentication to achieve double authentication, that is, in order to ensure the security of the background data. For example, I would add a layer of this authentication to my phpMyAdmin. In addition, HTTP authentication can be configured directly in Nginx or Apache without having to go all the way to PHP, which we will cover when we learn about Nginx.
Test code:…
Reference documents:…