Posted to users@httpd.apache.org by Steven Stromer <fi...@stevenstromer.com> on 2008/01/10 22:25:47 UTC

[users@httpd] Automated digest authentication possible?

Hi,

It's a bit of a challenge to determine where to post this question;  
while I mention PHP, my problem really concerns the digest  
authentication mechanism, so I am trying here, where the mechanism is  
probably best understood.

I'm trying to edit a PHP application that generates PostScript files
from HTML pages, html2ps/pdf (http://www.tufat.com/script19.htm), to
automatically authenticate with an Apache server
using digest authentication. Conceptually, while any visiting client  
can interact with the application, the page requests that the  
application itself makes appear to the web server to be originating  
from the application, and not from the client's browser. Thus, as far  
as I can tell, it becomes necessary for the application to be able to  
complete the authentication process entirely autonomously, creating a  
'digest authentication session' (as I'll call it) that the end user  
does not necessarily even need to have access to.

I've reviewed the digest authentication example provided on the PHP
Manual page titled, 'HTTP authentication with PHP'
(http://us.php.net/features.http-auth), and can certainly see how to build the necessary
reply headers once the web server has accepted a username and  
password. However, the following things confuse me:

1. I'm not sure how to automatically provide the response to the  
server's initial 'HTTP/1.0 401 Unauthorized' response. With basic  
authentication this can easily be skipped by forming a request in the  
format: user:password@host.domain.tld, but this obviously doesn't  
work with digest authentication.

2. I'm not sure how the PHP application itself creates or maintains
its own session.

3. Logically, the $_SERVER['PHP_AUTH_DIGEST'] variable then could not  
even contain the correct username, nonce, etc., because this would  
only be able to reflect the 'session' data of the end client, and not  
the data of the 'session' created by the application itself.

If anyone can even provide some theory, I could likely produce the  
necessary code, though any sample code, or pointers to such samples,  
would be greatly appreciated! So far, my searches have met with  
little success.

Thanks,
Steven Stromer

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
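
The client side of the exchange asked about above, as an added example that is not part of the original post: the application sends its request without credentials, reads the `WWW-Authenticate: Digest` header from the 401 reply, and repeats the request with the `Authorization` header computed below (RFC 2617, `qop=auth`, MD5 only). The function names are hypothetical, and the sample challenge and credentials are constructed from the RFC 2617 section 3.5 example.

```php
<?php
// Added example (hypothetical helper names): client side of RFC 2617 digest auth.

// Parse the key="value" / key=value pairs of a "WWW-Authenticate" Digest challenge.
function parse_digest_challenge(string $header): array
{
    if (stripos($header, 'Digest ') !== 0) {
        throw new InvalidArgumentException('not a Digest challenge');
    }
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $params = [];
    foreach ($m as $p) {
        $params[strtolower($p[1])] = ($p[2] !== '') ? $p[2] : ($p[3] ?? '');
    }
    if (!isset($params['realm'], $params['nonce'])) {
        throw new InvalidArgumentException('challenge lacks realm or nonce');
    }
    return $params;
}

// Build the Authorization header value for one request (nc counts uses of this nonce).
function build_digest_authorization(array $c, string $user, string $pass,
    string $method, string $uri, string $cnonce, int $nc = 1): string
{
    if (isset($c['algorithm']) && strcasecmp($c['algorithm'], 'MD5') !== 0) {
        throw new RuntimeException('only algorithm=MD5 is handled here');
    }
    if (!in_array('auth', array_map('trim', explode(',', $c['qop'] ?? '')), true)) {
        throw new RuntimeException('server did not offer qop=auth');
    }
    $ncHex = sprintf('%08x', $nc);
    $ha1 = md5("$user:{$c['realm']}:$pass");   // secret half: user, realm, password
    $ha2 = md5("$method:$uri");                // request half: method and URI
    $response = md5("$ha1:{$c['nonce']}:$ncHex:$cnonce:auth:$ha2");
    $h = sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
        . 'qop=auth, nc=%s, cnonce="%s", response="%s"',
        $user, $c['realm'], $c['nonce'], $uri, $ncHex, $cnonce, $response);
    return isset($c['opaque']) ? $h . sprintf(', opaque="%s"', $c['opaque']) : $h;
}

// Constructed sample: challenge and credentials from the RFC 2617 section 3.5 example.
$challenge = 'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
$c = parse_digest_challenge($challenge);
// A real client uses a fresh random cnonce, e.g. bin2hex(random_bytes(8)); fixed here for the sample.
echo 'Authorization: ',
    build_digest_authorization($c, 'Mufasa', 'Circle Of Life', 'GET', '/dir/index.html', '0a4f113b'), "\n";
```

The nonce, opaque value and nonce count are state the application keeps for its own connection to the server; they are unrelated to whatever the visiting browser sent.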