Posted to users@httpd.apache.org by Steven Stromer <fi...@stevenstromer.com> on 2008/01/10 22:25:47 UTC
[users@httpd] Automated digest authentication possible?
Hi,
It's a bit of a challenge to determine where to post this question;
while I mention PHP, my problem really concerns the digest
authentication mechanism, so I am trying here, where the mechanism is
probably best understood.
I'm trying to edit a php application that generates postscript files
from html pages, html2ps/pdf (http://www.tufat.com/script19.htm), to
automatically authenticate with an apache server
using digest authentication. Conceptually, while any visiting client
can interact with the application, the page requests that the
application itself makes appear to the web server to be originating
from the application, and not from the client's browser. Thus, as far
as I can tell, it becomes necessary for the application to be able to
complete the authentication process entirely autonomously, creating a
'digest authentication session' (as I'll call it) that the end user
does not necessarily even need to have access to.
I've reviewed the digest authentication example provided on the PHP
Manual page titled, 'HTTP authentication with PHP'
(http://us.php.net/features.http-auth), and can certainly see how to build the necessary
reply headers once the web server has accepted a username and
password. However, the following things confuse me:
1. I'm not sure how to automatically provide the response to the
server's initial 'HTTP/1.0 401 Unauthorized' response. With basic
authentication this can easily be skipped by forming a request in the
format: user:password@host.domain.tld, but this obviously doesn't
work with digest authentication.
2. I'm not sure how the php application itself creates or maintains
its own session.
3. Logically, the $_SERVER['PHP_AUTH_DIGEST'] variable then could not
even contain the correct username, nonce, etc., because this would
only be able to reflect the 'session' data of the end client, and not
the data of the 'session' created by the application itself.
If anyone can even provide some theory, I could likely produce the
necessary code, though any sample code, or pointers to such samples,
would be greatly appreciated! So far, my searches have met with
little success.
Thanks,
Steven Stromer