PHP 摘要验证、注销
有没有办法注销在 php.ini 中完成的摘要身份验证?
我尝试过 unset($_SERVER["PHP_AUTH_DIGEST"]); 但它不会要求重新登录。 我知道如果我关闭浏览器,它就会工作,这是我的功能。
function login(){
$realm = "Restricted area";
$users = array("jamesm"=>"");
if (empty($_SERVER["PHP_AUTH_DIGEST"])) {
header("HTTP/1.1 401 Unauthorized");
header("WWW-Authenticate: Digest realm=\"{$realm}\",qop=\"auth\",nonce=\"".uniqid()."\",opaque=\"".md5($realm)."\"");
return false;
}
if (!($data = http_digest_parse($_SERVER["PHP_AUTH_DIGEST"])) || !isset($users[$data["username"]]))
return false;
$A1 = md5($data["username"] . ":{$realm}:{$users[$data["username"]]}");
$A2 = md5($_SERVER["REQUEST_METHOD"].":{$data["uri"]}");
$valid_response = md5("{$A1}:{$data["nonce"]}:{$data["nc"]}:{$data["cnonce"]}:{$data["qop"]}:{$A2}");
if ($data["response"] != $valid_response)
return false;
return true;
}
function logout(){
unset($_SERVER["PHP_AUTH_DIGEST"]);
return true;
}
我还需要在注销功能中添加什么才能完成此操作。
如果我改变领域它可以工作,但我不希望它被改变。
Is there a way to logout of a digest authentication done in php.
I have tried unset($_SERVER["PHP_AUTH_DIGEST"]);
But it wont ask to relogin.
I know if i close the browser then it will work and here are my functions.
function login(){
$realm = "Restricted area";
$users = array("jamesm"=>"");
if (empty($_SERVER["PHP_AUTH_DIGEST"])) {
header("HTTP/1.1 401 Unauthorized");
header("WWW-Authenticate: Digest realm=\"{$realm}\",qop=\"auth\",nonce=\"".uniqid()."\",opaque=\"".md5($realm)."\"");
return false;
}
if (!($data = http_digest_parse($_SERVER["PHP_AUTH_DIGEST"])) || !isset($users[$data["username"]]))
return false;
$A1 = md5($data["username"] . ":{$realm}:{$users[$data["username"]]}");
$A2 = md5($_SERVER["REQUEST_METHOD"].":{$data["uri"]}");
$valid_response = md5("{$A1}:{$data["nonce"]}:{$data["nc"]}:{$data["cnonce"]}:{$data["qop"]}:{$A2}");
if ($data["response"] != $valid_response)
return false;
return true;
}
function logout(){
unset($_SERVER["PHP_AUTH_DIGEST"]);
return true;
}
What more do i need to add to the logout function to finish this off.
If i change the realm it works but i don't want it to be changed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
取消设置 $_SERVER['PHP_AUTH_DIGEST'] 将不会产生任何效果。问题是,对于您设定的任务来说,并没有真正的“好”答案。
HTTP 规范在技术上不允许这样做,但实际上,如果您向他们发送另一个 401,大多数浏览器将有效地“注销用户”。根据 php.net/http-auth:
从您的代码来看,最简单的方法可能类似于:
但是,这实际上并不是 HTTP 规范认可的方法。
Unsetting $_SERVER['PHP_AUTH_DIGEST'] will have no effect. The problem is, there's not really a "good" answer to the task you've set.
The HTTP specification doesn't technically allow for it, but in practice, most of the browsers out there will effectively "log the user out" if you send them another 401. Per php.net/http-auth:
From your code, the simplest method is probably something like:
but, again, this is not actually something approved of by the HTTP specification.
权威答案:http://tools.ietf.org/ id/draft-ietf-httpbis-p7-auth-12.txt - 第 6.1 节
没有可靠的办法。
一些解决方法包括伪造 401 并更改领域 =,或使用故意无效的凭据确认 AJAX 身份验证请求。
Authoritative answer: http://tools.ietf.org/id/draft-ietf-httpbis-p7-auth-12.txt - section 6.1
There is no reliable way.
Some workarounds include faking a 401 and changing the realm=, or acknowledging an AJAX auth request with purposefully invalid credentials.