Comments for "Auth_HTTP_Digest"

» Submit Your Comment
Comments are only accepted during the "Proposal" phase. This proposal is currently in the "Finished" phase.
» Comments
  • Yavor Shahpasov  [2004-02-18 23:28 UTC]

    Link provided does not work.
    Could this be added to the Auth_HTTP rather than releasing a new package for this. I believe that is the proper place for it.

    --Yavor Shahpasov
  • Paul Querna  [2004-02-20 05:06 UTC]

    In the $algorithm doc you say:
    * hash algorithm (MD5|MD5-sess)

    However MD5-sess does not seem to be properly supported. Therefore it should not be a valid argument for the algorithum.

    apache_request_headers - It would be nice to allow this code to work from CGI based PHP. Im not sure it is completely possible, but alternatives should be investigated.

    On line 210:
    if ($_SERVER['REQUEST_URI'] == $auth['uri']) {

    If you look in the Apache implementation[1] in mod_auth_digest.c:
    if (strcmp(resp->uri, resp->raw_request_uri)) {
    /* Hmm, the simple match didn't work (probably a proxy modified the
    * request-uri), so lets do a more sophisticated match

    It then goes on todo a detailed comparison of the URLs. It seems that Apache's implementation should be followed.

    Why does this module support both Basic and Digest, when it is named 'Auth_HTTP_Digest'. This doesn't make any sense.
    Also, you should error out if a client is sending Basic Auth to a digest protected area. This is how Apache behaves. If you want the Package to support both Digest and Basic, I would suggest first renaming the Package, and 2nd allowing the user to set a flag 'force digest only'.

    $this->username is passed into an sql query on line 274 without any escaping. $this->username is taken directly from the HTTP Headers. SQL Injection Attack is just waiting to happen.

    [1] -
  • Paul Querna  [2004-02-21 18:53 UTC]

    Few more things :)

    if the Force Digest Flag is set, you should never send this:
    'WWW-Authenticate: Basic realm="'.$this->basicRealm.'"';

    What Browser Clients have you tested your implmentation with? My gut feel based on exerpiences with mod_auth_digest in apache say that it will not work with Internet Explorer. Mozilla might not work on Post requests. Konqueror should work properly.

    It would be cool if you had a document listing known compatible/incompatible browsers. Unfortunately the RFC is not always clear and there are several existing implmentations that don't work with each other.

    Thanks for your work on the module, it does look like it will be very usefull.

  • Paul Querna  [2004-02-25 03:32 UTC]

    In the Readme:
    Confirmed browsers:
    - Internet Explorer 6.0SP1
    - Mozilla Firefox 0.8 for MS-Windows
    - Mozilla Firefox 0.8 for Linux

    Did you just test Simple Gets?

    I recommend having tests for:
    - Simple Get
    - Get w/ Query Strings
    - Posts
    - Big Posts
    - Posts w/ Query Strings.