PHP Digest身份验证，注销 [英] PHP Digest auth, logout

问题描述

是否有一种方法可以注销用php完成的摘要身份验证.

Is there a way to logout of a digest authentication done in php.

我尝试取消设置($ _SERVER ["PHP_AUTH_DIGEST"]); 但是它不会要求重新登录. 我知道如果我关闭浏览器，它将可以正常工作，这是我的功能.

I have tried unset($_SERVER["PHP_AUTH_DIGEST"]); But it wont ask to relogin. I know if i close the browser then it will work and here are my functions.

    function login(){
        $realm = "Restricted area";
        $users = array("jamesm"=>"");
        if (empty($_SERVER["PHP_AUTH_DIGEST"])) {
            header("HTTP/1.1 401 Unauthorized");
            header("WWW-Authenticate: Digest realm=\"{$realm}\",qop=\"auth\",nonce=\"".uniqid()."\",opaque=\"".md5($realm)."\"");
            return false;
        }
        if (!($data = http_digest_parse($_SERVER["PHP_AUTH_DIGEST"])) || !isset($users[$data["username"]]))
            return false;
        $A1 = md5($data["username"] . ":{$realm}:{$users[$data["username"]]}");
        $A2 = md5($_SERVER["REQUEST_METHOD"].":{$data["uri"]}");
        $valid_response = md5("{$A1}:{$data["nonce"]}:{$data["nc"]}:{$data["cnonce"]}:{$data["qop"]}:{$A2}");
        if ($data["response"] != $valid_response)
            return false;
        return true;
    }
    function logout(){
        unset($_SERVER["PHP_AUTH_DIGEST"]);
        return true;
    }

要完成此操作，我还需要添加更多注销功能.

What more do i need to add to the logout function to finish this off.

如果我更改了领域，则可以，但是我不希望对其进行更改.

If i change the realm it works but i don't want it to be changed.

推荐答案

取消设置$ _SERVER ['PHP_AUTH_DIGEST']将无效.问题是，对于您设置的任务并没有真正的好"答案.

Unsetting $_SERVER['PHP_AUTH_DIGEST'] will have no effect. The problem is, there's not really a "good" answer to the task you've set.

HTTP规范在技术上不允许这样做，但是实际上，如果您向其他浏览器发送另一个401，则其中的大多数浏览器都会有效地注销用户".每个php.net/http-auth:

The HTTP specification doesn't technically allow for it, but in practice, most of the browsers out there will effectively "log the user out" if you send them another 401. Per php.net/http-auth:

在收到服务器响应401时，Netscape Navigator和Internet Explorer都将清除该域的本地浏览器窗口的身份验证缓存.这可以有效地注销"用户，迫使他们重新输入用户名和密码.某些人使用它来超时"登录或提供注销"按钮.

Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively "log out" a user, forcing them to re-enter their username and password. Some people use this to "time out" logins, or provide a "log-out" button.

在您的代码中，最简单的方法可能类似于:

From your code, the simplest method is probably something like:

function logout(){
    header('HTTP/1.1 401 Unauthorized');
    return true;
}

但是，同样，这实际上并不是HTTP规范所认可的.

but, again, this is not actually something approved of by the HTTP specification.

这篇关于PHP Digest身份验证，注销的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！