Support of HTTP Digest authentication in symfony 1.x. Fork me, I'm famous!
PHP
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
config
lib
LICENSE
README
package.xml.tmpl

README

sfHttpDigestAuthPlugin
======================

Installation
------------

    symfony plugin:install sfHttpDigestAuthPlugin --stability="beta"

Configuration
-------------

Edit your `config/filters.yaml` to enable the digest authentication.

    # config/filters.yml
    http_digest:
      class: sfHttpDigestAuthFilter

You can also customize the plugin parameters:

    # config/filters.yml
    http_digest:
      class: sfHttpDigestAuthFilter
      param:
        # realm sent to the client
        realm:                Realm

        # authentication "session" duration
        nonce_life:           300

        # key used to generate the nonce
        password_is_hash:     true

        # key used to generate the nonce
        private_key:          privatekey

The *user provider* is a valid callback taking a `username` in parameter and
returning his `password` in return, or `null` if the username doe not exist.

The *user signin* takes a `username` in parameter and proceed to the full user
signin, including the `setAuthenticated()` call.

The builtin sfGuardUser provider supports both Propel and Doctrine implementations.
Is is bundled with some configuration parameters too:

    # config/app.yml
    all:
      sfHttpDigestAuth:
        callback:
          # callback used to retrieve the password corresponding to a username
          retrieve:            [ sfGuardUserProvider, findForUser ]

          # callback used to signin the user when authentication is successful
          signin:              [ sfGuardUserProvider, signIn ]

        sfGuardUser:
          # the sfGuardUser method used to retrieve the password HTTP Digest needs
          password_method:     getPassword

          # does the password_method belongs to the profile class?
          method_is_profile:   false

The `password_method` must either return a clear password or key, or a hash of
`username:realm:password` for the Digest to work.

A good practice is to use a randomly generated key dedicated to the HTTP authentication,
like an API key. This way, you can store the clear key without compromising the
password.
In addition, it makes brute force attacks more difficult as they can not rely on
current dictionaries.