HTTP Digest Authentication
| 开发者 | jesin |
|---|---|
| 更新时间 | 2017年11月25日 22:25 |
| PHP版本: | 3.1.0 及以上 |
| WordPress版本: | 4.9 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
.htaccess file
SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST=$1
Advantages of HTTP Digest Authentication
- Digest Authentication is very much safer than HTTP Basic Authentication whose credentials can be easily decoded with a base64 decoder.
- From Wikipedia on HTTP Basic Authentication:
The BA (Basic Authentication) mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with BASE64 in transit, but not encrypted or hashed in any way.
- Digest Authentication on the other hand uses MD5 on the credentials making it "one way"
- Uses server and client nonces to prevent replay attacks
- Works using PHP header() function and doesn't require modification of service config files (like .htaccess, nginx.conf etc)
- Supports HTTP credentials for each WordPress user
- Clears the HTTP Digest credentials when the user logs out of WordPress (more on this in the FAQ)
- Verifies if both the HTTP and WordPress credentials are of the same user (this is the default behavior and can be changed)
- Works on all major Web Servers (Tested on Apache, Nginx and Lighttpd)
- When this plugin is activated for the first time all WordPress users will have the following Digest credentials\ Username: <WordPress username>\ Password: password\ This can be changed from Users > Your Profile.
- After activating this plugin for the first time you'll be prompted for HTTP credentials when you logout
- Similarly if you change your HTTP username or password you'll be prompted for this when you logout
- 英文
- Serbo-Croatian by Borisa Djuraskovic
安装:
- Unzip and upload the
http-digest-authfolder to the/wp-content/plugins/directory. - Activate the HTTP Digest Authentication plugin through the 'Plugins' menu in WordPress.
- Configure a HTTP username/password by going to
Users > Your Profilepage. - You'll be prompted for these credentials when you logout after activating the plugin for the first time.
屏幕截图:
常见问题:
How does HTTP logout work?
When you access the wp-login.php page a portion of the realm is generated and stored in a session variable so the realm looks like "HTTP Auth Session MTM4MTc0NzU3OQ=="\ When you logout of WordPress this session variable is deleted and a new realm is generated, hence the browser prompts you for credentials.
How are the HTTP Digest credentials stored?
The username is stored in the wp_usermeta table in plain-text. The password is stored in a two-way encryption format in the same table. It is encrypted and decrypted with the mcrypt_encrypt() and mcrypt_decrypt() functions.
But I saw the plain-text password in my database
That means your PHP installation doesn't have the mcrypt extension. To check if this is the case go to your <?php phpinfo(); ?> and check if there is a section called mcrypt. If there isn't one in your VPS/Dedicated server install it
on Debian/Ubuntu
apt-get install php5-mcrypt
on Centos/Fedora
yum install php5-mcrypt
After installation change the password (or enter the same password in Your Profile) to encrypt it.
Shared hosting users needn't worry about this as any decent host should already have this installed.
Help! I forgot my HTTP Digest credentials
You can find your username by executing the following MySQL query.
The password can be reset with the following querySELECT meta_value FROMwp_usermetaWHERE meta_key = 'http-digest-auth_username' and user_id = (SELECT ID from wp_users where user_login = 'WordPress_Username');Remember to replacewp_with your actual database prefix andWordPress_Usernamewith your login name.
UPDATEwp_usermetaSET meta_value = 'password' WHERE meta_key = 'http-digest-auth_password' and user_id = (SELECT ID from wp_users where user_login = 'admin');This will set the HTTP password topassword. Login and change it immediately.
What does the "Anyone can use these credentials" option do?
By default if you access the wp-login.php page using your HTTP credentials, only YOUR WordPress username can login. This security measure can be disabled by ticking this option.
Are the HTTP credentials stored in the database even after this plugin is deactivated/deleted?
Deactivating this plugin doesn't affect the credentials but deleting the plugin erases all HTTP user credentials leaving no trace of it in the database.
更新日志:
- 3rd September 2014
- Removed
line-heightstyling on input boxes
- 26th May 2014
- Fixed bug that allowed logging in with empty credentials
- Added Serbo-Croatian language, props Borisa Djuraskovic
- 22nd March 2014
- Reduced repetitive code with inheritance
.htaccessrules for FastCGI PHP
- 16th October 2013
- Initial version