xiven.com stating the blatantly obvious since 2002

Digestive biscuits

A while back, I started looking into Digest Authentication as a method of authenticating users of a website without sending passwords about in plain text. I'm not really sure why, but I find the entire thing quite fascinating (to the point that my reading material on one particular train journey was RFC 2617 - HTTP Authentication). Yes I am aware of how sad a reflection this is on my life ☺.

Finding a PHP implementation of it was kinda tricky and I wanted to write my own anyway, so that is exactly what I did.

After a while of fruitlessly trying to get MD5 checksums to match those being sent by the browser, I finally realised that it was all defined nicely in the aforementioned RFC and that I just hadn't noticed it... Figuring out how to do auth-int in PHP was also "fun".

Anyway, the current version of my implementation is now available to anyone who is interested. There are various issues with it that are all documented in the comments at the top along with the usage instructions and other such information.

As of 2005-09-12 I have explicitly released this code as public domain. This means you can do anything you want with it - I have given up all rights to the work with no strings attached. You do not need to credit me if you use this code (though it is always welcomed).

Posted: 2003-07-23 09:37:03 UTC by Xiven | Cross-references (1) | Comments (11)
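
The checksum matching described in the post, as an added example that is not the author's implementation or code from the original page: it parses a Digest credentials string and recomputes the RFC 2617 response for qop=auth and auth-int. The function names are hypothetical, the sample header and password are the worked example from RFC 2617 section 3.5, and the server is assumed to have the password available in plain text.

```php
<?php
// Added example (not the author's class): RFC 2617 Digest check, PHP 7+.

// Parse name=value pairs; quoted values may contain commas or escaped quotes.
function parse_digest(string $header): array {
    $header = preg_replace('/^Digest\s+/i', '', trim($header));
    $re = '/(\w+)\s*=\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^\s,]+))/';
    preg_match_all($re, $header, $pairs, PREG_SET_ORDER);
    $out = [];
    foreach ($pairs as $p) {
        // Group 3 is the unquoted form; group 2 is the quoted form.
        $out[strtolower($p[1])] = ($p[3] ?? '') !== '' ? $p[3] : stripslashes($p[2]);
    }
    return $out;
}

// Recompute request-digest from the parsed fields and the stored password.
function digest_response(array $d, string $method, string $password, string $body): string {
    $ha1 = md5($d['username'] . ':' . $d['realm'] . ':' . $password);
    $a2 = $method . ':' . $d['uri'];
    if (($d['qop'] ?? '') === 'auth-int') {
        $a2 .= ':' . md5($body); // auth-int also hashes the entity body
    }
    $ha2 = md5($a2);
    if (!isset($d['qop'])) {
        return md5($ha1 . ':' . $d['nonce'] . ':' . $ha2); // form without qop
    }
    return md5(implode(':', [$ha1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
}

// Checks the hash only: nonce freshness, nc replay and uri match are left to the caller.
function verify_digest(string $header, string $method, string $password, string $body = ''): bool {
    $d = parse_digest($header);
    $need = ['username', 'realm', 'nonce', 'uri', 'response'];
    if (isset($d['qop'])) {
        if (!in_array($d['qop'], ['auth', 'auth-int'], true)) return false;
        array_push($need, 'nc', 'cnonce');
    }
    foreach ($need as $k) {
        if (!isset($d[$k])) return false;
    }
    return hash_equals(digest_response($d, $method, $password, $body), strtolower($d['response']));
}

// Sample header and password: the worked example from RFC 2617 section 3.5.
$hdr = 'Digest username="Mufasa", realm="testrealm@host.com", '
     . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, '
     . 'nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"';
var_dump(verify_digest($hdr, 'GET', 'Circle Of Life'));
var_dump(verify_digest($hdr, 'POST', 'Circle Of Life')); // method is part of the hash
```

The comparison uses `hash_equals()` so the check does not leak how many leading characters of the response matched.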


  • i love you (2003-08-02 18:33:46 UTC)

    I want to build trackback with PHP, but I don't know how to.

  • jdp (2004-02-11 17:34:53 UTC)

    Looks good! Bravo!

  • jdp (2004-02-11 18:41:55 UTC)

    In "qop == auth-int", body is defined in a for-loop, and then redefined in two if-conditionals testing PHP features. Should be?
    if (feature1){
    elseif (feature2){
    else {

  • rui (2004-02-12 23:20:48 UTC)

    I think this digest authentication class is very useful for the PHP community.
    Is it possible to commit to PEAR?

  • fakeraol@hotmail.com (2008-09-01 03:31:26 UTC)

    Parsing the auth-string is much too complicated.
    It's a two-liner:
    preg_match_all('@(\w+)=[\'"]{0,1}([^\'",]+)@', $txt, $hits);
    $digest = array_combine($hits[1], $hits[2]);
    No worry about "Digest " in front or not.

  • Xiven (Registered) (2008-09-01 20:36:58 UTC)

    Wrote this thing 5 years ago, so yeah, it's not perfect :P

    That said, nowadays I'd use the (relatively new) $_SERVER['PHP_AUTH_DIGEST'] server variable to get the digest string and parse that.

  • max (2008-10-05 05:44:33 UTC)


    I was trying to get digest authentication working on a lighttpd server while processing the response in JavaScript. But whenever the server replies with 401, the browser pops up a login box, which I don't want. Is there any way that I can get the nonce & realm from the server & pass them to JavaScript instead of the browser...

  • Tom Oliver (2008-12-15 05:36:06 UTC)

    Hello again my brother from another mother! I saw this post and thought you were offering real digestive biscuits like in my link. You really had my hopes up. I've given up on the lawnmower (unless you still want to give it to me) but I was really hoping we'd be able to settle this with a couple of authentic European digest biscuits! Are you able to send me some?

    Regards..your bestie, Tom! :)

  • Jay Smythe (2010-03-14 21:29:28 UTC)

    Hope you're still monitoring this.

    I am trying to use this Digest Auth example, but I've run into a few database-oriented snags.

    First I notice you have $db->query($query,IGNOREERROR) at line 171. I thought you were using MySQL?
    Don't recognize this syntax.

    Next, it appears you are using some kind of database helper class or something of the kind (which
    may explain the above). No indication of it in the comments at the top of the doc. Could you tell
    me what helper package you are using? I can implement my own of course, but if there is a good one
    out there I would like to try it.

    That's it for now. I have the feeling there will be more, but I'll await an answer on these questions.


  • Xiven (Registered) (2010-03-14 23:53:45 UTC)

    Just an old database class I was using at the time I wrote it. You should probably just write it to use MySQLi or similar.

  • Daniel (2012-03-01 19:46:46 UTC)

    Thanks for the helpful information.