So, as I am building a very cool service, I ran into the dilemma of finding a user management system. It doesn't make sense to write it all again when projects such as Joomla already do that very well. So my problem was reduced from coding a user management system to authenticating against Joomla.
After browsing I read several scripts that inspired me to write the one I need: https://bitbucket.org/daniel-lucio/external-joomla-http-authentication/src/master/
The script checks whether $_SERVER['PHP_AUTH_USER'] is set. If it is, it loads the Joomla framework (require_once JPATH_BASE . '/includes/framework.php'), queries the database for that user's password hash, and calls JUserHelper::verifyPassword() to check the supplied password against the hash. If that returns true, you are authenticated.
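The flow just described, written out as an added example. This is my own code, not the script linked above: it assumes a Joomla 3.x install one directory above the script and the Joomla 3 class names JFactory and JUserHelper (Joomla 4 namespaces them differently); the bcrypt string used for unknown usernames is a constructed dummy value.

```php
<?php
// Added example: HTTP Basic authentication against a Joomla 3.x users table.
// Assumptions (not from the original post): Joomla lives one directory above
// this script, and the Joomla 3 API names below match the installed version.
define('_JEXEC', 1);
define('JPATH_BASE', dirname(__DIR__));

require_once JPATH_BASE . '/includes/defines.php';
require_once JPATH_BASE . '/includes/framework.php';

// Booting the site application gives JFactory::getDbo() its configuration
// (database credentials and table prefix).
$app = JFactory::getApplication('site');

/**
 * Look up a Joomla user by username and verify the supplied password against
 * the stored hash. Returns the user id on success, null otherwise.
 */
function joomlaAuthenticate($username, $password)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'password', 'block')))
        ->from($db->quoteName('#__users'))
        ->where($db->quoteName('username') . ' = ' . $db->quote($username));
    $db->setQuery($query);
    $user = $db->loadObject();

    // Unknown user: still run verifyPassword against a (constructed) dummy
    // bcrypt hash so the response time does not reveal whether the username exists.
    if ($user === null) {
        JUserHelper::verifyPassword($password, '$2y$10$' . str_repeat('0', 53), 0);
        return null;
    }

    // Joomla marks blocked accounts with block = 1; never accept those.
    if ((int) $user->block !== 0) {
        return null;
    }

    // verifyPassword understands every scheme Joomla has used (bcrypt, PHPass,
    // legacy MD5:salt); given the user id it can upgrade legacy hashes to bcrypt.
    if (!JUserHelper::verifyPassword($password, $user->password, (int) $user->id)) {
        return null;
    }

    return (int) $user->id;
}

function sendChallenge()
{
    header('WWW-Authenticate: Basic realm="Joomla users"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

// The browser only fills PHP_AUTH_USER/PHP_AUTH_PW after it has seen a 401
// with a WWW-Authenticate header, so the very first request always challenges.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    sendChallenge();
}

$userId = joomlaAuthenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($userId === null) {
    sendChallenge();
}

echo 'Authenticated as Joomla user #' . $userId;
```

Two things to check on your own server: $_SERVER['PHP_AUTH_USER'] is only populated when PHP sees the Authorization header, which is automatic under mod_php but under CGI/FPM setups usually needs the web server to pass the header through explicitly; and the script never stores the clear password anywhere, it only hands it to verifyPassword() and discards it.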
What about Digest Authentication?
Unfortunately, this is not possible out of the box. When a browser uses Digest authentication it does not actually send the password; it sends an MD5 hash derived from it. Hashing is one-way, so the password cannot be recovered from that value.
The issue is that Joomla also stores passwords as hashes, so there is no way to compare the two directly.
If you need Digest authentication, you may be able to modify Joomla to save the password in clear. You can read my article that shows how to modify the hashing in different versions of Joomla.
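To make the mismatch concrete, here is an added example that is not part of the original post. It walks through the Digest computation with constructed values (the username, realm, nonce and password are all made up) and shows which secret the server actually needs: HA1 = MD5(username:realm:password), as defined in RFC 7616. A server that keeps HA1 per user can verify Digest responses without ever storing the clear password, which is a narrower change than the one the post suggests; a bcrypt or PHPass hash of the kind Joomla stores cannot be converted into HA1 after the fact.

```php
<?php
// Added example (not from the original post). All values below are
// constructed for illustration.

// HA1 is what a Digest-capable server must have on file for each user.
// It is derived from the clear password once, at enrolment; a bcrypt or
// PHPass hash like the ones in Joomla's #__users table cannot be turned
// into HA1 afterwards.
function digestHA1($username, $realm, $password)
{
    return md5($username . ':' . $realm . ':' . $password);
}

// The value the browser puts in the response="..." field (RFC 7616, qop=auth).
// Everything except HA1 is public: it is either in the server's challenge
// (realm, nonce) or in the request itself (method, uri, nc, cnonce, qop).
function digestResponse($ha1, $method, $uri, $nonce, $nc, $cnonce, $qop)
{
    $ha2 = md5($method . ':' . $uri);

    return md5($ha1 . ':' . $nonce . ':' . $nc . ':' . $cnonce . ':' . $qop . ':' . $ha2);
}

// Split the Authorization header into key => value pairs. Quoted values
// land in capture group 2, bare tokens (qop=auth, nc=00000001) in group 3.
function parseDigestHeader($header)
{
    $fields = array();
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $fields[$m[1]] = isset($m[3]) ? $m[3] : $m[2];
    }

    return $fields;
}

// Server side: recompute the response from the stored HA1 and compare it
// in constant time. Only HA1 enters the computation, never the password.
function verifyDigest(array $fields, $method, $storedHA1)
{
    foreach (array('uri', 'nonce', 'nc', 'cnonce', 'qop', 'response') as $required) {
        if (!isset($fields[$required])) {
            return false;
        }
    }

    $expected = digestResponse(
        $storedHA1, $method, $fields['uri'], $fields['nonce'],
        $fields['nc'], $fields['cnonce'], $fields['qop']
    );

    return hash_equals($expected, $fields['response']);
}

// --- Constructed exchange -------------------------------------------------
$realm    = 'Joomla users';
$nonce    = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'; // would be minted by the server's 401 challenge
$password = 'correct horse battery staple';        // known to the browser only

// 1. Browser: compute the response and build the header. The clear password
//    is consumed here and never leaves the client.
$response = digestResponse(digestHA1('alice', $realm, $password), 'GET', '/private/', $nonce, '00000001', '0a4f113b', 'auth');
$header   = 'Digest username="alice", realm="' . $realm . '", nonce="' . $nonce . '", uri="/private/", '
          . 'qop=auth, nc=00000001, cnonce="0a4f113b", response="' . $response . '"';

// 2. Server: parse the header and verify against the HA1 stored at enrolment.
$fields    = parseDigestHeader($header);
$storedHA1 = digestHA1('alice', $realm, $password); // what a Digest-aware user table would hold
echo verifyDigest($fields, 'GET', $storedHA1) ? "Digest response verified from stored HA1\n" : "Digest response rejected\n";

// 3. What Joomla actually stores. password_verify() needs the clear password
//    as input, and the only thing the client sent is $fields['response'], so
//    there is no call that links the two.
$joomlaHash = password_hash($password, PASSWORD_BCRYPT);
echo "Joomla stores: $joomlaHash\n";
echo "Client sent:   {$fields['response']}\n";
```

Keeping HA1 instead of the clear password limits the damage of a database leak to the Digest realm it was computed for (HA1 is an unsalted MD5, so it is still far weaker than bcrypt), and the nonce must be generated and tracked server-side so that a captured response cannot simply be replayed.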
Basic authentication is well known to be a weak mechanism in terms of confidentiality: the credentials travel base64-encoded, not encrypted, so anyone on the path can read them. What can you do? Simple: use HTTPS.
Good luck!