sfHttpDigestAuthPlugin - 0.1.0

Support of HTTP Digest authentication in symfony 1.x

You are currently browsing
the website for symfony 1

Visit the Symfony2 website

« Back to the Plugins Home


Forgot your password?
Create an account



advanced search
Information Readme Releases Changelog Contribute
Show source



symfony plugin:install sfHttpDigestAuthPlugin --stability="beta"


Edit your config/filters.yaml to enable the digest authentication.

# config/filters.yml
  class: sfHttpDigestAuthFilter

You can also customize the plugin parameters:

# config/filters.yml
  class: sfHttpDigestAuthFilter
    # realm sent to the client
    realm:                Realm

    # authentication "session" duration
    nonce_life:           300

    # key used to generate the nonce
    password_is_hash:     true

    # key used to generate the nonce
    private_key:          privatekey

The user provider is a valid callback taking a username in parameter and returning his password in return, or null if the username doe not exist.

The user signin takes a username in parameter and proceed to the full user signin, including the setAuthenticated() call.

The builtin sfGuardUser provider supports both Propel and Doctrine implementations. Is is bundled with some configuration parameters too:

# config/app.yml
      # callback used to retrieve the password corresponding to a username
      retrieve:            [ sfGuardUserProvider, findForUser ]

      # callback used to signin the user when authentication is successful
      signin:              [ sfGuardUserProvider, signIn ]

      # the sfGuardUser method used to retrieve the password HTTP Digest needs
      password_method:     getPassword

      # does the password_method belongs to the profile class?
      method_is_profile:   false

The password_method must either return a clear password or key, or a hash of username:realm:password for the Digest to work.

A good practice is to use a randomly generated key dedicated to the HTTP authentication, like an API key. This way, you can store the clear key without compromising the password. In addition, it makes brute force attacks more difficult as they can not rely on current dictionaries.