Best way to have Apache signal a PHP script on invalid htdigest (HTTP authentication) logins?

StackOverflow https://stackoverflow.com/questions/7297737

Question

So, we have a few folders in our source base that are htdigest protected.

We would like to log invalid logins via our own custom PHP handler.

I was hoping to do this via the Apache ErrorDocument directive.

So I guess my question is two-tiered.

a) Is it valid to point an Apache ErrorDocument directive at a PHP script, and will it be parsed as a PHP script (assuming PHP is up and running for said httpd)?

b) I took a quick look at the HTTP status code list at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.


10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].


This makes it sound as though the flow, from a browser-based user agent, will be as follows:

a) user hits protected URL
b) Apache responds with a 401 status code
c) the user agent presents the user with a username + password prompt

We only want to log invalid logins, not hits that do not know (yet) that the page requires authentication.

Basically, and I'll do a bit of a copy-paste here, what we want is a custom, PHP-based replacement for the following:

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

What we DON'T want to do:

a) Be told that we should in this case be using a full PHP-based login system. This is already done; the authentication is two-tiered. The user has to log into the service via a web-based login (session based), and the second tier of authentication is the HTTP-based authentication.

b) Be told to set up a fully customized PHP-based HTTP authentication handler. Yes, I know this is possible, and quite easy, but I would love to leave the actual htdigest handling in Apache's hands. But if leaving the HTTP auth handling in Apache's hands is not possible, this will end up being what we will have to do.


So, to summarize: is it possible to have Apache parse a PHP-based script on invalid htdigest logins (but not the lack thereof) so we can take action within that script (log, IP block, etc.)?

Solution

The following method works, as far as we can tell, even with expiring htdigest-based authentication:

a) Point ErrorDocument 401 to a PHP-based script.

b) Our PHP 401 script looks as follows:

<?php
// Stand-in for our custom logError(); replace with your own logger.
if (!function_exists('logError')) {
    function logError($category, $message) {
        error_log('[' . $category . '] ' . $message);
    }
}

// Apache prefixes the original request's variables with REDIRECT_ when it
// internally redirects to an ErrorDocument. REDIRECT_REMOTE_USER is only set
// when the request carried credentials that were rejected, so a plain
// (not yet authenticated) hit is not logged.
if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
    logError('authentication', 'invalid login attempt to '
        . (isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'unknown')
        . ' using username ' . $_SERVER['REDIRECT_REMOTE_USER']);
}

// Re-assert the 401 so PHP does not answer the error page with its default 200.
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Authorization Required', true);
header('Status: 401 Authorization Required', true); // honoured by CGI/FastCGI setups

?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

The logError function is a custom function of ours, but you can replace it with whatever you like / add some further actions in there.

Enjoy!
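The answer above relies on one Apache behaviour: on an ErrorDocument internal redirect the original request's variables reappear with a REDIRECT_ prefix, and mod_auth_digest has already set REMOTE_USER from the Authorization header by the time it rejects the password, so REDIRECT_REMOTE_USER is present on a wrong-password attempt and absent when the client sent no credentials at all. The following is an added example, not code from the original answer, that builds on that distinction: it logs only real failures, treats the attacker-supplied username as untrusted before writing it to a log, and keeps a per-IP failure counter in the filesystem so the handler can stop serving the challenge after too many attempts. The Apache configuration in the leading comment, the file paths, the thresholds, and the function names are all assumptions made for the example. Two Apache caveats apply regardless: ErrorDocument 401 must point at a local path, not a remote URL (Apache documents this restriction, since the WWW-Authenticate challenge would otherwise be lost), and the handler script must live outside every htdigest-protected directory, or the internal redirect to it is itself challenged.

```php
<?php
// Added example (not the original answer's code): ErrorDocument 401 handler that
// logs only failed credential attempts and locks out an IP after repeated failures.
//
// Assumed Apache configuration (hypothetical paths):
//
//   <Directory "/srv/www/htdocs/private">
//       AuthType Digest
//       AuthName "private"
//       AuthDigestProvider file
//       AuthUserFile "/etc/apache2/private.htdigest"
//       Require valid-user
//   </Directory>
//   ErrorDocument 401 /errors/401.php
//
// /errors/401.php must live outside every protected directory.

const FAIL_LOG     = '/var/log/apache2/auth-failures.log'; // assumed writable by the httpd user
const LOCKOUT_DIR  = '/var/tmp/auth-lockout';               // one small file per client IP
const MAX_FAILURES = 5;                                      // failures tolerated per window
const WINDOW_SECS  = 600;                                    // sliding window, in seconds

// REDIRECT_REMOTE_USER is set only when the rejected request carried credentials;
// a first, unauthenticated hit has no username and is not a failed login.
function classify401(array $server): string
{
    return isset($server['REDIRECT_REMOTE_USER']) ? 'bad-credentials' : 'no-credentials';
}

// The username is attacker-controlled: replace control characters so a crafted
// value cannot forge extra log lines, and cap the length.
function sanitizeForLog(string $value, int $max = 128): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $value);
    return substr($clean, 0, $max);
}

// Append a timestamp for this IP and return how many failures fall inside the window.
function recordFailure(string $dir, string $ip, int $now, int $window): int
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    $file   = $dir . '/' . sha1($ip); // hashed so the client value cannot shape the path
    $stamps = file_exists($file) ? array_map('intval', file($file, FILE_IGNORE_NEW_LINES)) : [];
    $stamps[] = $now;
    $stamps = array_values(array_filter($stamps, fn($t) => $t > $now - $window));
    file_put_contents($file, implode("\n", $stamps) . "\n", LOCK_EX);
    return count($stamps);
}

$kind = classify401($_SERVER);
$uri  = sanitizeForLog($_SERVER['REDIRECT_URL'] ?? $_SERVER['REQUEST_URI'] ?? 'unknown');
$ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown'; // behind a reverse proxy, use a trusted forwarded header instead

if ($kind === 'bad-credentials') {
    $user  = sanitizeForLog($_SERVER['REDIRECT_REMOTE_USER']);
    $count = recordFailure(LOCKOUT_DIR, $ip, time(), WINDOW_SECS);
    error_log(sprintf("%s auth-failure ip=%s user=%s uri=%s failures=%d\n",
        gmdate('c'), $ip, $user, $uri, $count), 3, FAIL_LOG);

    if ($count > MAX_FAILURES) {
        // Stop re-issuing the challenge to a client that keeps guessing.
        header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden', true, 403);
        echo '<!DOCTYPE html><html><body><h1>Forbidden</h1><p>Too many failed logins.</p></body></html>';
        exit;
    }
}

// Re-assert the 401; Apache carries over the WWW-Authenticate challenge it already
// attached to the error response, so the browser prompts again after a failure.
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized', true, 401);
?>
<!DOCTYPE html>
<html><head><title>401 Unauthorized</title></head>
<body><h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested.</p>
</body></html>
```

Because Apache decides authentication before this script ever runs, the 403 above only replaces the challenge page for a client that has already failed; a locked-out IP that then guesses the right password still gets in. To deny such clients outright, the lockout directory has to feed something Apache or the host evaluates before authentication, such as a firewall rule or an access-control map, which this example deliberately leaves out.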

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow