NYCPHP Meetup

NYPHP.org

[nycphp-talk] user authentication

Phillip Powell phillip.powell at adnet-sys.com
Mon Aug 30 12:44:15 EDT 2004


This is mainly for Joe and Susan since both of them seemed to have 
worked with PHP and HTTP Authentication, maybe they'll be able to 
discern this problem.

I wrote an HTTP authentication function authenticate().  However, you 
are being forced to log in twice every time you use this function, and I 
honestly can't figure this out.

This might make things easier to understand:

This is index.php:

/*-----------------------------------------------------------------------

    Authentication Block - this block will determine whether or not the
    user has logged in or has successfully logged in by checking:

    1) IP address against stored value in project_globals.inc.php
    2) Cookie for $projectFolderName
    3) If they have remained in the utility or have gone elsewhere -
       then the cookie should be overwritten

    New 5/20/2004: User-defined variable $willUseSSL generated into
    project_global_plugin.inc.php will be a Boolean to determine if
    there will need to be an SSL layer for the unauthenticated IVC.
    If the user has not yet logged in and chose to set $willUseSSL to
    true in the installation, the script will redirect to an SSL layer
    and ask for authentication.  A check is also done to ensure that
    if the user is logged in yet remains in an SSL layer, they will be
    redirected out to ensure full IVC functionality.

    New 5/20/2004: The cookie with key of $projectFolderName will be
    checked first to bypass the unnecessary instantiation of
    LoginSessionGenerator for performance enhancement.  If the user
    logged in, the cookie exists and there is no need to check further.

-----------------------------------------------------------------------*/

 // Cookie short-circuit.  NOTE: both tests below only check that a cookie
 // named $projectFolderName is PRESENT, so any client can set one itself and
 // be treated as logged in; the cookie VALUE must be verified (e.g. a signed
 // token) before this can be relied on.  Also note that browsers cache HTTP
 // Basic credentials per protection space (scheme + host + port plus realm,
 // RFC 7617), so an https-to-http redirect after login makes the browser
 // treat http://host as a new space and prompt a second time.
 $hasLoginCookie = isset($_COOKIE[$projectFolderName]) && $_COOKIE[$projectFolderName] !== '';
 $isLoggedIn = false;                                  // NEVER TRUST AN UNINITIALIZED (register_globals) VALUE

 if (($willAuthenticate || $willBasicAuthenticate) && $hasLoginCookie) $isLoggedIn = true;    // NECESSARY FOR SSL-TO-NONSSL REDIRECTION

 if (($willAuthenticate || $willBasicAuthenticate) && !$hasLoginCookie) {
  $errorArray = array();
  $lsg = new LoginSessionGenerator();                   // PHP 4 "=& new" IS NOT VALID IN PHP 7+
  $lsg->handleLogin();
  $errorArray += $lsg->getErrorArray();
  $isLoggedIn = $lsg->isLoggedIn;
 }

 // $authBool IS TRUE WHEN A LOGIN COOKIE EXISTS, WHEN THE LOGIN CHECK PASSED,
 // OR WHEN NO AUTHENTICATION IS CONFIGURED AT ALL
 $authBool = $hasLoginCookie
          || (($willAuthenticate || $willBasicAuthenticate) && $isLoggedIn)
          || !($willAuthenticate || $willBasicAuthenticate);

 if ($willAuthenticate || $willBasicAuthenticate) $lsg = null;

---------------------------------------------------------------------------------------- 


This is the class LoginSessionGenerator method handleLogin() in 
classes.inc.php:

   /**
    * Check for login status either through WWW Basic Authentication (if
    * $willBasicAuthenticate is true) or via IP verification
    *
    * @access public
    */
   function handleLogin() {                                // VOID METHOD
       global $willBasicAuthenticate;
       // WHEN A PASSWORD IS CONFIGURED, authenticate() EITHER RETURNS true OR
       // SENDS A 401 AND EXITS, SO EXECUTION ONLY CONTINUES WITH VALID CREDENTIALS
       if (!$this->isLoggedIn && $willBasicAuthenticate) $this->isLoggedIn = authenticate();
       if (!$this->isLoggedIn) {
           $this->validate();                                                          // SEE IF THEY HAVE ALREADY LOGGED IN
           if (!$this->isLoggedIn && !$this->cannotLogin) $this->check();              // CHECK TO SEE IF LOGIN PROCESS USER ENTERED IS VALID
           if (!$this->isLoggedIn && !$this->cannotLogin) $this->displayLoginHTML();   // DISPLAY LOGIN HTML INNER TEMPLATE VIEW
       }
   }

--------------------------------------------------------------------------------------------------------------------- 


This is authenticate() in functions.inc.php:

/*-------------------------------------------------------------------------

   This function will utilize the ability to use HTTP-based WWW
   Authentication, checking for the global authorized password against
   the password entered in the client project's CSV file.  Will not
   function unless this password exists.
   See http://www.php.net/manual/en/features.http-auth.php for more
   info
--------------------------------------------------------------------------*/

if (!function_exists('authenticate')) {            // FUTURISTIC: IN CASE AN "authenticate" PHP FUNCTION IS MADE PART OF CORE IN THE FUTURE
function authenticate() {
   global $username, $password, $projectFullName;
   if (!$password) return false;                   // REFUSE TO RUN WITHOUT A CONFIGURED PASSWORD

   // IIS (ISAPI) DOES NOT POPULATE PHP_AUTH_USER/PHP_AUTH_PW, SO PARSE THE RAW
   // HEADER.  REQUIRE THE "Basic " SCHEME AND SPLIT ON THE FIRST COLON ONLY
   // (explode LIMIT 2): RFC 7617 ALLOWS ':' INSIDE THE PASSWORD.
   if (preg_match('/IIS/i', $_SERVER['SERVER_SOFTWARE']) && !empty($_SERVER['HTTP_AUTHORIZATION'])
       && strncasecmp($_SERVER['HTTP_AUTHORIZATION'], 'Basic ', 6) === 0) {
    $decoded = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6));
    if (strpos($decoded, ':') !== false) {
     list($user, $pw) = explode(':', $decoded, 2);
     // NOTE: === STOPS AT THE FIRST MISMATCHING BYTE; ON PHP >= 5.6 USE
     // hash_equals() FOR A CONSTANT-TIME COMPARISON
     if ($user === $username && $pw === $password) return true;    // AUTHENTICATION SUCCESSFUL WITHIN IIS WITH ISAPI
    }
   }
   if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
       && $_SERVER['PHP_AUTH_USER'] === $username
       && $_SERVER['PHP_AUTH_PW'] === $password) return true;

   // NO (OR WRONG) CREDENTIALS: CHALLENGE THE CLIENT AND STOP.  THE REALM IS
   // PART OF THE BROWSER'S CREDENTIAL CACHE KEY, SO KEEP IT IDENTICAL ON
   // EVERY PAGE (AND ON BOTH http AND https IF BOTH ARE USED).
   header('HTTP/1.0 401 Unauthorized');
   header("WWW-Authenticate: Basic realm=\"$projectFullName\"");
   echo "You must enter a valid login ID and password to access the $projectFullName\n";
   exit;
}
}

Susan Shemin wrote:

> The code I'm trying to implement is via HTTP Authentication, and the 
> book talks about configuring the Apache httpd.conf file which I do not 
> have access to.  (PHP Essentials by Julie C. Meloni)
>  
> I can set up the user authentication from the database itself, but I'm 
> not sure how secure it is.
>  
> Are there other methods of user authentication?  Ah, then I need to 
> tackle the session management.
>  
> Susan


-- 
---------------------------------------------------------------------------------
Phil Powell
Multimedia Programmer
BPX Technologies, Inc.
#: (703) 709-7218 x107 
Fax: (703) 709-7219

	



