[nycphp-talk] user authentication

Donald J. Organ IV dorgan at optonline.net
Mon Aug 30 15:28:02 EDT 2004


can we see the function??

----- Original Message ----- 
From: "Phillip Powell" <phillip.powell at adnet-sys.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Monday, August 30, 2004 12:44 PM
Subject: Re: [nycphp-talk] user authentication


> This is mainly for Joe and Susan since both of them seemed to have
> worked with PHP and HTTP Authentication, maybe they'll be able to
> discern this problem.
>
> I wrote an HTTP authentication function authenticate().  However, you
> are being forced to log in twice every time you use this function, and I
> honestly can't figure this out.
>
> This might make things easier to understand:
>
> This is index.php:
>
>
> /*--------------------------------------------------------------------------
>
>        Authentication Block - this block will determine whether or not
>        user has logged in or has successfully logged in by checking:
>
>        1) IP address against stored value in project_globals.inc.php
>        2) Cookie for $projectFolderName
>        3) If they have remained in the utility or have gone elsewhere -
>           then cookie should be overwritten
>
>        New 5/20/2004: User-defined variable $willUseSSL generated into
>        project_global_plugin.inc.php will be a Boolean to determine if
>        there will need to be an SSL layer for the unauthenticated IVC.
>        If the user has not yet logged in and chose to set $willUseSSL to
>        true in the installation, the script will redirect to an SSL layer
>        and ask for authentication.  A check is also done to ensure that if
>        the user is logged in yet remains in an SSL layer, they will be
>        redirected out to ensure full IVC functionality.
>
>        New 5/20/2004: The cookie with key of $projectFolderName will be
>        checked first to bypass the unnecessary instantiation of
>        LoginSessionGenerator for performance enhancement.  If the user
>        logged in, the cookie exists and no need to check further.
>
> --------------------------------------------------------------------------*/
>
>  // NECESSARY FOR SSL-TO-NONSSL REDIRECTION
>  if (($willAuthenticate || $willBasicAuthenticate) &&
>      $_COOKIE["$projectFolderName"]) $isLoggedIn = true;
>
>  if (($willAuthenticate || $willBasicAuthenticate) &&
> !$_COOKIE["$projectFolderName"]) {
>   $errorArray = array();
>   $lsg =& new LoginSessionGenerator();
>   $lsg->handleLogin();
>   $errorArray += $lsg->getErrorArray();
>   $isLoggedIn = $lsg->isLoggedIn;
>  }
>
>  if ($_COOKIE["$projectFolderName"] || (($willAuthenticate ||
> $willBasicAuthenticate) && $isLoggedIn) || !($willAuthenticate ||
> $willBasicAuthenticate)) {
>   $authBool =  true;
>  } else {
>   $authBool = false;
>  }
>
>  if ($willAuthenticate || $willBasicAuthenticate) $lsg = null;
>
> --------------------------------------------------------------------------
>
>
> This is the class LoginSessionGenerator method handleLogin() in
> classes.inc.php:
>
>    /**
>     * Check for login status either through WWW Basic Authentication
>     * (if $willBasicAuthenticate is true) or via IP verification
>     *
>     * @access public
>     */
>    function handleLogin() {                                // VOID METHOD
>        global $willBasicAuthenticate;
>        if (!$this->isLoggedIn && $willBasicAuthenticate)
>            $this->isLoggedIn = authenticate();
>        if (!$this->isLoggedIn) {
>            // SEE IF THEY HAVE ALREADY LOGGED IN
>            $this->validate();
>            // CHECK TO SEE IF LOGIN PROCESS USER ENTERED IS VALID
>            if (!$this->isLoggedIn && !$this->cannotLogin)
>                $this->check();
>            // DISPLAY LOGIN HTML INNER TEMPLATE VIEW
>            if (!$this->isLoggedIn && !$this->cannotLogin)
>                $this->displayLoginHTML();
>        }
>    }
>
> --------------------------------------------------------------------------
>
>
> This is authenticate() in functions.inc.php:
>
>
> /*--------------------------------------------------------------------------
>
>    This function will utilize the ability to use HTTP-based WWW
>    Authentication, checking for the global authorized password against
>    the password entered in the client project's CSV file.  Will not
>    function unless this password exists.
>    See http://www.php.net/manual/en/features.http-auth.php for more
>    info
> --------------------------------------------------------------------------*/
>
> // FUTURISTIC: IN CASE AN "authenticate" PHP FUNCTION IS MADE PART OF CORE
> // IN THE FUTURE
> if (!function_exists('authenticate')) {
> function authenticate() {
>    global $username, $password, $projectFullName;
>    if ($password && preg_match('/IIS/i', $_SERVER['SERVER_SOFTWARE']) &&
>        $_SERVER['HTTP_AUTHORIZATION']) {
>     // LIMIT OF 2: SPLIT AT THE FIRST ':' ONLY, SINCE THE PASSWORD MAY CONTAIN ':'
>     list($user, $pw) = explode(':',
>         base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
>     // AUTHENTICATION SUCCESSFUL WITHIN IIS WITH ISAPI
>     if ($user === $username && $pw === $password) return true;
>    }
>    if ($_SERVER['PHP_AUTH_USER'] && $password &&
>        $_SERVER['PHP_AUTH_USER'] === $username &&
>        $_SERVER['PHP_AUTH_PW'] === $password
>        ) return true;
>    if ($password) {
>     header("WWW-Authenticate: Basic realm=\"$projectFullName\"");
>     header('HTTP/1.0 401 Unauthorized');
>     echo "You must enter a valid login ID and password to access the $projectFullName\n";
>     exit;
>    }
> }
> }
>
> Susan Shemin wrote:
>
> > The code I'm trying to implement is via HTTP Authentication, and the
> > book talks about configuring the Apache httpd.conf file which I do not
> > have access to.  (PHP Essentials by Julie C. Meloni)
> >
> > I can set up the user authentication from the database itself, but I'm
> > not sure how secure it is.
> >
> > Are there other methods of user authentication?  Ah, then I need to
> > tackle the session management.
> >
> > Susan
> >
>
>
> -- 
> --------------------------------------------------------------------------
> Phil Powell
> Multimedia Programmer
> BPX Technologies, Inc.
> #: (703) 709-7218 x107
> Fax: (703) 709-7219
>
>
>
> _______________________________________________
> New York PHP Talk
> Supporting AMP Technology (Apache/MySQL/PHP)
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.newyorkphp.org
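
The Authorization-header handling that the quoted authenticate() performs on IIS, written as an added example that is not part of the thread or the poster's code: it validates the scheme, decodes in strict mode, splits at the first colon only, and compares in constant time. The function names and sample credentials are constructed for illustration, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
/**
 * Parse an "Authorization: Basic ..." header value (hypothetical helper).
 * Returns array(user, password), or null when the header is malformed.
 */
function parse_basic_authorization($header)
{
    // The scheme name is case-insensitive; require a token after it.
    if (!is_string($header) || !preg_match('/^Basic +(\S+)$/i', trim($header), $m)) {
        return null;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split at the FIRST colon only: the password may itself contain ':'.
    return explode(':', $decoded, 2);
}

/** Check a header against the expected credentials (hypothetical helper). */
function credentials_match($header, $expectedUser, $expectedPass)
{
    $creds = parse_basic_authorization($header);
    if ($creds === null) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining
    // so a wrong user name and a wrong password take the same path.
    $userOk = hash_equals($expectedUser, $creds[0]);
    $passOk = hash_equals($expectedPass, $creds[1]);
    return $userOk && $passOk;
}

// Constructed sample headers, not taken from the thread.
$samples = array(
    'valid'          => 'Basic ' . base64_encode('admin:s3cret:with:colons'),
    'wrong password' => 'Basic ' . base64_encode('admin:guess'),
    'no colon'       => 'Basic ' . base64_encode('admin'),
    'not base64'     => 'Basic !!!not-base64!!!',
    'other scheme'   => 'Bearer abc.def.ghi',
);
foreach ($samples as $label => $header) {
    $ok = credentials_match($header, 'admin', 's3cret:with:colons');
    printf("%-15s => %s\n", $label, $ok ? 'accept' : 'reject (send 401)');
}
```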



