[nycphp-talk] user authentication

Phillip Powell phillip.powell at adnet-sys.com
Mon Aug 30 15:40:38 EDT 2004


It's at the bottom, and here:

if (!function_exists('authenticate')) {            // FUTURISTIC: IN CASE AN "authenticate" PHP FUNCTION IS MADE PART OF CORE IN THE FUTURE
function authenticate() {
   global $username, $password, $projectFullName;
   if ($password && preg_match('/IIS/i', $_SERVER['SERVER_SOFTWARE']) && !empty($_SERVER['HTTP_AUTHORIZATION'])) {
    // SPLIT ON THE FIRST COLON ONLY SO A PASSWORD CONTAINING ':' IS NOT TRUNCATED
    list($user, $pw) = array_pad(explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2), 2, '');
    if ($user === $username && $pw === $password) return true;    // AUTHENTICATION SUCCESSFUL WITHIN IIS WITH ISAPI
   }
   if (!empty($_SERVER['PHP_AUTH_USER']) && $password &&
        $_SERVER['PHP_AUTH_USER'] === $username &&
        isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] === $password
        ) return true;
   if ($password) {
       header("WWW-Authenticate: Basic realm=\"$projectFullName\"");
       header('HTTP/1.0 401 Unauthorized');
       echo "You must enter a valid login ID and password to access the $projectFullName\n";
       exit;
   }
   return false;    // NO PASSWORD CONFIGURED: NOT AUTHENTICATED
}
}

Phil



Donald J. Organ IV wrote:

>can we see the function??
>
>----- Original Message ----- 
>From: "Phillip Powell" <phillip.powell at adnet-sys.com>
>To: "NYPHP Talk" <talk at lists.nyphp.org>
>Sent: Monday, August 30, 2004 12:44 PM
>Subject: Re: [nycphp-talk] user authentication
>
>
>  
>
>>This is mainly for Joe and Susan since both of them seemed to have
>>worked with PHP and HTTP Authentication, maybe they'll be able to
>>discern this problem.
>>
>>I wrote an HTTP authentication function authenticate().  However, you
>>are being forced to log in twice every time you use this function, and I
>>honestly can't figure this out.
>>
>>This might make things easier to understand:
>>
>>This is index.php:
>>
>>
>>    
>>
>>/*--------------------------------------------------------------------------
>>       Authentication Block - this block will determine whether or not
>>       user has logged in or has successfully logged in by checking:
>>
>>       1) IP address against stored value in project_globals.inc.php
>>       2) Cookie for $projectFolderName
>>       3) If they have remained in the utility or have gone elsewhere -
>>          then cookie should be overwritten
>>
>>       New 5/20/2004: User-defined variable $willUseSSL generated into
>>       project_global_plugin.inc.php will be a Boolean to determine if
>>       there will need to be an SSL layer for the unauthenticated IVC.
>>       If the user has not yet logged in and chose to set $willUseSSL to
>>       true in the installation, the script will redirect to an SSL layer
>>       and ask for authentication.  A check is also done to ensure that if
>>       the user is logged in yet remains in an SSL layer, they will be
>>       redirected out to ensure full IVC functionality.
>>
>>       New 5/20/2004: The cookie with key of $projectFolderName will be
>>       checked first to bypass the unnecessary instantiation of
>>       LoginSessionGenerator for performance enhancement.  If the user
>>       logged in, the cookie exists and no need to check further.
>>--------------------------------------------------------------------------*/
>>
>> if (($willAuthenticate || $willBasicAuthenticate) && !empty($_COOKIE[$projectFolderName])) $isLoggedIn = true;    // NECESSARY FOR SSL-TO-NONSSL REDIRECTION
>>
>> if (($willAuthenticate || $willBasicAuthenticate) && empty($_COOKIE[$projectFolderName])) {
>>  $errorArray = array();
>>  $lsg = new LoginSessionGenerator();
>>  $lsg->handleLogin();
>>  $errorArray += $lsg->getErrorArray();
>>  $isLoggedIn = $lsg->isLoggedIn;
>> }
>>
>> if (!empty($_COOKIE[$projectFolderName]) || (($willAuthenticate || $willBasicAuthenticate) && $isLoggedIn) || !($willAuthenticate || $willBasicAuthenticate)) {
>>  $authBool = true;
>> } else {
>>  $authBool = false;
>> }
>>
>> if ($willAuthenticate || $willBasicAuthenticate) $lsg = null;
>>
>>--------------------------------------------------------------------------
>>
>>This is the class LoginSessionGenerator method handleLogin() in
>>classes.inc.php:
>>
>>   /**
>>    * Check for login status either through WWW Basic Authentication (if
>>    * $willBasicAuthenticate is true) or via IP verification
>>    *
>>    * @access public
>>    */
>>   function handleLogin() {                                // VOID METHOD
>>       global $willBasicAuthenticate;
>>       if (!$this->isLoggedIn && $willBasicAuthenticate) $this->isLoggedIn = authenticate();
>>       if (!$this->isLoggedIn) {
>>        $this->validate();                // SEE IF THEY HAVE ALREADY LOGGED IN
>>        if (!$this->isLoggedIn && !$this->cannotLogin) $this->check();                // CHECK TO SEE IF LOGIN PROCESS USER ENTERED IS VALID
>>        if (!$this->isLoggedIn && !$this->cannotLogin) $this->displayLoginHTML();    // DISPLAY LOGIN HTML INNER TEMPLATE VIEW
>>       }
>>   }
>>
>>--------------------------------------------------------------------------
>>
>>This is authenticate() in functions.inc.php:
>>
>>
>>    
>>
>>/*--------------------------------------------------------------------------
>>   This function will utilize the ability to use HTTP-based WWW
>>   Authentication, checking for the global authorized password against
>>   the password entered in the client project's CSV file.  Will not
>>   function unless this password exists.
>>   See http://www.php.net/manual/en/features.http-auth.php for more
>>   info
>>--------------------------------------------------------------------------*/
>>if (!function_exists('authenticate')) {            // FUTURISTIC: IN CASE AN "authenticate" PHP FUNCTION IS MADE PART OF CORE IN THE FUTURE
>>function authenticate() {
>>   global $username, $password, $projectFullName;
>>   if ($password && preg_match('/IIS/i', $_SERVER['SERVER_SOFTWARE']) && !empty($_SERVER['HTTP_AUTHORIZATION'])) {
>>    // SPLIT ON THE FIRST COLON ONLY SO A PASSWORD CONTAINING ':' IS NOT TRUNCATED
>>    list($user, $pw) = array_pad(explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2), 2, '');
>>    if ($user === $username && $pw === $password) return true;    // AUTHENTICATION SUCCESSFUL WITHIN IIS WITH ISAPI
>>   }
>>   if (!empty($_SERVER['PHP_AUTH_USER']) && $password &&
>>        $_SERVER['PHP_AUTH_USER'] === $username &&
>>        isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] === $password
>>        ) return true;
>>   if ($password) {
>>       header("WWW-Authenticate: Basic realm=\"$projectFullName\"");
>>       header('HTTP/1.0 401 Unauthorized');
>>       echo "You must enter a valid login ID and password to access the $projectFullName\n";
>>       exit;
>>   }
>>   return false;    // NO PASSWORD CONFIGURED: NOT AUTHENTICATED
>>}
>>}
>>
>>Susan Shemin wrote:
>>
>>    
>>
>>>The code I'm trying to implement is via HTTP Authentication, and the
>>>book talks about configuring the Apache httpd.conf file which I do not
>>>have access to.  (PHP Essentials by Julie C. Meloni)
>>>
>>>I can set up the user authentication from the database itself, but I'm
>>>not sure how secure it is.
>>>
>>>Are there other methods of user authentication?  Ah, then I need to
>>>tackle the session management.
>>>
>>>Susan
>>>
>>-- 
>>--------------------------------------------------------------------------
>>Phil Powell
>>Multimedia Programmer
>>BPX Technologies, Inc.
>>#: (703) 709-7218 x107
>>Fax: (703) 709-7219
>>
>>
>>


-- 
---------------------------------------------------------------------------------
Phil Powell
Multimedia Programmer
BPX Technologies, Inc.
#: (703) 709-7218 x107 
Fax: (703) 709-7219
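
As an added example (not part of the original post or the project's code), here is one way to harden the two checks shown in the thread: the Basic-auth header parsing in authenticate(), and the cookie test in index.php, which accepts the mere presence of the $projectFolderName cookie as proof of login. The function names, the HMAC cookie format and $secret are assumptions made for illustration; the code requires PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names and $secret are hypothetical.

/** Parse an "Authorization: Basic ..." value into [user, password], or null if malformed. */
function parse_basic_credentials(?string $header): ?array {
    if ($header === null || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;                        // wrong scheme or non-base64 characters
    }
    $decoded = base64_decode($m[1], true);  // strict mode rejects invalid input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);       // limit 2: the password may contain ':'
}

/** Compare against a stored password hash instead of a plaintext global. */
function check_credentials(array $creds, string $expectedUser, string $passwordHash): bool {
    $userOk = hash_equals($expectedUser, $creds[0]);     // constant-time compare
    $passOk = password_verify($creds[1], $passwordHash);
    return $userOk && $passOk;
}

/** Cookie value the server can verify: "user|expiry|HMAC-SHA256(user|expiry)". */
function issue_login_cookie(string $user, int $expires, string $secret): string {
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

/** Return the user name if the cookie is authentic and unexpired, else null. */
function verify_login_cookie(string $cookie, int $now, string $secret): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;                        // fails closed on any unexpected shape
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $secret);
    return (hash_equals($expected, $mac) && (int)$expires >= $now) ? $user : null;
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-demo-secret';
$hash   = password_hash('s3:cret', PASSWORD_DEFAULT);
$creds  = parse_basic_credentials('Basic ' . base64_encode('phil:s3:cret'));
var_dump($creds !== null && check_credentials($creds, 'phil', $hash));
$cookie = issue_login_cookie('phil', 2000, $secret);
var_dump(verify_login_cookie($cookie, 1000, $secret));  // authentic and unexpired
var_dump(verify_login_cookie('1', 1000, $secret));      // bare value with no MAC
var_dump(verify_login_cookie($cookie, 3000, $secret));  // past its expiry
```

In a deployment the cookie would also be sent with the Secure and HttpOnly attributes, and $secret would come from server-side configuration rather than source code.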

	



