PHP 5 Advanced: Visual QuickPro Guide/Page 4 | WebReference



Security Techniques: Part 2

Custom Authentication

The preceding example does a fine job of showing how easy it is to use PEAR Auth, but it doesn't demonstrate how you would actually use it in a more full-fledged application. By this I mean a site that has a table with more than two columns and needs to store, and retrieve, other information as well.

The first change you'll need to make is to the options array used when creating the Auth object. Different storage types ("containers" in Auth parlance) have different options. Table 4.3 lists some of the other options you can use with DB.

DB Container Options

Table 4.3. These are some of the parameters you can set when creating a new Auth object that uses the DB container.

Option        Indicates
dsn           The Data Source Name (the PEAR DB connection string)
table         The database table to use
usernamecol   The name of the username column
passwordcol   The name of the password column
db_fields     What other table columns should be selected (an array of column names, or '*' for all of them)
cryptType     The function used to hash the password before it is stored and compared (md5 by default; sha1 or the name of another PHP function are accepted, and none stores and compares the password in plain text)
For example, the DB container fetches the row whose usernamecol matches the submitted username and compares its passwordcol against the submitted password run through the cryptType function; only the hash is ever stored or compared, never the plain-text password. The preceding example used the defaults, but you can change this information easily. Just as important, you can specify what other database columns should be retrieved. These are then stored in the session data and can be read in your script through the getAuthData() method.

Three other methods you can use to customize the authentication are setExpire(), setIdle(), and setSessionName(). The first takes a number of seconds after logging in after which the session expires, whether or not the user is still active. The second takes a number of seconds after which a user who has made no request is considered idle and must log in again. The third changes the key in the $_SESSION array under which Auth stores its data; it does not change the name of PHP's session cookie, which is PHPSESSID by default.

For this next example, a new table will be used, still in the auth database. To create it, use this SQL command (Figure 4.12):

Figure 4.12: Creating the table used by the custom authentication system.

This table represents how you might already have some sort of user table, with its own columns, that you'd want to use with Auth.

To use custom authentication

  1. Begin a new PHP script in your text editor or IDE, starting with the HTML (Script 4.4).

    Script 4.4. In this script, Auth uses a different table, different column names, and a different hashing function for the password. It selects every column from the table, making all the previously stored data available to the page.

  2. Define the show_login_form() function.

    The function is mostly the same as it was before, except this time the action points to this script, custom_auth.php. The form also labels the one input as Email (Figure 4.13), even though its name attribute is still username, which Auth requires.

    Figure 4.13: The customized login form.

  3. Establish the authorization options and create the object.

    The DSN is the same as it was before. Next, the table, usernamecol, and passwordcol values are all specified; these match the table already created (Figure 4.12). The cryptType value says that passwords should be hashed with SHA1() instead of the default MD5(), so the values stored in the password column must be SHA1() digests as well (addUser() produces them). Both are fast, unsalted hashes: two users with the same password get the same stored value, and a leaked table can be attacked with precomputed lookups, so neither is a good choice for a new system. The final element in the $options array says that every column from the table should be retrieved. In this particular script, this will allow the page to refer to the logged-in user by name.

    Creating a Logout Feature

    To add a logout to your authentication system, place this code on a logout page:

    Just as with sessions, you must start the authentication before you can destroy it. Then confirm that the user is authenticated, using checkAuth(), before logging out. Calling the logout() method de-authenticates the user by removing Auth's data from the session. Calling the start() method again will redisplay the login form.

  4. Add a new user and complete the initial PHP section (Figure 4.14).

    Figure 4.14: A sample user has been added to the users table.

    Because the table has more than just the two columns, the extra columns and values have to be provided, as an array, as the third argument to the addUser() method. This call is the equivalent of running an INSERT query that stores the username, the SHA1() hash of the password, and the additional column values. Run it once: after the user exists, remove or comment out the call, or every request will try to insert the same user again.

  5. Create the initial HTML code.

  6. Start the authorization.

  7. Print the authorization status.

    The result if the user isn't logged in looks like Figure 4.13. When the user does log in, they are greeted by name (Figure 4.15). The getAuthData() method returns the values selected from the table and stored in the authentication session; because they came from the database, pass them through htmlspecialchars() before printing them into the page.

    Figure 4.15: After successfully logging in, the user is greeted by name. The name was pulled from the table and stored in the session.

  8. Complete the page.

  9. Save the file as custom_auth.php, place it in your Web directory, and test in your Web browser.
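The complete page, as an added example: this is a reconstruction of steps 1 through 9 written for this edit, not the book's own Script 4.4. It also folds in the getAuthData(), setExpire() and setIdle() calls described above, the addUser() seeding call from step 4, and the logout sequence from the sidebar (start, checkAuth, logout, start), handled here by a POST to the same script rather than on a separate page. Assumptions, since the page does not reproduce the CREATE TABLE statement: the users table has columns email, pass, first_name and last_name, and the DSN username and password are placeholders.

```php
<?php
// custom_auth.php: added example, not the book's Script 4.4.
// Assumed schema (hypothetical; the page does not show it):
//   users(email, pass, first_name, last_name), pass holding a SHA1 hex digest.
require_once 'Auth.php';

// Auth calls this with the submitted username and a status code whenever
// there is no valid session. One generic message covers every failure so
// the form does not reveal whether the email address exists.
function show_login_form($username = '', $status = '')
{
    if ($status == AUTH_WRONG_LOGIN) {
        echo '<p>Invalid email address or password.</p>';
    } elseif ($status == AUTH_IDLED || $status == AUTH_EXPIRED) {
        echo '<p>Your session has ended; please log in again.</p>';
    }
    echo '<form action="custom_auth.php" method="post">
    <p>Email: <input type="text" name="username" /></p>
    <p>Password: <input type="password" name="password" /></p>
    <p><input type="submit" name="submit" value="Login" /></p>
    </form>';
}

$options = array(
    'dsn'         => 'mysql://username:password@localhost/auth', // placeholder credentials
    'table'       => 'users',
    'usernamecol' => 'email',  // assumed column name
    'passwordcol' => 'pass',   // assumed column name; stores sha1($password)
    'cryptType'   => 'sha1',   // unsalted SHA1 as in the book: legacy only
    'db_fields'   => '*',      // every other column goes into the auth session
);

$auth = new Auth('DB', $options, 'show_login_form');
$auth->setExpire(60 * 60); // must log in again one hour after logging in
$auth->setIdle(15 * 60);   // must log in again after 15 minutes without a request

// Run once to seed the table, then remove. Equivalent to
//   INSERT INTO users (email, pass, first_name, last_name)
//   VALUES ('jane@example.com', SHA1('mypass'), 'Jane', 'Doe')
// $auth->addUser('jane@example.com', 'mypass',
//     array('first_name' => 'Jane', 'last_name' => 'Doe'));
?>
<!DOCTYPE html>
<html>
<head><title>Custom Authentication</title></head>
<body>
<?php
$auth->start(); // starts the session; shows the login form if not authenticated

if ($auth->checkAuth()) {
    if (isset($_POST['action']) && $_POST['action'] == 'logout') {
        $auth->logout();             // removes Auth's data from $_SESSION
        session_regenerate_id(true); // retire the old session identifier as well
        $auth->start();              // no authentication now: the form is shown again
    } else {
        // Columns selected via db_fields are returned by getAuthData().
        // The value came from the database, so escape it before printing.
        $name = htmlspecialchars($auth->getAuthData('first_name'), ENT_QUOTES, 'UTF-8');
        echo "<p>Hello, $name!</p>";
        echo '<form action="custom_auth.php" method="post">
        <input type="hidden" name="action" value="logout" />
        <input type="submit" value="Log out" />
        </form>';
    }
} else {
    echo '<p>You must be logged in to access this page.</p>';
}
?>
</body>
</html>
```

The logout is a POST rather than a link so that a third-party page cannot log the user out by embedding the URL, and the session identifier is regenerated after logout() so that a captured identifier from the authenticated session is worthless afterwards.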
Tips

Using Auth_HTTP

One potential problem with Auth is that it relies upon sessions, which can introduce some security concerns (a stolen or fixated session identifier is as good as a login). An alternative is HTTP authentication via Auth_HTTP. HTTP authentication makes the browser prompt for a username and password in a dialog separate from the HTML page and resend them with every request. Whether that is more secure depends on the transport: with Basic authentication the credentials are only base64-encoded, not encrypted, so it should only be used over HTTPS.

The benefits of HTTP authentication are these:

The downsides are:
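A page protected with Auth_HTTP, as an added example that is not from the book. It uses the same assumed users table and placeholder DSN as the custom authentication example; setRealm(), setCancelText(), start() and getAuth() are Auth_HTTP's own methods. The HTTPS guard at the top is added here as the check a practitioner wants in front of Basic authentication.

```php
<?php
// http_auth.php: added example (not from the book) of the Auth_HTTP alternative.
// Assumes the hypothetical users(email, pass, first_name, last_name) table.
require_once 'Auth/HTTP.php';

// Basic authentication sends the username and password base64-encoded, not
// encrypted, with every request, so refuse to run over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
    header('HTTP/1.1 403 Forbidden');
    exit('This page is only available over HTTPS.');
}

$options = array(
    'dsn'         => 'mysql://username:password@localhost/auth', // placeholder credentials
    'table'       => 'users',
    'usernamecol' => 'email',  // assumed column name
    'passwordcol' => 'pass',   // assumed column name; stores sha1($password)
    'cryptType'   => 'sha1',   // same legacy hash as the session-based example
    'db_fields'   => '*',
);

$a = new Auth_HTTP('DB', $options);
$a->setRealm('Members only');                   // label shown in the browser's prompt
$a->setCancelText('<h1>401 Unauthorized</h1>'); // body sent when the user cancels
$a->start(); // sends the WWW-Authenticate challenge when credentials are absent or wrong

if ($a->getAuth()) {
    $name = htmlspecialchars($a->getAuthData('first_name'), ENT_QUOTES, 'UTF-8');
    echo "<p>Hello, $name!</p>";
}
```

There is no logout() equivalent that works reliably here: the browser keeps resending the cached credentials until it is closed, so ending access means changing the realm or the password.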
