PHP 5 Advanced: Visual QuickPro Guide/Page 4
Security Techniques: Part 2
The preceding example does a fine job of showing how easy it is to use PEAR Auth, but it doesn't demonstrate how you would actually use it in a more full-fledged application: a site whose user table has more than two columns and that needs to store and retrieve other information as well.
The first change you'll need to make is to the options array used when creating the Auth object. Different storage types ("containers" in Auth parlance) take different options. Table 4.3 lists some of the other options you can use with the DB container.
DB Container Options
Table 4.3. These are some of the parameters you can set when creating a new Auth object that uses DB.
| Option | Description |
|---|---|
| dsn | The Data Source Name |
| table | The database table to use |
| usernamecol | The name of the username column |
| passwordcol | The name of the password column |
| db_fields | Which other table columns should be selected (use * for all of them) |
| cryptType | The PHP function used to hash the password (md5 by default) |
For example, the DB container authenticates the user by comparing the submitted values against the usernamecol and passwordcol columns; the submitted password is first run through the cryptType function, so the stored value must be that hash. The preceding example used the defaults, but you can change this information easily. Just as important, you can specify which other database columns should be retrieved. These are then stored in the session data and can be read in your script through the getAuthData() method, as shown later in this section.
Three other methods you can use to customize the authentication are the expiration setter, the idle-timeout setter, and setSessionName(). The first takes a value, in seconds, after which the authentication should expire. The second takes a value, in seconds, after which a user with no activity is considered idle and must log in again. The third changes the name under which Auth stores its data in the session; it does not rename PHP's own session cookie (PHPSESSID by default). Expiration and idle time are enforced on the next call to start() or checkAuth(), so a user who is already past the limit is logged out on their next request.
For this next example, a new table will be used, still in the auth database. To create it, use this SQL command (Figure 4.12):
Figure 4.12: Creating the table used by the custom authentication system.
This table stands in for a user table you might already have, with its own columns, that you'd want to use with Auth.
To use custom authentication
- Begin a new PHP script in your text editor or IDE, starting with the HTML (Script 4.4).
Script 4.4. In this script, Auth uses a different table, different column names, and a different hashing function for the password. It selects every column from the table, making all the previously stored data available to the page.
- Define the function that displays the login form.
The function is mostly the same as before, except that this time the form's action points to this script, custom_auth.php. The form labels its one text input as Email (Figure 4.13), but the input's name attribute is still username, because that is the field Auth reads from the submitted data.
Figure 4.13: The customized login form.
- Establish the authorization options and create the object.
The DSN is the same as before. Next, the table, usernamecol, and passwordcol values are specified; these match the table already created (Figure 4.12). The cryptType value says that passwords should be hashed using sha1() instead of the default md5(). Note that cryptType names a PHP function applied to the submitted password before it is compared with the stored column value, so both of these are unsalted, fast hashes; the option accepts any function name, but the container simply compares that function's output with the stored value. The final element in the $options array says that every column from the table should be retrieved. In this particular script, this will allow the page to refer to the logged-in user by name.
Creating a Logout Feature
To add a logout to your authentication system, place this code on a logout page:
Just as when using sessions, you must start the authentication before you can destroy it. Then confirm that the user is authenticated, using checkAuth(), prior to logging out, and call the logout() method to de-authenticate the user. Calling the start() method again will redisplay the login form.
- Add a new user and complete the initial PHP section (Figure 4.14).
Figure 4.14: A sample user has been added to the users table.
The user is added with the addUser() method. This call of the method is the equivalent of running this query:
- Create the initial HTML code.
- Start the authorization.
- Print the authorization status.
The getAuthData() method retrieves the values that were selected from the table and stored in the authentication session.
Figure 4.15: After successfully logging in, the user is greeted by name. The name was pulled from the table and stored in the session.
- Complete the page.
- Save the file as custom_auth.php, place it in your Web directory, and test in your Web browser.
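Here is the whole procedure as one runnable script. It is an example added for this edition, not the book's Script 4.4, and it also folds the logout page from the sidebar into the same file via a ?action=logout query parameter, where the book uses a separate page. The table name users, the columns email, pass, first_name and last_name, and the DSN credentials are assumptions, since the book's Figure 4.12 table definition is not reproduced here.

```php
<?php
/* custom_auth.php: an added example of the procedure above, not the book's
 * Script 4.4. Assumed schema (the book's Figure 4.12 is not reproduced):
 *   users(email, pass, first_name, last_name) in the "auth" database,
 *   with pass holding sha1() hashes. Adjust the DSN for your server. */
require_once 'Auth.php';

// Auth calls this function whenever it needs the login form. The inputs
// must be named "username" and "password": those are the fields Auth reads
// from the submitted data, even though the label on the first one says Email.
function show_login_form()
{
    echo '<form action="custom_auth.php" method="post">
    <p>Email: <input type="text" name="username" size="40" /></p>
    <p>Password: <input type="password" name="password" size="20" /></p>
    <p><input type="submit" name="submit" value="Login" /></p>
    </form>';
}

// DB container options (Table 4.3). cryptType is the PHP function applied to
// the submitted password before it is compared with the passwordcol value;
// db_fields => '*' stores every column of the matching row in the session.
$options = array(
    'dsn'         => 'mysql://username:password@localhost/auth',
    'table'       => 'users',
    'usernamecol' => 'email',
    'passwordcol' => 'pass',
    'cryptType'   => 'sha1',
    'db_fields'   => '*',
);

$auth = new Auth('DB', $options, 'show_login_form');
$auth->setExpire(3600); // authentication expires one hour after login
$auth->setIdle(900);    // ...or after fifteen minutes without a request

// Logout (the sidebar's separate page, handled here via ?action=logout):
// start the authentication, confirm it, destroy it, then start() again
// so the login form is displayed.
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    $auth->start();
    if ($auth->checkAuth()) {
        $auth->logout();
    }
    $auth->start();
    exit;
}

// Run once to seed the table, then remove: addUser() inserts the username and
// the sha1() of the password into the configured columns.
// $auth->addUser('jane@example.com', 'correct horse battery staple');

$auth->start(); // reads the session or the POSTed form; shows the form if needed
?>
<!DOCTYPE html>
<html><head><title>Custom Authentication</title></head><body>
<?php
if ($auth->checkAuth()) {
    // Values fetched via db_fields are available through getAuthData().
    // Escape them: they came from the database, not from this request.
    $first = htmlspecialchars($auth->getAuthData('first_name'), ENT_QUOTES, 'UTF-8');
    $last  = htmlspecialchars($auth->getAuthData('last_name'), ENT_QUOTES, 'UTF-8');
    echo "<p>You, $first $last, are logged in and may read this.</p>";

    // Extra per-session data can be added on the fly with setAuthData().
    $auth->setAuthData('last_seen', time());

    echo '<p><a href="custom_auth.php?action=logout">Log out</a></p>';
} else {
    echo '<p>Please log in to access this page.</p>';
}
?>
</body></html>
```

Two points worth noting in the script: the values pulled in by db_fields are escaped with htmlspecialchars() before being echoed, because a wildcard select puts every column of the row into the session whether or not it was ever meant for display; and the logout branch performs exactly the sidebar's sequence (start, checkAuth, logout, start), so the login form is shown again on the same request.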
- You can add other data to the authentication session on the fly using setAuthData(): setAuthData($name, $value);
- You can also improve authentication security via the
One potential problem with Auth is that it relies on sessions, which introduce security concerns of their own (the session identifier must be protected from theft and fixation). An alternative that avoids sessions altogether is HTTP authentication via Auth_HTTP. HTTP authentication uses a credential dialog, separate from the HTML page, that takes a username and password; the browser then resends those credentials with every subsequent request to the protected realm.
The benefits of HTTP authentication are these:
- The entered username and password are remembered by the browser without needing to send cookies or establish sessions.
- The clean interface will not interfere with your page design.
The downsides are:
- Inability to create a logout feature (the browser keeps resending the credentials until it is closed)
- Inability to establish user groups or specify access levels
- Inability to set an expiration time
Because Basic authentication sends the username and password, only base64-encoded, with every request, it should be used over HTTPS only.
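The same users table protected with Auth_HTTP instead of the session-based Auth object, as an added example that is not from the book. The realm text, the table and column names, and the DSN are assumptions; the options array is the DB container's, since Auth_HTTP only changes how the credentials are collected, not where they are checked.

```php
<?php
/* http_auth.php: added example, not the book's code. Assumes the same
 * users(email, pass) table as the custom_auth.php example, with sha1()
 * password hashes; the realm text and DSN are placeholders. */
require_once 'Auth/HTTP.php';

$options = array(
    'dsn'         => 'mysql://username:password@localhost/auth',
    'table'       => 'users',
    'usernamecol' => 'email',
    'passwordcol' => 'pass',
    'cryptType'   => 'sha1',
);

$a = new Auth_HTTP('DB', $options);
$a->setRealm('Members only');                   // shown in the browser's credential dialog
$a->setCancelText('<h2>401 Unauthorized</h2>'); // body sent when the user cancels
$a->start();                                    // emits the WWW-Authenticate challenge if needed

if ($a->getAuth()) {
    // No session is involved: the browser resent the Authorization header,
    // and Auth_HTTP re-checked it against the table on this request.
    echo '<p>Welcome, '
       . htmlspecialchars($a->getUsername(), ENT_QUOTES, 'UTF-8')
       . '. Close the browser to end the session; there is no logout.</p>';
}
```

Serve this only over HTTPS: with the Basic scheme the Authorization header carries the username and password base64-encoded, not encrypted, on every request.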