Hi,

I'm scoping out an Internet site project and my primary consideration at the moment is authentication infrastructure. Conceptually I was thinking about something like the pseudocode at the bottom of this message (pardon all the Java-esque typing). Can PHP do this sort of thing? I'm wondering if there are some classes available to do this?

I don't think I want to use WWW-Authenticate (at least I don't want to use the ugly password dialog) and I certainly don't want to authenticate via pam or something like that. I want an "as simple as possible, but not simpler" type of thing. I have a strong aversion to bloatware.

Or am I off track? I normally do pretty low level C type stuff so websites are new to me (i.e. PHP).

Thanks,
Mike

int
handleRequest(Request req)
{
    Ticket ticket, tmp;

    /* If the user already has a ticket associated with their session,
     * just pass through and handle the request
     */
    if ((ticket = req.session.getProperty("ticket")) == null) {
        SqlResults results;

        /* If the user has a ticket (embedded in a cookie) then associate
         * it with their session and pass through and handle the request.
         */
        String cookie = req.getCookie("ticket");
        if (cookie) {                    /* try ticket from cookie */
            tmp = Ticket.decrypt("12345", cookie);
            results = Sql.exec(          /* sql injection vulnerability, wahoo! */
                "select ssnkey from accounts where emailaddr = " + tmp.emailaddr);
            if (results.size() == 1 && tmp.ssnkey == results.getInteger(0)) {
                req.session.setProperty("ticket", tmp);
                ticket = tmp;            /* Success! */
            }
        }
        if (ticket == null && req.session.isHttps) {   /* try new login */
            String emailaddr = req.getParameter("emailaddr");
            String password = req.getParameter("password");
            if (emailaddr && password) {
                results = Sql.exec(
                    "select status, password from accounts where emailaddr = " + emailaddr);
                if (results.size() != 1 ||
                        results.getString(0) != "valid" ||
                        password != results.getString(1)) {
                    return sendError(req, ERROR_AUTH_FAILED);
                }
                tmp = new Ticket(emailaddr);
                Sql.exec("update accounts set ssnkey = " + tmp.ssnkey +
                    " where emailaddr = " + tmp.emailaddr);
                req.setCookie("ticket", tmp.encrypt("12345"));
                req.session.setProperty("ticket", tmp);
                ticket = tmp;            /* Success! */
            }
        }
    }

    /* null ticket means not logged in / anonymous */
    return handleAuthenticatedRequest(req, ticket);
}

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
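
The following PHP sketch is an added example, not part of the original message: it follows the same ticket-in-a-cookie flow but binds SQL parameters, checks the password against a hash, and seals the ticket with an HMAC in place of the pseudocode's Ticket.encrypt("12345"). The function names, the pwhash column and the in-memory SQLite data are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Assumed table: accounts(emailaddr, status, pwhash, ssnkey); pwhash holds password_hash() output.

// Seal "emailaddr.ssnkey" with an HMAC (swapped in for Ticket.encrypt) so edits are detected.
function ticket_seal(string $email, string $ssnkey, string $secret): string {
    $body = base64_encode($email) . '.' . $ssnkey;
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Return [email, ssnkey] when the MAC verifies, otherwise null.
function ticket_open(string $cookie, string $secret): ?array {
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) return null;
    [$b64, $ssnkey, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$b64.$ssnkey", $secret), $mac)) return null;
    $email = base64_decode($b64, true);
    return $email === false ? null : [$email, $ssnkey];
}

// New login: bound parameters, hashed password check, fresh random ssnkey per login.
function login(PDO $db, string $email, string $password, string $secret): ?string {
    $st = $db->prepare('SELECT status, pwhash FROM accounts WHERE emailaddr = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['status'] !== 'valid' || !password_verify($password, $row['pwhash'])) return null;
    $ssnkey = bin2hex(random_bytes(16));
    $db->prepare('UPDATE accounts SET ssnkey = ? WHERE emailaddr = ?')->execute([$ssnkey, $email]);
    return ticket_seal($email, $ssnkey, $secret);
}

// Returning visitor: the cookie counts only if its ssnkey equals the stored one.
function resume(PDO $db, string $cookie, string $secret): ?string {
    $t = ticket_open($cookie, $secret);
    if ($t === null) return null;
    $st = $db->prepare('SELECT ssnkey FROM accounts WHERE emailaddr = ?');
    $st->execute([$t[0]]);
    $stored = $st->fetchColumn();
    return (is_string($stored) && hash_equals($stored, $t[1])) ? $t[0] : null;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (emailaddr TEXT PRIMARY KEY, status TEXT, pwhash TEXT, ssnkey TEXT)');
$db->prepare('INSERT INTO accounts VALUES (?, ?, ?, NULL)')
   ->execute(['user@example.com', 'valid', password_hash('s3cret', PASSWORD_DEFAULT)]);
$secret = random_bytes(32); // demo only; a real site loads a fixed key from configuration
$cookie = login($db, 'user@example.com', 's3cret', $secret);
var_dump(resume($db, $cookie, $secret), resume($db, $cookie . 'x', $secret));
// Web use: setcookie('ticket', $cookie, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

The two var_dump arguments exercise an intact cookie and a cookie with one extra character appended; caching the resumed email address in $_SESSION would mirror the pseudocode's req.session.setProperty step.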