Barry wrote:
Alain Roger wrote:
Hi,
I would like to write a secured logon page but i do not have any
idea where to start... i've alreay setup my Apache server for using
SSL, but what about the PHP code ? with or without cookie ?
crypted or not ?
You could also use digital certificates for authentication. I tried
this with a shared host, but the host didn't have GlobalSign's CA certs
installed, nor would they install the CA's certs. Yet, GlobalSign won't
issue any certificate (except for demo certs) without identification
from the applicants.
If you were to authenticate with a GlobalSign Class 2 certificate,
you'll need to install GlobalSign's Class 2 CA cert
( http://www.globalsign.net/ ). They should have instructions on their
web site on how to get GlobalSign Certs installed onto Apache.
This link may also help you, in case GlobalSign doesn't have instructions:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Once you have installed a CA's certs into Apache, and you have a
certificate issued by the CA's certs, you'll need to have Apache ask
browsers to sign-in with a certificate:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
Once that is set up, set up a phpinfo.php script containing:
<?php phpinfo(); ?>
and see if you find a client fingerprint in the phpinfo() output. The
variable shown for the client fingerprint is perhaps the best way of
authenticating without having the server ask for a password, because the
public key fingerprint will always be unique. Even better, you will also
be ready to implement the use of smartcards, if you're developing
something for an enterprise.
- KJM
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
