User Authentication With Apache And PHP (Page 1 of 11)
Want to restrict access to certain sections of your Web site? Or customize page content on the basis of user preferences? Or even track user movement across your site? Well, the bad news is that you'll need to learn how to authenticate users on your site. The good news is that this tutorial has everything you need to get started.

A long, long time ago, during my early days with Web application development, I
was asked to write an administration module for a Web site. This module was to
be available only to site administrators, and so required user authentication,
or login, at the entry point itself. I didn't know much about Web development at
the time, but I did my best and handed the code over to the QA people for
testing.
As it turned out, my user authentication module had enough
security holes in it to drive a few hundred dump trucks through. I spent the
next week plugging those holes, and along the way learnt a number of valuable
things about access control - most notably, that it's not as easy or as obvious
as you might think.
There are a number of reasons why you might want to
add user authentication to your Web site. You might want to restrict access to
certain pages only to a specific group of privileged users. You might want to
customize the content on your site as per user preferences. Or you might just
want to track user movement between the pages of your site. Regardless of why
you want to add it, you should know how to go about doing it reliably and
efficiently.
That's where this article comes in. Over the next few
pages, I'll be showing you how to authenticate users, maintain session
information and handle login/logout operations, using both built-in Apache
authentication and custom PHP code. So keep reading.

Of Myth And Men

Before we get into the nitty-gritty of code and syntax, there's one
very important thing that you should be aware of. It's a common myth among
newbie developers that access control is merely a matter of verifying a user's
password once, and allowing or denying access to a single page based on the
result of that verification. That is certainly part of the picture, but it's
incomplete, because it says nothing about re-verifying the user's identity on
every subsequent, linked page after the initial login. A page that trusts the
user simply because a login form was submitted at some point is a page that
can be reached without ever submitting that form.
In real-world development projects, access control typically involves writing code to handle the following events:

1. Initial user verification and session creation (login): The first time a user logs in to a Web site, a Web application must be capable of requesting the user's credentials (usually a unique username/password combination), and allowing or denying access based on these credentials. This step also involves the creation of a persistent user "session", which stores user variables across multiple HTTP transactions.

2. Session maintenance and re-verification of user credentials: Once a user has logged in successfully, the application must be able to re-verify the user's credentials, on a per-page or per-script basis, and allow or deny access to specific pages or scripts based on this user data (the session created at the first step comes in very handy here). At the very least, the application must check to ensure the existence of a valid user session; more complex applications may additionally perform second-tier checks to ensure that the user has appropriate permissions or security privileges to execute the script or view the page.
3. Session destruction (logout): The application must provide the user with the ability to log out and thereby destroy all user-specific session variables created during the first step. Though this is the last step in the process, its importance should not be underestimated; omitting it can have serious repercussions on the security of your Web application. Note that clearing the session variables on the server is only part of the job: the session cookie should be expired in the browser as well, and the session ID should be changed at login so that an ID handed out before authentication cannot be reused by someone who obtained it earlier.

In order for a Web application to be considered even marginally secure, it must address all three of the requirements above.
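As an added example (not code from the original article), here are the three events above as three PHP functions: `login()` for step 1, `require_login()` for step 2, and `logout()` for step 3. The function names, the inline user table, the `/login.php` redirect target and the 30-minute session age limit are all assumptions made for this illustration; the credential store is constructed in the script so it runs without a database.

```php
<?php
// Added example, not part of the original article. Hypothetical helpers
// for the three access-control events: login, per-page re-verification
// and logout. Names, paths and the session age limit are assumptions.
declare(strict_types=1);

// Hash verified against when the username is unknown, so an unknown user
// and a wrong password cost roughly the same time and return the same answer.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Constructed sample credential store: username => password hash.
// Hashes are generated at load time so the example runs anywhere; a real
// application stores the output of password_hash() once, in a database.
function user_table(): array
{
    static $table = null;
    if ($table === null) {
        $table = [
            'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            'alice' => password_hash('s3cret-pass', PASSWORD_DEFAULT),
        ];
    }
    return $table;
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Step 1: verify credentials and create the session. Returns true on success.
function login(string $username, string $password): bool
{
    $table = user_table();
    $hash  = $table[$username] ?? DUMMY_HASH;
    $valid = password_verify($password, $hash) && isset($table[$username]);
    if (!$valid) {
        return false;
    }
    ensure_session();
    // Issue a fresh session ID at the moment privilege changes, so an ID
    // fixated before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['logged_in']  = true;
    $_SESSION['login_time'] = time();
    return true;
}

// Step 2: call at the top of every protected script. Checks that a session
// exists, that it was created by login(), and that it is not older than
// $max_age seconds (assumed default: 30 minutes). Anything else is logged out.
function require_login(int $max_age = 1800): void
{
    ensure_session();
    $ok = !empty($_SESSION['logged_in'])
        && isset($_SESSION['login_time'])
        && (time() - (int) $_SESSION['login_time']) <= $max_age;
    if (!$ok) {
        logout();
        header('Location: /login.php'); // assumed login page
        exit;
    }
}

// Step 3: destroy the session on the server and expire the cookie in the
// browser, rather than only flipping the logged_in flag.
function logout(): void
{
    ensure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

A login form handler would call `login($_POST['username'], $_POST['password'])` and redirect on success; every other protected script begins with `require_login();` before producing any output, and the logout link simply calls `logout()` and redirects. The point of routing every failure in `require_login()` through `logout()` is that an expired or malformed session is treated exactly like no session at all, which is the behaviour step 2 demands.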