Home arrow PHP arrow Page 6 - User Authentication With Apache And PHP

Rank And File - PHP

Want to restrict access to certain sections of your Web site?Or customize page content on the basis of user preferences? Or eventrack user movement across your site? Well, the bad news is that you'llneed to learn how to authenticate users on your site. The good news isthat this tutorial has everything you need to get started.

TABLE OF CONTENTS:
  1. User Authentication With Apache And PHP
  2. Back To Basics
  3. The Right Creds
  4. Hidden Costs
  5. Logging In
  6. Rank And File
  7. Heavy Iron
  8. Sock It To Me, Baby!
  9. Time To Live
  10. A Stitch In Time
  11. Closing Time
By: The Disenchanted Developer, (c) Melonfire
Rating: starstarstarstarstar / 59
March 13, 2002

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement
Now, if you look closely at the HTML markup on the previous page, you'll see that the form references the script "login.php". This PHP script actually performs the task of validating the user information entered into the form against an external source. In this case, the external source is the system's "/etc/passwd" file.

Here's the script which performs the validation:

<? // login.php - performs validation // authenticate using form variables $status = authenticate($f_user, $f_pass); // if user/pass combination is correct if ($status == 1) { // initiate a session session_start(); // register some session variables session_register("SESSION"); // including the username session_register("SESSION_UNAME"); $SESSION_UNAME = $f_user; // redirect to protected page header("Location: /inner.sanctum.php"); exit(); } else // user/pass check failed { // redirect to error page header("Location: /error.php?e=$status"); exit(); } // authenticate username/password against /etc/passwd // returns: -1 if user does not exist // 0 if user exists but password is incorrect // 1 if username and password are correct function authenticate($user, $pass) { $result = -1; // make sure that the script has permission to read this file! $data = file("passwd"); // iterate through file foreach ($data as $line) { $arr = explode(":", $line); // if username matches // test password if ($arr[0] == $user) { // get salt and crypt() $salt = substr($arr[1], 0, 2); // if match, user/pass combination is correct // return 1 if ($arr[1] == crypt($pass, $salt)) { $result = 1; break; } // otherwise return 0 else { $result = 0; break; } } } // return value return $result; } ?>
Pay special attention to the authenticate() function, which forms the core of the script above. This is the function that actually does the hard work of accepting a username/password combo, iterating through the password file, crypt()-ing and matching the user's input against the encrypted data in the file, and finally returning a result code based on the results of the comparison.

In case you're wondering about the actual mechanics of the validation, it's fairly simple. The authenticate() reads the system's password file ("/etc/passwd" here), looks for a line beginning with the specified username, and extracts the first two letters of the corresponding encrypted password string. These two characters serve as the "salt" for the encryption process.

Next, the cleartext password is encrypted with PHP's crypt() function and the extracted "salt", with the result checked against the encrypted value in the password file. If the two match, it implies that the supplied password was correct; if they don't, it implies that the password was wrong. Either way, the result of this authentication procedure is then returned to the caller via a result code.

Assuming that the user has been successfully authenticated, a PHP session is instantiated via the session_start() function, and some session variables are registered. These session variables remain active for the duration of the user's visit to the site. In the example above, I've registered $SESSION (a flag variable to indicate that a session is active) and $SESSION_UNAME (the user's account username) as session variables

Note also that I have found it a good practice to capitalize session variable names, so as to distinguish them from the local variables found in individual script. Again, this is a personal quirk - feel free to ignore it if you think it's stupid.

Once all the session variables have been set up, the browser is redirected to the protected page, "inner.sanctum.php". We'll look at that, and also at the error handler "error.php" shortly - but first, let's look at an alternative scenario, which uses a database for user validation.

 
 
>>> More PHP Articles          >>> More By The Disenchanted Developer, (c) Melonfire
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

PHP ARTICLES

- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: