Flylib.com

Books Software

 
 
 

Category list


Similar pages

Types of Authentication


Buy on amazon.com >>
Newman C
    << Previous page
    Table of contents
    Next page >>

    Types of Authentication

    Chances are you have needed to log in to a website in the past, so you should be aware of how the process of authentication works from a user 's point of view. Generally speaking, you are asked to enter a usernamesometimes your email addressand a password.

    There are actually two ways that a website can authenticate a user, though: using basic HTTP authentication and using session-based authentication. The following sections clarify the differences between these two methods .

    Basic HTTP Authentication

    Basic HTTP authentication can be performed by web server, without having anything to do with PHP script. The example in this section assumes that you are using Apache web server; for other web servers, you should refer to your documentation.

    Authentication is usually done on a per-directory basis but can be set up to apply to individual files if required. By using an .htaccess file on your website, you can specify for that directory a custom configuration that instructs the web server to require a login before proceeding. A typical set of configuration directives would look like this: 

    AuthType Basic
AuthName "Protected Website"
AuthUserFile /home/yourname/htpasswd
require valid-user

    AuthUserFile points to the location of a password file that is created by using the htpasswd program. To create a new password file, you would run a command like the following: 

    $

htpasswd c /home/yourname/htpasswd chris

New password:
Re-type new password:

    Password Files You should use the c switch only when you want to create a new file. The htpasswd program does not ask whether you want to overwrite an existing file. Running htpasswd without the c option on an existing password file adds a user.


    You have to enter the new password twice, after which an entry is added to the password file given. The entry consists of the username and an encrypted version of the password, separated with a colon character. However, you should never need to work with this file directly. A typical password file entry might look like this: 

    chris:XNiv7qSUTFPU6
damon:ZxxE2PTEXeVNU
shelley:SVzAEtxMLEAls
vanessa:cX/t1Pv2oQfrY

    When you try to access a file in the protected directory, your web browser pops up a window that asks for a username and password, and the page requested loads only after you have entered the correct information.

    The require valid-user directive instructs the web server to show the page to any authenticated user. You might want to grant access to only certain users, which you can do with the require user directive: 

    require user chris damon shelley

    Basic HTTP authentication also allows you to set up user groups to give access to particular sections of the site only to certain users. You can then use the require group directive to specify access to one or more user groups.

    The following groups file, usually named htgroups , divides the users in the password file into two groups: 

    boys: chris damon
girls: shelley vanessa

    To give access only to the boys group, you could use the following .htaccess file: 

    AuthType Basic
AuthName "Boys Only"
AuthUserFile /home/yourname/htpasswd
AuthGroupFile /home/yourname/htgroup
require group boys

    Although it is fairly easy to set up and reasonably flexible, basic HTTP authentication has some drawbacks. First, you cannot change the look and feel of the pop-up login box. If you want to customize the process at all, you cannot use this method. Furthermore, the password file is stored on the server's filesystem, and updating it from a script may be problematic ; you will learn more about these issues when dealing with reading and writing to files in Lesson 17, "Filesystem Access."

    Apache Add-ons Several third-party modules for the Apache web serversuch as mod_auth_mysql and mod_auth_sqlite allow you to use basic HTTP authentication with password information stored in a database. Check with your web host to see whether these modules are installed.


    Session-Based Authentication

    To provide a completely customizable login process for your website, you must implement it yourself, and doing so in PHP requires using session variables .

    In a nutshell , once a user is logged in, the browser's session contains enough information to convince the scripts on the website that you are allowed to view a page. Users log in by using a form on your site where they enter their username and password. You can set up the layout and flow of the login process any way you see fit.

    One fairly significant difference from basic HTTP authentication is that the instruction to check the validity of a user's session appears in the script itself, not in a per-directory configuration file.

    Protecting HTML If your website includes plain HTML files that contain no PHP, you need to add PHP code to them to prevent them from being viewable to an anonymous user. You also need to change their file extension to .php .



    Buy on amazon.com >>
    Newman C
      << Previous page
      Table of contents
      Next page >>

      Similar products

      Similar products

       
      flylib.com © Copyright 2008-2013. All Rights Reserved.
      if you may any questions please contact us: flylib@qtcs.net
      Privacy policy