power supply (UPS). A UPS that will power a single machine for 10 minutes will cost less than $300 (U.S.). Allowing for longer failures, or more equipment, can get expensive. Long power failures really require a generator to run air conditioning as well as computers.
Like power failures, network outages of minutes or hours are out of your control and bound to occur occasionally. If your network is vital, it makes sense to have connections to more than one Internet service provider. It will cost more to have two connections, but it should mean that, in case of failure, you have reduced capacity rather than becoming invisible.
These sorts of issues are some of the reasons you might like to consider co-locating your machines at a dedicated facility. Although one medium-sized business might not be able to justify a UPS that will run for more than a few minutes, multiple redundant network connections, and fire suppression systems, a quality facility housing the machines of a hundred similar businesses can.
Next
In Chapter 14, we will look specifically at authentication—allowing your users to prove their identity. We will look at a few different methods, including using PHP and MySQL to authenticate your visitors.
14 Implementing Authentication with PHP and MySQL
This chapter will discuss how to implement various PHP and MySQL techniques for authenticating a user.
Topics include:
• Identifying visitors
• Implementing access control
• Basic authentication
• Using basic authentication in PHP
• Using Apache’s .htaccess basic authentication
• Using basic authentication with IIS
• Using mod_auth_mysql authentication
• Creating your own custom authentication
Identifying Visitors
The Web is a fairly anonymous medium, but it is often useful to know who is visiting your site. Fortunately for visitors’ privacy, you can find out very little about them without their assistance.
With a little work, servers can find out quite a lot about the computers and networks that connect to them. A Web browser will usually identify itself, telling the server what browser, browser version, and operating system you are running. You can determine what resolution and color depth visitors’ screens are set to and how large their Web browser windows are.
addresses will be more useful than others. Generally, people with permanent Internet connections will have a permanent address. Customers dialing into an ISP will usually get only the temporary use of one of the ISP’s addresses. The next time you see that address, it might be being used by a different computer, and the next time you see that visitor, she will likely be using a different IP address.
Fortunately for Web users, none of the information that their browsers give out identifies them. If you want to know a visitor’s name or other details, you will have to ask her.
Many Web sites provide compelling reasons to get users to provide their details. The New York Times newspaper (http://www.nytimes.com) provides its content for free, but only to people willing to provide details such as name, sex, and total household income. Nerd news and discussion site Slashdot (http://www.slashdot.org) allows registered users to participate in discussions under a nickname and customize the interface they see. Most e-commerce sites record their customers’ details when they make their first order. This means that a customer is not required to type her details every time.
Having asked for and received information from your visitor, you need a way to associate the information with the same user the next time she visits. If you are willing to make the assumption that only one person visits your site from a particular account on a particular machine and that each visitor only uses one machine, you could store a cookie on the user’s machine to identify the user. This is certainly not true for all users—frequently, many people share a computer and many people use more than one computer. At least some of the time, you will need to ask a visitor who she is again. In addition to asking who a user is, you will also need to ask a user to provide some level of proof that she is who she claims to be.
As discussed in Chapter 13, “E-commerce Security Issues,” asking a user to prove her identity is called authentication. The usual method of authentication used on Web sites is asking visitors to provide a unique login name and a password. Authentication is usually used to allow or disallow access to particular pages or resources, but it can be optional, or used for other purposes such as personalization.
Implementing Access Control
Simple access control is not difficult to implement. The code shown in Listing 14.1 delivers one of three possible outputs. If the file is loaded without parameters, it will display an HTML form requesting a username and password. This type of form is shown in Figure 14.1.
Figure 14.1 Our HTML form requests that visitors enter a username and password for access.
If the parameters are present but not correct, it will display an error message. Our error message is shown in Figure 14.2.
Figure 14.2 When users enter incorrect details, we need to give them an error message. On a real site, you might want to give a somewhat friendlier message.
If these parameters are present and correct, it will display the secret content. Our test content is shown in Figure 14.3.
The code to create the functionality shown in Figures 14.1, 14.2, and 14.3 is shown in Listing 14.1.
Figure 14.3 When provided with correct details, our script will display content.
Listing 14.1 secret.php—PHP and HTML to Provide a Simple Authentication Mechanism
<?php
// create short names for the submitted variables; $_POST replaces the old
// $HTTP_POST_VARS array (removed in PHP 5.4), and ?? supplies an empty string
// when the field was not sent, so no @ error suppression is needed
$name = $_POST['name'] ?? '';
$password = $_POST['password'] ?? '';

if (empty($name) || empty($password)) {
  // Visitor needs to enter a name and password
?>
<h1>Please Log In</h1>
This page is secret.
<form method="post" action="secret.php">
  <table border="1">
    <tr>
      <th> Username </th>
      <td> <input type="text" name="name"> </td>
    </tr>
    <tr>
      <th> Password </th>
      <td> <input type="password" name="password"> </td>
    </tr>
    <tr>
      <td colspan="2" align="center">
        <input type="submit" value="Log In">
      </td>
    </tr>
  </table>