Chapter 5
Central Authentication System
IN THIS CHAPTER
◆ How central authentication works
◆ How to create central login application
◆ How to create central logout application
◆ How to create central authentication database
◆ How to test central login and logout
◆ How to make persistent logins in Web server farms
A CENTRAL AUTHENTICATION SYSTEM consists of two applications: login and logout. The login application allows users to log in, and the logout application is used to terminate the login session. This chapter shows you how to build and implement such a system.
How the System Works
First, let's take a look at how such a system will work with any of your PHP Application Framework–based applications. Figure 5-1 shows a partial flow diagram for a PHP application that requires authentication and authorization.
When such an application starts up, it checks to see if the user is already authenticated. This is done by checking for the existence of a user session. If such a user session is found, the user is authenticated and the application then performs the authorization check itself. If the user is not authenticated already, she is automatically redirected to the authentication system. Similarly, in the authorization phase, if the user is found to be incapable of running the application due to lack of privilege, she is redirected to the authentication system.
In our PHP Application Framework (PHPAF) model, the authentication application is called login.php. Figure 5-2 shows how this application works.
Figure 5-1: How an application works with the authentication system.
[Figure 5-1 flow, any PHP application: Start -> Is user authenticated? (No: Redirect the user to login application) -> Is user authorized to access this application? (No: Redirect the user to login application) -> Do application specific tasks]
Figure 5-2: How the login application works.
[Figure 5-2 flow, login.php: Start -> Get User Credentials -> Is valid user? (Yes: Create User Session Data -> Redirect the user to the originating application; No: Count Attempts -> Too many Attempts? (Yes: Warn user about abuse; No: Get User Credentials again))]
The login application gets the user credentials (username and password) from the GUI and checks the validity of the credentials against a user table in the authentication database. If the user has supplied valid credentials, a user session is created and the user is directed to the application that made the login request.
A user is given a set number of chances to log in, and if she doesn't succeed in providing valid credentials, the login application automatically directs the user to an HTML page, which should warn the user about abuse.
Like the login application, the central logout application can be linked from any application interface to allow a user to log out immediately. The logout application works as shown in Figure 5-3.
Figure 5-3: How the logout application works.
The logout application checks whether the user is really logged in. If she is logged in, the user session is removed; if she isn't, a "Not Logged In" message is displayed.
<gr_insert after="47" cat="add_content" lang="php" orig="The logout">
The authentication gate, the login attempt counter and the redirect back to the originating application described above, as an added example that is not the book's framework code (it assumes PHP 8, that the framework has already called session_start(), and the names MAX_LOGIN_ATTEMPTS, $_SESSION['user_id'], $_SESSION['login_attempts'] and a "url" query parameter carrying the caller's path):

```php
<?php
// Added example, not the book's code: the gate of Figure 5-1 and the attempt
// counter of Figure 5-2 on PHP's built-in sessions. Assumed: session_start()
// has already run, plus the names MAX_LOGIN_ATTEMPTS, $_SESSION['user_id'],
// $_SESSION['login_attempts'] and the "url" parameter carrying the caller's path.
define('MAX_LOGIN_ATTEMPTS', 3); // assumed limit; the book leaves the number to you

// Accept only a local path as the return target; an absolute URL in "url"
// would turn login.php into an open redirect.
function safeReturnUrl(?string $url, string $fallback = '/'): string
{
    $ok = is_string($url) && $url !== '' && $url[0] === '/' && !str_starts_with($url, '//');
    return $ok ? $url : $fallback;
}

// Top of any framework application: pass when a user session exists, else
// send the user to the central login application with the originating URL.
function requireAuthentication(string $loginUrl = '/login.php'): int
{
    if (!empty($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $origin = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: ' . $loginUrl . '?url=' . rawurlencode($origin), true, 302);
    exit;
}

// login.php, failed credential check: count the attempt and, at the limit, go to
// the abuse-warning page. A session-bound counter resets when the cookie is
// dropped, so keep a per-account counter in the authentication database as well.
function recordFailedAttempt(string $warnUrl = '/abuse.html'): void
{
    $_SESSION['login_attempts'] = ($_SESSION['login_attempts'] ?? 0) + 1;
    if ($_SESSION['login_attempts'] >= MAX_LOGIN_ATTEMPTS) {
        unset($_SESSION['login_attempts']);
        header('Location: ' . $warnUrl, true, 302);
        exit;
    }
}

// login.php, valid credentials: fresh session id (so an id fixed before login
// is useless), store the user, then return to the originating application.
function onSuccessfulLogin(int $userId, ?string $requestedUrl): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['login_attempts']);
    header('Location: ' . safeReturnUrl($requestedUrl), true, 302);
    exit;
}
```
</gr_insert>
<gr_replace lines="52-57" cat="reformat" orig="Start">
[Figure 5-3 flow, logout.php: Start -> Is user logged in? (Yes: Terminate session; No: Show "not logged in")]
Start
Is user logged in?
No
Yes Terminate session
Show "not logged in"
logout.php
In the rest of the chapter we will create the necessary classes and develop the login/logout applications to implement the central authentication system described above.
Figure 5-4: Class Level Architecture of the central authentication system.
Creating an Authentication Class
Listing 5-1 shows the authentication class, called class.Authentication.php, which will implement the central authentication system.
Listing 5-1: class.Authentication.php
<?php
/*
 *
 * Application class
 *
 * @author EVOKNOW, Inc <php@evoknow.com>
 * @access public
 * CVS ID: $Id$
 */
include_once $DEBUGGER_CLASS;
// class.DBI.php (Chapter 4) must also be loaded before authenticate() is called.

class Authentication {

    // Constructor. The PHP 4 listing names it Authentication(); PHP 7 and
    // later require __construct().
    function __construct($email = null, $password = null, $db_url = null)
    {
        global $AUTH_DB_TBL;
        $this->status   = FALSE;
        $this->email    = $email;
        $this->password = $password;
        $this->auth_tbl = $AUTH_DB_TBL;
        $this->db_url   = ($db_url == null) ? null : $db_url;

        if ($db_url == null) {
            // No URL supplied: build one from the central authentication
            // database settings in the framework configuration.
            global $AUTH_DB_TYPE, $AUTH_DB_NAME;
            global $AUTH_DB_USERNAME, $AUTH_DB_PASSWD;
            global $AUTH_DB_HOST;
            $this->db_url = sprintf("%s://%s:%s@%s/%s", $AUTH_DB_TYPE,
                                    $AUTH_DB_USERNAME,
                                    $AUTH_DB_PASSWD,
                                    $AUTH_DB_HOST,
                                    $AUTH_DB_NAME);
        }
        $this->status = FALSE;
    }

    function authenticate()
    {
        $dbi = new DBI($this->db_url);

        // Look up the active account for this e-mail address.
        // NOTE: $this->email goes straight into the SQL string; validate it
        // (or escape it for the DBI in use) before it reaches the query.
        $query  = "SELECT USER_ID, PASSWORD from " . $this->auth_tbl;
        $query .= " WHERE EMAIL = '" . $this->email . "' AND ACTIVE = '1'";

        $result = $dbi->query($query);
        if ($result != null) {
            // fetchRow() returns nothing for an unknown e-mail; check $row
            // before reading its fields.
            $row  = $result->fetchRow();
            // Stored passwords are crypt() hashes whose first two characters
            // are the salt; re-hash the supplied password with that salt.
            $salt = substr($row->PASSWORD, 0, 2);
            if (crypt($this->password, $salt) == $row->PASSWORD) {
Continued
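The authenticate() lookup in Listing 5-1 splices the e-mail address into the SQL string. The same check rebuilt on a prepared statement, as an added example that is not the book's class.Authentication.php (it assumes PDO with an in-memory SQLite table in place of the framework's class.DBI.php, and columns named as in the listing):

```php
<?php
// Added example, not the book's class: the credential check of authenticate()
// with the e-mail bound as a parameter instead of concatenated into the SQL.
// Assumed: a PDO connection and a table with USER_ID, EMAIL, PASSWORD, ACTIVE.

function authenticateUser(PDO $pdo, string $authTable, string $email, string $password): ?int
{
    // The table name cannot be bound, so allow only a plain identifier from configuration.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $authTable)) {
        throw new InvalidArgumentException('auth table must be a plain identifier');
    }
    $stmt = $pdo->prepare(
        "SELECT USER_ID, PASSWORD FROM $authTable WHERE EMAIL = :email AND ACTIVE = '1'"
    );
    $stmt->execute([':email' => $email]);   // e-mail is bound, never spliced into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                         // unknown or inactive account
    }
    // crypt() takes its salt from the stored hash (the first two characters for
    // the DES scheme the listing uses), so one call covers any crypt() format;
    // hash_equals() compares without an early exit on the first differing byte.
    $stored = $row['PASSWORD'];
    return hash_equals($stored, crypt($password, $stored)) ? (int) $row['USER_ID'] : null;
}

// Stand-alone demo on an in-memory SQLite table (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE USERS (USER_ID INTEGER, EMAIL TEXT, PASSWORD TEXT, ACTIVE TEXT)");
$ins = $pdo->prepare("INSERT INTO USERS VALUES (?, ?, ?, ?)");
$ins->execute([7, "o'brien@example.com", crypt('s3cret', 'ab'), '1']);  // DES hash, 2-char salt
$ins->execute([8, 'old@example.com', crypt('s3cret', 'cd'), '0']);      // inactive account

var_dump(authenticateUser($pdo, 'USERS', "o'brien@example.com", 's3cret'));  // valid credentials
var_dump(authenticateUser($pdo, 'USERS', "o'brien@example.com", 'wrong'));   // wrong password
var_dump(authenticateUser($pdo, 'USERS', 'old@example.com', 's3cret'));      // inactive account
```

The quote in the first e-mail address shows why binding matters: it reaches the database as data, not as SQL. password_hash()/password_verify() are the modern replacement for a two-character DES salt, and password_verify() also accepts legacy crypt() hashes, so existing rows can keep working while they are rehashed.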