PHP Authentication/authorization techniques

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sherrycrawley
Forum Newbie
Posts: 3
Joined: Mon Nov 13, 2006 9:10 am


Post by sherrycrawley »

I have used Java application servers such as WebSphere. In that environment, I can secure an application using Webshere security.
This solves the problem of a user invoking a Web page directly who has not gone thru the sign on phase.
How can I solve this problem in PHP/Apache?
Do I have to include some PHP coding in each page to check if the user has signed in (i.e. by checking a session variable) before serving the page, or is there a more 'global' way of doing this, or what is the best alternative in the PHP/Apache environment?

Thanks.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

With Websphere you are using their framework with its built in security. In PHP likewise you would use one of the many frameworks available -- many have scaffolding to make building easier. In general none will have the integration that Websphere does. Probably none of the Zend products might come closest if you are looking for a completely GUI based solution.
sherrycrawley
Forum Newbie
Posts: 3
Joined: Mon Nov 13, 2006 9:10 am

Post by sherrycrawley »

OK, thanks for that.
If I were to go with a 'pure' PHP method, what is the current accepted approach? Do I include a snippet of PHP at the top of each page to check if a user has currently logged in? After some more looking around, that seems to be the more common approach.
What I am trying to avoid is someone discovering a page on my site and having them invoke it directly.
On the same topic, I've read that such (snippets) includes should not go in the document root but elsewhere in the server file system since they probably contain DB connect info. Does that sound right?

Thanks.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

sherrycrawley wrote: OK, thanks for that.
If I were to go with a 'pure' PHP method, what is the current accepted approach? Do I include a snippet of PHP at the top of each page to check if a user has currently logged in? After some more looking around, that seems to be the more common.
I think that using a Front Controller and having the Access Control done there or injected into the Action Controllers is probably "the current accepted approach".
sherrycrawley wrote: On the same topic, I've read that such (snippets) includes should not go in the document root but elsewhere in the server file system since they probably contain DB connect info. Does that sound right?
Yes, it is good to separate code out to publicly inaccessible directories, but because PHP files are parsed the info you mention should not be accessible. But in the case of a misconfigured web server then PHP files could go unparsed and the info would be visible -- hence it is better to put it out of reach rather than tempt the fates.
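As an added example (not code posted by anyone in this thread), here is a minimal front controller of the kind Christopher describes: every request goes through a single public index.php, which loads the database settings from a directory outside the document root, performs the login check once before dispatching to an action, and regenerates the session id when a user logs in. The directory layout, the action names and the `user_id` session key are assumptions.

```php
<?php
// index.php: the only file inside the document root. Assumed layout:
//   /var/www/app/public/index.php   (this file; DocumentRoot is /var/www/app/public)
//   /var/www/app/config/db.php      (returns an array; never reachable over HTTP)
//   /var/www/app/actions/<name>.php (one action controller per file)
declare(strict_types=1);

$appRoot  = dirname(__DIR__);
$dbConfig = require $appRoot . '/config/db.php'; // e.g. ['dsn' => ..., 'user' => ..., 'pass' => ...]

session_start();

// Actions that may be reached without being logged in.
$publicActions = ['login', 'logout'];

// Whitelist the action name (letters only) and check the file exists, so the
// request cannot steer the require() to an arbitrary path.
$action = $_GET['action'] ?? 'home';
if (!preg_match('/^[a-z]+$/', $action) || !is_file("$appRoot/actions/$action.php")) {
    http_response_code(404);
    exit('Not found');
}

// Central access control: one check here replaces a snippet at the top of every page.
if (!in_array($action, $publicActions, true) && empty($_SESSION['user_id'])) {
    $_SESSION['after_login'] = $action;          // remember where the user was heading
    header('Location: /index.php?action=login', true, 303);
    exit;
}

// Called by the login action once credentials have been verified against the DB.
function loginUser(int $userId): void
{
    session_regenerate_id(true);                  // drop the pre-login session id
    $_SESSION['user_id'] = $userId;
}

// Called by the logout action.
function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Dispatch; the action file sees $dbConfig and the helpers above.
require "$appRoot/actions/$action.php";
```

Because the config file sits above the document root, a web server that stops parsing PHP would expose only index.php, not the credentials it loads.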
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

It might sound silly, but if the application is not distributed, you could always hardcode the DB details into the app. The advantage to that is that you are not assigning potentially sensitive information (database connection details) to constants/variables that could eventually be echo'd.