PHP Authentication/authorization techniques

Posted: Mon Nov 13, 2006 9:40 am
by sherrycrawley
I have used Java application servers such as WebSphere. In that environment, I can secure an application using WebSphere security.
This solves the problem of a user invoking a Web page directly who has not gone thru the sign on phase.
How can I solve this problem in PHP/Apache?
Do I have to include some PHP coding in each page to check if the user has signed in (i.e. by checking a session variable) before serving the page, or is there a more 'global' way of doing this, or what is the best alternative in the PHP/Apache environment?

Thanks.

Posted: Mon Nov 13, 2006 12:57 pm
by Christopher
With Websphere you are using their framework with its built in security. In PHP likewise you would use one of the many frameworks available -- many have scaffolding to make building easier. In general none will have the integration that Websphere does. Probably none of the Zend products might come closest if you are looking for a completely GUI based solution.

Posted: Mon Nov 13, 2006 3:41 pm
by sherrycrawley
OK, thanks for that.
If I were to go with a 'pure' PHP method, what is the current accepted approach? Do I include a snippet of PHP at the top of each page to check if a user has currently logged in? After some more looking around, that seems to be the more common.
What I am trying to avoid is someone discovering a page on my site and having them invoke it directly.
On the same topic, I've read that such (snippets) includes should not go in the document root but elsewhere in the server file system since they probably contain DB connect info. Does that sound right?

Thanks.

Posted: Mon Nov 13, 2006 3:51 pm
by Christopher
sherrycrawley wrote: OK, thanks for that.
If I were to go with a 'pure' PHP method, what is the current accepted approach? Do I include a snippet of PHP at the top of each page to check if a user has currently logged in? After some more looking around, that seems to be the more common.
I think that using a Front Controller and having the Access Control done there or injected into the Action Controllers is probably "the current accepted approach".
sherrycrawley wrote: On the same topic, I've read that such (snippets) includes should not go in the document root but elsewhere in the server file system since they probably contain DB connect info. Does that sound right?
Yes, it is good to separate code out to publicly inaccessible directories, but because PHP files are parsed the info you mention should not be accessible. But in the case of a misconfigured web server then PHP files could go unparsed and the info would be visible -- hence it is better to put it out of reach rather than tempt the fates.
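
The two points raised in this thread (one central access check instead of a snippet pasted into every page, and keeping the includes that hold DB credentials outside the document root) can be seen together in a single front controller. The example below is added here and is not code from any poster; it assumes a directory layout where `public/` is the Apache document root and `config/db.php` and `actions/*.php` sit one level above it, and the user `alice` with her password is a constructed demo record standing in for a database lookup.

```php
<?php
// public/index.php: the only PHP file under the document root.
// Assumed layout (an example, not a project convention):
//   /var/www/app/public/index.php   <- document root = /var/www/app/public
//   /var/www/app/config/db.php      <- DB credentials, one level above docroot
//   /var/www/app/actions/<name>.php <- per-page code, reached only through this file
declare(strict_types=1);

define('APP_ROOT', dirname(__DIR__));
require APP_ROOT . '/config/db.php';   // assumed to define DB_DSN, DB_USER, DB_PASS; never served by Apache

// Harden the session cookie before the session is started.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => isset($_SERVER['HTTPS'])]);
session_start();

const PUBLIC_ACTIONS  = ['login', 'logout'];   // reachable without a session
const SESSION_MAX_AGE = 8 * 3600;              // absolute lifetime in seconds

function is_logged_in(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['login_at'])
        && (time() - $_SESSION['login_at']) < SESSION_MAX_AGE;
}

function login_user(int $userId): void
{
    session_regenerate_id(true);      // fresh ID on privilege change defeats session fixation
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed demo credential store; a real app would query the DB using the constants above.
function find_user(string $name): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 1, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

$action = $_GET['action'] ?? 'home';
if (!preg_match('/^[a-z_]+$/', $action)) {   // restrict the name so it cannot steer the include path
    http_response_code(400);
    exit('Bad request');
}

// Central gate: every non-public action must carry a valid session, checked in one place.
if (!in_array($action, PUBLIC_ACTIONS, true) && !is_logged_in()) {
    header('Location: /index.php?action=login', true, 302);
    exit;
}

switch ($action) {
    case 'login':
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            $u = find_user((string)($_POST['user'] ?? ''));
            if ($u !== null && password_verify((string)($_POST['pass'] ?? ''), $u['hash'])) {
                login_user($u['id']);
                header('Location: /index.php?action=home', true, 303);
                exit;
            }
            http_response_code(401);
        }
        echo '<form method="post"><input name="user"><input name="pass" type="password"><button>Sign in</button></form>';
        break;
    case 'logout':
        logout_user();
        header('Location: /index.php?action=login', true, 303);
        exit;
    default:
        // Page code lives outside the docroot, so requesting /actions/report.php directly
        // yields a 404 from Apache rather than a way around the check above.
        $file = APP_ROOT . '/actions/' . $action . '.php';
        if (!is_file($file)) {
            http_response_code(404);
            exit('Not found');
        }
        require $file;
}
```

Because every page is reached as `/index.php?action=<name>`, the session check runs exactly once per request and a page author cannot forget it; moving the action files and the DB config above the document root is what makes the "unparsed PHP" failure mode harmless, since Apache has nothing to serve from those paths at all.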

Posted: Mon Nov 13, 2006 5:19 pm
by RobertGonzalez
It might sound silly, but if the application is not distributed, you could always hardcode the DB details into the app. The advantage to that is that you are not assigning potentially sensitive information (database connection details) to constants/variables that could eventually be echo'd.