htaccess vs php login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am


Post by rubberjohn »

Hi,

I'm trying to get my head around PHP security (surprise surprise), and I have a few questions that I'm sure are obvious ones:

1) What is the difference between using htaccess or a PHP system for a login system for a website? i.e. what scenarios are they used in?

2)The system I will be creating has two groups of users (A and B) that will be able to upload profiles about themselves. An A user can then find a B user, using some criteria, and vice versa. These users can then utilise a private forum where only the two of them can post messages. If a user is not registered they cannot upload anything.

My first impression after reading a bit about both htaccess and PHP logins is that the PHP system would be better suited to this, as it will heavily rely on data about each user and that each user is a registered user. Is this correct?

3) Finally, can I just give a rough description of how the PHP system works, just to check if I understand it correctly?

Step 1: Register as a user with username and pw
Step 2: Login with username and pw
Step 3: Session information based on this authenticated user is entered into a session db table
Step 4: Whenever a user tries to view a restricted page, either through direct URL entry, bookmarked page or a link, the session data for the user is checked against the session db table to see if the user is valid?

Now I realise that this is cutting out a lot of information but at a basic level is this how it works? If so where does the user's session data come from to check against the session info in the session db table?

Sorry it's so long; any help is appreciated, thanks.

rj
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I generally don't ever see htaccess authentication schemes for a few reasons:

1. Vendor lock-in with Apache
2. Usually harder to implement than a regular login system in a manner that is failsafe. Sometimes, even when Apache is installed, the technique will not always work. This can be fine if it's an in-house application, but for distributed applications...
3. .htaccess authentication uses HTTP Basic Authentication, which limits the implementation flexibility but gives you something immediately workable. PHP would use regular POST and COOKIES, so you can do all sorts of things in between, but you'll have to code it all. What HTTP authentication means, however, is that the username/password are sent to the server every time. Mind you, PHP can do HTTP Basic Authentication too, but Apache has the ability to apply it to non-PHP files.
4. Ugly popup dialog asking you to login
5. Here's the clincher: on/off permissions. htaccess files can only say "yes, the user can access the page", or "no, they cannot". PHP has to do the rest.

Regarding two... dating service? ;-) Yes, PHP will have to know about user permissions, and I do not see why not go the whole hog and tie authorization with authentication?

Three: You probably should do some research (in this forum and on the web) about it: there is a lot of literature out there on this, and some things that aren't immediately obvious should definitely be done.

Last question: well... I don't know why you're so insistent on Database Sessions... PHP has builtin session management with $_SESSION. Otherwise, you may be interested in ADOdb.
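To make point 3 concrete, here is HTTP Basic Authentication done in PHP. This is an added example, not code from Ambush Commander or anyone else in the thread; it is the same mechanism an Apache .htaccess + .htpasswd setup uses, so it shows what "the username/password are sent to the server every time" and "on/off permissions" look like from the server side. It assumes PHP runs as a SAPI that fills $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] (e.g. mod_php; under CGI/FastCGI Apache may need a rewrite rule to pass the Authorization header through), and the $users array is a constructed stand-in for a real user table.

```php
<?php
// Added example (not from the thread): HTTP Basic Authentication in PHP,
// the same mechanism .htaccess/.htpasswd uses. Every request carries the
// credentials again, and the only outcome is allow or deny.
// Assumption: the SAPI populates PHP_AUTH_USER / PHP_AUTH_PW (e.g. mod_php).

// Constructed user store. Hashes are generated at startup only so the example
// is self-contained; a real application loads them from its user table.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'bob'   => password_hash('another-long-passphrase', PASSWORD_DEFAULT),
];

// A dummy hash verified when the username is unknown, so an unknown user and a
// wrong password take about the same time (no username enumeration by timing).
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

/**
 * Returns the authenticated username, or null if the request carries no
 * valid credentials.
 */
function basic_auth_user(array $users, string $dummyHash): ?string
{
    $name = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if ($name === null || $pass === null) {
        return null;
    }
    $known = array_key_exists($name, $users);
    $hash  = $known ? $users[$name] : $dummyHash;
    $ok    = password_verify($pass, $hash);   // constant-time compare inside
    return ($known && $ok) ? $name : null;
}

$who = basic_auth_user($users, $dummyHash);
if ($who === null) {
    // Challenge the browser: it shows the login dialog and retries the
    // request with an Authorization header. This is the "ugly popup".
    header('WWW-Authenticate: Basic realm="Members only"');
    http_response_code(401);
    echo 'Authentication required';
    exit;
}

// From here on the request is from *some* valid user. Which private forum
// that user may post in is not something Basic auth can express; PHP code
// still has to decide that per user.
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Two things to keep in mind with this scheme: the credentials travel base64-encoded, not encrypted, on every request, so it is only acceptable over HTTPS; and there is no real "logout", since the browser keeps resending what it cached until it is closed.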
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Thanks for the reply, that clears a few things up.

Can you clarify "tie authorization with authentication"?

Also, about the last part, it's not that I was insistent about using a db, I just thought that was how it works.

So if it can work without a db, after a user successfully logs in, where is the resulting session info stored and how is it checked to see if it is valid, i.e. what is it checked against?

Sorry again about this basic stuff, they're all topics I'm familiar with, I'm just having trouble understanding them - I guess I just need them in plain English - like the htaccess stuff.

but again cheers for replying

rj
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

A simple secured page would look something along the lines of

Code:

session_start();

if (!isset($_SESSION['loggedIn'])) {
   header('Location: /login.php');
   exit; //stop here, otherwise the rest of the page is still sent after the redirect header
}
else {
   //the user has access to this else block!!
}

Now when I design my applications, I usually wrap these kinds of processes in a page controller, which will initialize a page class (gets page permissions and other info such as title from the db) and a user class, which can go several ways, but in this case has access to the user's permission:

Code:

//$requestPage is the page the visitor asked for, $page and $user are the objects below
if ($page->hasPermission($user->getPermission()) && file_exists($requestPage)) { 
   include ('/securedPage.php');
}
else {
   include ('/404.php');
}

The page class would look something like

Code:

class page 
{
   public $requestPage;

   function __construct($requestPage) { 
      $this->requestPage = $requestPage;
   }

   function hasPermission($userPermission) {
      //query db against $this->requestPage; the row's 'permission' column
      //is the minimum level the page requires
      $row = $this->fetchPageRow();

      if (!$row) {
         return false; //unknown page: deny by default
      }
      //the user must hold at least the level the page requires
      return ($userPermission >= $row['permission']);
   }

   function fetchPageRow() {
      //placeholder for the db lookup (not shown here): return the pages-table
      //row for $this->requestPage, or false if there is none
      return false;
   }
}

And the user class would look something along the lines of

Code:

class user 
{
   public $userInfo;

   //assumes session_start() has already been called
   function __construct() {
      if (!isset($_SESSION['loggedIn'])) {
          //not logged in: treat the visitor as Guest with the lowest permission
          $this->userInfo = $_SESSION['user'] = array(
             'userName' => 'Guest', 
             'permission' => 0,
          );
      }
      else {
          //user stuff already exists so no need to set default 
          $this->userInfo = $_SESSION['user'];
      }
   }

   function getPermission() {
      return $this->userInfo['permission'];
   }
}

Might be a bit overkill for this simple task, but definitely something you should be looking into :wink:
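The post above shows the guard on a restricted page; what it leaves out is the login step that puts the user into the session, which is also the answer to "where is the session info stored and what is it checked against". The following is an added example, not John Cartwright's code: the session data lives on the server (by default in PHP's session save path), the browser only holds the random session id in a cookie, and session_start() loads the matching $_SESSION on every request. The $users array is a constructed stand-in for a real user table, and the "permission" numbers follow the scheme in the post, where a higher number grants more access.

```php
<?php
// Added example (not from the thread): a minimal session login that ties
// authorization (the permission level) to authentication (the password check).
// Assumption: $users stands in for a users table; a higher permission number
// grants more access, as in the classes above.

session_start();

// Constructed user store, hashed at startup so the script is self-contained.
$users = [
    'alice' => ['hash' => password_hash('alice-secret-passphrase', PASSWORD_DEFAULT), 'permission' => 2],
    'bob'   => ['hash' => password_hash('bob-secret-passphrase', PASSWORD_DEFAULT),   'permission' => 1],
];

/** Step 2 of the original post: verify username/password. Returns the user or null. */
function authenticate(array $users, string $name, string $pass): ?array
{
    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        return null;
    }
    return ['userName' => $name, 'permission' => $users[$name]['permission']];
}

/** Step 3: record the authenticated user in the server-side session. */
function login(array $user): void
{
    // Fresh id on privilege change, so a session id planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user'] = $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

/** Step 4: guard a restricted page. Redirects anonymous users, rejects low levels. */
function require_permission(int $required): array
{
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php');
        exit;   // without exit the rest of the page would still be sent
    }
    $user = $_SESSION['user'];
    if ($user['permission'] < $required) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

// --- login.php part: handle the POSTed login form ---------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = authenticate($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('Invalid username or password');   // same message whether user or password was wrong
    }
    login($user);
    header('Location: /members.php');
    exit;
}

// --- members.php part: a page that needs permission level 1 or higher -------
$me = require_permission(1);
echo 'Welcome, ' . htmlspecialchars($me['userName'], ENT_QUOTES, 'UTF-8');
```

The session id in the cookie is the only thing the browser can present, so it must be unguessable (PHP generates it) and sent over HTTPS; everything the page later trusts, including the permission level, is read from the server-side $_SESSION rather than from anything the client sends.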
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Oh right, ok, I think I can get my head around that, cheers.

Just one more thing, when talking about user permissions - is that just a case of having columns in the user table for things like 'UPDATE', 'INSERT' or 'APPEND' and whether the user is allowed to do them?

would it be something like this?

Table columns :(Username , User Type, DELETE, INSERT, APPEND, UPDATE)

Table entries:
(user 1 , Admin , Y , Y , Y , Y)
(user 2 , Superuser , N , Y , N , Y)
(user 3 , User , N , N , Y , Y)


Do you know of any resources that explain this aspect of user management instead of just user creation and login stuff? Basically how best to design the admin aspect of the site for managing it?

thanks

rj
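As an added example (not from anyone in the thread), here is the Y/N permission table from the post above as an actual table, queried with a prepared statement, with a check that denies by default for unknown users and unknown actions. It assumes the pdo_sqlite extension is available; an in-memory SQLite database stands in for the real MySQL table, and the three rows are the constructed entries from the post.

```php
<?php
// Added example (not from the thread): rubberjohn's permission columns as a
// real table plus a deny-by-default check. Assumption: pdo_sqlite is
// installed; sqlite::memory: stands in for the production database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Columns follow the post: (Username, User Type, DELETE, INSERT, APPEND, UPDATE).
// Stored as 0/1 rather than 'Y'/'N' so the database rejects values like 'y '.
$db->exec("CREATE TABLE user_permissions (
    username   TEXT PRIMARY KEY,
    user_type  TEXT NOT NULL,
    can_delete INTEGER NOT NULL DEFAULT 0 CHECK (can_delete IN (0, 1)),
    can_insert INTEGER NOT NULL DEFAULT 0 CHECK (can_insert IN (0, 1)),
    can_append INTEGER NOT NULL DEFAULT 0 CHECK (can_append IN (0, 1)),
    can_update INTEGER NOT NULL DEFAULT 0 CHECK (can_update IN (0, 1))
)");

// Constructed rows: the three entries from the post.
$ins = $db->prepare('INSERT INTO user_permissions VALUES (?, ?, ?, ?, ?, ?)');
$ins->execute(['user1', 'Admin',     1, 1, 1, 1]);
$ins->execute(['user2', 'Superuser', 0, 1, 0, 1]);
$ins->execute(['user3', 'User',      0, 0, 1, 1]);

// Whitelist of action names -> columns. A user-supplied action name is never
// placed in SQL directly; it is looked up here first.
const PERMISSION_COLUMNS = [
    'DELETE' => 'can_delete',
    'INSERT' => 'can_insert',
    'APPEND' => 'can_append',
    'UPDATE' => 'can_update',
];

/**
 * True only if the user exists and the named permission is granted.
 * Unknown users and unknown actions are denied.
 */
function can(PDO $db, string $username, string $action): bool
{
    if (!isset(PERMISSION_COLUMNS[$action])) {
        return false;
    }
    $col  = PERMISSION_COLUMNS[$action];   // comes from the whitelist above, safe to embed
    $stmt = $db->prepare("SELECT $col FROM user_permissions WHERE username = ?");
    $stmt->execute([$username]);
    $value = $stmt->fetchColumn();
    return $value !== false && (int) $value === 1;
}

/** Guard an action the way a page controller would, before running it. */
function require_can(PDO $db, string $username, string $action): void
{
    if (!can($db, $username, $action)) {
        http_response_code(403);
        exit("Forbidden: $username may not $action");
    }
}

// Print the effective rights for the sample rows, plus two cases that must be denied.
$checks = [
    ['user1', 'DELETE'], ['user2', 'DELETE'], ['user3', 'APPEND'],
    ['nobody', 'UPDATE'],   // unknown user
    ['user1', 'DROP'],      // unknown action
];
foreach ($checks as [$who, $what]) {
    printf("%-7s %-7s %s\n", $who, $what, can($db, $who, $what) ? 'allowed' : 'denied');
}

// Typical use in a controller: check, then act.
require_can($db, 'user2', 'UPDATE');
echo "user2 may UPDATE, proceeding\n";
```

Reading the permission from the database on each check, rather than copying the Y/N flags into the session at login, means that revoking a right takes effect on the user's next request instead of at their next login; the cost is one indexed lookup per guarded action.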