Hi,
I'm trying to get my head around PHP security (surprise surprise), and I have a few questions that I'm sure are obvious ones:
1) What is the difference between using htaccess or a PHP system for a login system for a website? i.e. what scenarios are they used in?
2)The system I will be creating has two groups of users (A and B) that will be able to upload profiles about themselves. An A user can then find a B user, using some criteria, and vice versa. These users can then utilise a private forum where only the two of them can post messages. If a user is not registered they cannot upload anything.
My first impression after reading a bit about both htaccess and php logins is that the php system would be better suited this, as it will heavily rely on data about each user and that each user is a registered user. Is this correct?
3) Finally, can I just give a rough description of how the PHP system works just to check if I understand it correctly?
Step 1: Register as a user with username and pw
Step 2: Login with username and pw
Step 3: Session information based on this authenticated user is entered into a session db table
Step 4: Whenever a user tries to view a restricted page, either through direct URL entry, bookmarked page or a link, the session data for the user is checked against the session db table to see if the user is valid?
Now I realise that this is cutting out a lot of information but at a basic level is this how it works? If so where does the user's session data come from to check against the session info in the session db table?
sorry it's so long, and any help is appreciated, thanks
rj
htaccess vs php login
- Ambush Commander
- DevNet Master
I generally don't ever see htaccess authentication schemes for a few reasons:
1. Vendor lockin with Apache
2. Usually harder to implement than a regular login system in a manner that is failsafe. Sometimes, even when Apache is installed, the technique will not always work. This can be fine if it's an in-house application, but for distributed applications...
3. .htaccess authentication uses HTTP Basic Authentication, which limits the implementation flexibility but gives you something immediately workable. PHP would use regular POST and COOKIES, so you can do all sorts of things between but you'll have to code it all. What HTTP authentication means, however, is that the username/password are sent to the server every time. Mind you, PHP can do HTTP Basic Authentication too, but Apache has the ability to apply it to non-PHP files
4. Ugly popup dialog asking you to login
5. Here's the clincher: on/off permissions. htaccess files can only say "yes, the user can access the page", or "no, they cannot". PHP has to do the rest.
Regarding two... dating service?
Yes, PHP will have to know about user permissions, and I do not see why not go the whole hog and tie authorization with authentication?
Three: You probably should do some research (in this forum and on the web) about it: there is a lot of literature out there on this, and some things that aren't immediately obvious should definitely be done.
Last question: well... I don't know why you're so insistent on Database Sessions... PHP has builtin session management with $_SESSION. Otherwise, you may be interested in ADOdb.
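To make point 3 concrete, here is HTTP Basic Authentication done in PHP instead of .htaccess. This is an added example, not code from anyone in the thread; the `$users` array is a constructed stand-in for a users table and `requireBasicAuth` is a name chosen for this example.

```php
<?php
// Added example (not from the thread): the same HTTP Basic Authentication that
// .htaccess/mod_auth gives you, done in PHP via $_SERVER['PHP_AUTH_USER'] and
// $_SERVER['PHP_AUTH_PW']. Every request carries the username and password
// (base64-encoded, not encrypted), so this only makes sense over HTTPS.

// Constructed demo user store: username => password hash.
// A real application would load the hash from its users table.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

function requireBasicAuth(array $users, $realm = 'Members only')
{
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

    // Check the supplied password against the stored hash (password_verify
    // is constant-time, so it does not leak how much of the hash matched).
    $ok = $user !== null
        && isset($users[$user])
        && password_verify((string) $pass, $users[$user]);

    if (!$ok) {
        // This header pair is what makes the browser show the login dialog and,
        // once filled in, resend the credentials with every later request.
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required';
        exit;
    }
    return $user;
}

$who = requireBasicAuth($users);

// From here on all the script knows is "this user may see this page".
// Anything finer-grained (which rows $who may edit) is still up to your PHP code.
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

PHP_AUTH_USER and PHP_AUTH_PW are populated when PHP runs as an Apache module; under CGI/FastCGI they usually need extra server configuration to be passed through.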
rubberjohn
- Forum Contributor
thanks for the reply, that clears a few things up
can you clarify "tie authorization with authentication"?
also about the last part, it's not that I was insistent about using a db, I just thought that was how it works.
so if it can work without a db, after a user successfully logs in where is the resulting session info stored and how is it checked to see if it is valid, i.e. what is it checked against?
sorry again about this basic stuff, they're all topics I'm familiar with, I'm just having trouble understanding them - I guess I just need them in plain English - like the htaccess stuff
but again cheers for replying
rj
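The four steps from the first post, and the follow-up question of where the session data comes from, walked through with PHP's built-in sessions instead of a session table. This is an added example, not code from anyone in the thread; `$users` is a constructed stand-in for a users table and the function names are chosen for this example.

```php
<?php
// Added example (not from the thread). Assumption: $users stands in for the
// users table (username => password hash); everything else is built-in PHP.

// Reads the session id cookie (PHPSESSID) the browser sent and loads that
// session's data from PHP's server-side session store.
session_start();

// Step 1: register. Store only a password hash, never the password itself.
function registerUser(array &$users, $username, $password)
{
    if (isset($users[$username])) {
        return false;
    }
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Step 2: login. Verify against the hash, then mark the session as authenticated.
function loginUser(array $users, $username, $password)
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Step 3: the "session record" is just $_SESSION, which PHP saves on the
    // server under the session id. A fresh id on login stops a pre-login id
    // from being carried over (session fixation).
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user']     = array('userName' => $username);
    return true;
}

// Step 4: on a restricted page the browser supplies only the session id cookie;
// the loggedIn flag and user data come from the server-side copy, so the
// visitor cannot forge them.
function requireLogin()
{
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user']['userName'];
}

// Constructed demo run.
$users = array();
registerUser($users, 'rj', 'a long passphrase');
if (loginUser($users, 'rj', 'a long passphrase')) {
    echo 'Welcome back, ' . htmlspecialchars(requireLogin(), ENT_QUOTES, 'UTF-8');
}
```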
- John Cartwright
- Site Admin
a simple secured page would look something along the lines of

```php
session_start();
if (!isset($_SESSION['loggedIn'])) {
    header('Location: /login.php');
    exit; // stop here; without exit the rest of the script would still run after the redirect header
}
else {
    //the user has access to this else block!!
}
```

Now when I design my applications, I

I usually wrap these kinds of processes in a page controller, which will initialize a page class (gets pages permissions, and other info such as title from db) and a user class.. which can go several ways.. but in this case has access to the users permission

```php
if ($page->hasPermission($user->getPermission()) && file_exists($requestPage)) {
    include ('/securedPage.php');
}
else {
    include ('/404.php');
}
```

page class would look something like

```php
class page
{
    var $requestPage;
    function __construct($requestPage) {
        $this->requestPage = $requestPage;
    }
    function hasPermission($userPermission) {
        //query db against $this->requestPage; $row is the row that query returns
        //the user's level must be at least the level the page requires
        return ($userPermission >= $row['permission']);
    }
}
```

and user class would look something along the lines of

```php
class user
{
    var $userInfo;
    function __construct() {
        if (!isset($_SESSION['loggedIn'])) {
            //not logged in: fall back to a Guest with no permissions
            $this->userInfo = $_SESSION['user'] = array(
                'userName' => 'Guest',
                'permission' => 0,
            );
        }
        else {
            //user stuff already exists so no need to set default
            $this->userInfo = $_SESSION['user'];
        }
    }
    function getPermission() {
        return $this->userInfo['permission'];
    }
}
```

Might be a bit overkill for this simple task, but definitely something you should be looking into
rubberjohn
- Forum Contributor
oh right, ok, I think I can get my head around that, cheers
just one more thing when talking about user permissions - is that just a case of having columns in the user table for things like 'UPDATE', 'INSERT' or 'APPEND' and whether the user is allowed to do them?
would it be something like this?
Table columns: (Username, User Type, DELETE, INSERT, APPEND, UPDATE)
Table entries:
(user 1 , Admin , Y , Y , Y , Y)
(user 2 , Superuser , N , Y , N , Y)
(user 3 , User , N , N , Y , Y)
Do you know of any resources that explain this aspect of user management instead of just user creation and login stuff? Basically how best to design the admin aspect of the site for managing it?
thanks
rj