|  | Posted by Michael B Allen on 06/18/60 11:33 
Hi,
 I'm scoping out an Internet site project and my primary consideration at
 the moment is authentication infrastructure. Conceptually I was thinking
 about something like the pseudocode at the bottom of this message
 (pardon all the Java-esque typing).
 
 Can PHP do this sort of thing? I'm wondering if there are some classes
 available to do this? I don't think I want to use WWW-Authenticate (at
 least I don't want to use the ugly password dialog) and I certainly don't
 want to authenticate via pam or something like that. I want "as simple
 as possible, but not simpler" type of thing. I have a strong aversion
 to bloatware.
 
 Or am I off track? I normally do pretty low level C type stuff so websites
 are new to me (i.e. PHP).
 
 Thanks,
 Mike
 
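 /*
  * Resolve the caller's Ticket for this request, then hand the request off.
  *
  * Attempts, in order (Java-esque pseudocode):
  *   1. a Ticket already stored in the session;
  *   2. a Ticket carried in the "ticket" cookie, re-validated against the
  *      per-account ssnkey stored in the accounts table;
  *   3. a fresh login from the emailaddr/password form fields, HTTPS only.
  * A null ticket at the end means anonymous; handleAuthenticatedRequest
  * decides what an anonymous request may do.
  *
  * Returns whatever handleAuthenticatedRequest (or sendError on a failed
  * login) returns.
  */
 int
 handleRequest(Request req)
 {
     Ticket ticket, tmp;

     /* If the user already has a ticket associated with their session,
      * just pass through and handle the request.
      */
     if ((ticket = req.session.getProperty("ticket")) == null) {
         SqlResults results;

         /* If the user has a ticket (embedded in a cookie) then associate
          * it with their session and pass through and handle the request.
          */
         String cookie = req.getCookie("ticket");
         if (cookie != null) {        /* try ticket from cookie */
             /* "12345" is a placeholder for the ticket key; the real key has to
              * come from configuration / a secret store, never from source. */
             tmp = Ticket.decrypt("12345", cookie);
             /* emailaddr originates from the client, so it is bound as a query
              * parameter (PreparedStatement-style) rather than concatenated
              * into the SQL text. */
             results = Sql.exec(
                 "select ssnkey from accounts where emailaddr = ?", tmp.emailaddr);
             /* The field is ssnkey (not "sshkey"): that is what the login path
              * below writes. Assumes ssnkey is a primitive int — if it is boxed,
              * compare with equals() instead of ==. */
             if (results.size() == 1 && tmp.ssnkey == results.getInteger(0)) {
                 req.session.setProperty("ticket", tmp);
                 ticket = tmp; /* Success! */
             }
         }

         if (ticket == null && req.session.isHttps) { /* try new login */
             String emailaddr = req.getParameter("emailaddr");
             String password = req.getParameter("password");
             if (emailaddr != null && password != null) {
                 results = Sql.exec(
                     "select status, password from accounts where emailaddr = ?",
                     emailaddr);
                 /* Strings are compared with equals(), not != / ==.
                  * NOTE(review): this compares the submitted password to the
                  * stored column verbatim, i.e. the column holds the plaintext;
                  * it should hold a salted password hash and the check should
                  * be a constant-time verify against that hash. */
                 if (results.size() != 1 ||
                     !"valid".equals(results.getString(0)) ||
                     !password.equals(results.getString(1))) {
                     return sendError(req, ERROR_AUTH_FAILED);
                 }

                 tmp = new Ticket(emailaddr);
                 Sql.exec("update accounts set ssnkey = ? where emailaddr = ?",
                     tmp.ssnkey, tmp.emailaddr);
                 /* The original encrypted `ticket`, which is still null at this
                  * point; the freshly issued ticket is `tmp`. The cookie should
                  * also be set with the Secure (and HttpOnly) attributes, since
                  * the cookie path above is not gated on isHttps and would
                  * otherwise accept a ticket replayed over plain HTTP. */
                 req.setCookie("ticket", tmp.encrypt("12345"));
                 req.session.setProperty("ticket", tmp);
                 ticket = tmp; /* Success! */
             }
         }
     }

     /* null ticket means not logged in / anonymous
      */
     return handleAuthenticatedRequest(req, ticket);
 }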