Re: [PHP] Simple Authentication Infrastructure

Posted by Jochem Maas on 12/07/05 13:52

Michael B Allen wrote:
> Hi,
>
> I'm scoping out an Internet site project and my primary consideration at
> the moment is authentication infrastructure. Conceptually I was thinking
> about something like the pseudocode at the bottom of this message
> (pardon all the Java-esque typing).
>
> Can PHP do this sort of thing? I'm wondering if there are some classes
> available to do this? I don't think I want to use WWW-Authenticate (at
> least I don't want to use the ugly password dialog) and I certainly don't
> want to authenticate via pam or something like that. I want "as simple
> as possible, but not simpler" type of thing. I have a strong aversion
> to bloatware.
>
> Or am I off track? I normally do pretty low level C type stuff so websites

conceptually? not as far as I can see.

practically speaking:
session and request are not objects in php (you could create userland wrapper
objects for them though), string concatenation is done with a '.',
variables are prefixed with '$', you don't have to declare variable types, etc.

> are new to me (ie. php).
>
> Thanks,
> Mike
>
> int
> handleRequest(Request req)
> {
>     Ticket ticket, tmp;
>
>     /* If the user already has a ticket associated with their session,
>      * just pass through and handle the request
>      */
>     if ((ticket = req.session.getProperty("ticket")) == null) {
>         SqlResults results;
>
>         /* If the user has a ticket (embedded in a cookie) then associate
>          * it with their session and pass through and handle the request.
>          */
>         String cookie = req.getCookie("ticket");
>         if (cookie) { /* try ticket from cookie */
>             tmp = Ticket.decrypt("12345", cookie);
>             results = Sql.exec( /* sql injection vulnerability, wahoo! */
>                 "select ssnkey from accounts where emailaddr = " + tmp.emailaddr);
>             if (results.size() == 1 && tmp.ssnkey == results.getInteger(0)) {
>                 req.session.setProperty("ticket", tmp);
>                 ticket = tmp; /* Success! */
>             }
>         }
>
>         if (ticket == null && req.session.isHttps) { /* try new login */
>             String emailaddr = req.getParameter("emailaddr");
>             String password = req.getParameter("password");
>             if (emailaddr && password) {
>                 results = Sql.exec(
>                     "select status, password from accounts where emailaddr = " + emailaddr);
>                 if (results.size() != 1 ||
>                         results.getString(0) != "valid" ||
>                         password != results.getString(1)) {
>                     return sendError(req, ERROR_AUTH_FAILED);
>                 }
>
>                 tmp = new Ticket(emailaddr);
>                 Sql.exec("update accounts set ssnkey = " + tmp.ssnkey +
>                     " where emailaddr = " + tmp.emailaddr);
>                 req.setCookie("ticket", tmp.encrypt("12345"));
>                 req.session.setProperty("ticket", tmp);
>                 ticket = tmp; /* Success! */
>             }
>         }
>     }
>
>     /* null ticket means not logged in / anonymous
>      */
>     return handleAuthenticatedRequest(req, ticket);
> }
>
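
The two account lookups from the quoted pseudocode, written in PHP as an added example that is not part of either poster's message: the concatenated queries become PDO prepared statements, the plaintext password comparison becomes `password_verify()`, and the session-key check uses `hash_equals()`. Assumptions: the in-memory SQLite database, the sample account, and the function names `login` and `checkTicket` are constructed for illustration; the table and column names follow the pseudocode.

```php
<?php
// Added example (not from the thread). Table/column names follow the
// pseudocode; the SQLite in-memory database and sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (emailaddr TEXT PRIMARY KEY, status TEXT,
           password TEXT, ssnkey TEXT)');
$ins = $db->prepare('INSERT INTO accounts VALUES (?, ?, ?, NULL)');
$ins->execute(['mike@example.com', 'valid', password_hash('s3cret', PASSWORD_DEFAULT)]);

// New login: returns a ticket array, or null when authentication fails.
function login(PDO $db, string $emailaddr, string $password): ?array
{
    // The placeholder binds the value; nothing is concatenated into the SQL.
    $q = $db->prepare('SELECT status, password FROM accounts WHERE emailaddr = ?');
    $q->execute([$emailaddr]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['status'] !== 'valid' || !password_verify($password, $row['password'])) {
        return null;
    }
    $ssnkey = bin2hex(random_bytes(16)); // unguessable per-login session key
    $db->prepare('UPDATE accounts SET ssnkey = ? WHERE emailaddr = ?')
       ->execute([$ssnkey, $emailaddr]);
    return ['emailaddr' => $emailaddr, 'ssnkey' => $ssnkey];
}

// Ticket presented in a cookie: accept it only if its key matches the stored one.
function checkTicket(PDO $db, array $ticket): bool
{
    $q = $db->prepare('SELECT ssnkey FROM accounts WHERE emailaddr = ?');
    $q->execute([$ticket['emailaddr'] ?? '']);
    $stored = $q->fetchColumn(); // false when no row, null before first login
    return is_string($stored) && is_string($ticket['ssnkey'] ?? null)
        && hash_equals($stored, $ticket['ssnkey']);
}

$session = []; // stands in for $_SESSION, which is a plain array in PHP
$ticket = login($db, 'mike@example.com', 's3cret');
var_dump($ticket !== null);
$session['ticket'] = $ticket;
var_dump(checkTicket($db, $ticket));
// A value containing a quote is bound as data, not parsed as SQL.
var_dump(login($db, "o'brien@example.com", 'anything'));
var_dump(checkTicket($db, ['emailaddr' => "o'brien@example.com", 'ssnkey' => '']));
```

The example covers only the database side; how the ticket is serialized into the cookie is left as in the pseudocode.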

 
