Reply to Simple Authentication Infrastructure

Posted by Michael B Allen on 10/11/60 11:33

Hi,

I'm scoping out an Internet site project and my primary consideration at
the moment is authentication infrastructure. Conceptually I was thinking
about something like the pseudocode at the bottom of this message
(pardon all the Java-esque typing).

Can PHP do this sort of thing? I'm wondering if there are some classes
available to do this? I don't think I want to use WWW-Authenticate (at
least I don't want to use the ugly password dialog) and I certainly don't
want to authenticate via pam or something like that. I want "as simple
as possible, but not simpler" type of thing. I have a strong aversion
to bloatware.

Or am I off track? I normally do pretty low level C type stuff so websites
are new to me (i.e. PHP).

Thanks,
Mike

int
handleRequest(Request req)
{
    Ticket ticket, tmp;

    /* If the user already has a ticket associated with their session,
     * just pass through and handle the request
     */
    if ((ticket = req.session.getProperty("ticket")) == null) {
        SqlResults results;

        /* If the user has a ticket (embedded in a cookie) then associate
         * it with their session and pass through and handle the request.
         */
        String cookie = req.getCookie("ticket");
        if (cookie) { /* try ticket from cookie */
            tmp = Ticket.decrypt("12345", cookie);
            results = Sql.exec( /* sql injection vulnerability, wahoo! */
                "select ssnkey from accounts where emailaddr = " + tmp.emailaddr);
            if (results.size() == 1 && tmp.ssnkey == results.getInteger(0)) {
                req.session.setProperty("ticket", tmp);
                ticket = tmp; /* Success! */
            }
        }

        if (ticket == null && req.session.isHttps) { /* try new login */
            String emailaddr = req.getParameter("emailaddr");
            String password = req.getParameter("password");
            if (emailaddr && password) {
                results = Sql.exec(
                    "select status, password from accounts where emailaddr = " + emailaddr);
                if (results.size() != 1 ||
                        results.getString(0) != "valid" ||
                        password != results.getString(1)) {
                    return sendError(req, ERROR_AUTH_FAILED);
                }

                tmp = new Ticket(emailaddr);
                Sql.exec("update accounts set ssnkey = " + tmp.ssnkey +
                    " where emailaddr = " + tmp.emailaddr);
                /* ticket is still null here, so encrypt the new ticket */
                req.setCookie("ticket", tmp.encrypt("12345"));
                req.session.setProperty("ticket", tmp);
                ticket = tmp; /* Success! */
            }
        }
    }

    /* null ticket means not logged in / anonymous
     */
    return handleAuthenticatedRequest(req, ticket);
}
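
The login and ticket-check steps of the pseudocode above, as an added PHP example that is not part of the original post: queries use bound parameters instead of string concatenation, the stored password is a hash, and the cookie ticket is HMAC-signed with a random key rather than encrypted with a literal one. The function names `issueTicket()` and `checkTicket()`, the `$ticketKey` variable, the in-memory SQLite database and the sample account are assumptions made for the illustration.

```php
<?php
// Added example. Table and columns follow the pseudocode; issueTicket(),
// checkTicket() and $ticketKey are hypothetical names.
// Assumption: a real site loads the key from protected configuration.
$ticketKey = random_bytes(32);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (emailaddr TEXT PRIMARY KEY, status TEXT, password TEXT, ssnkey TEXT)');
// Constructed sample account; only a password hash is stored.
$db->prepare('INSERT INTO accounts VALUES (?, ?, ?, NULL)')
   ->execute(['mike@example.com', 'valid', password_hash('s3cret', PASSWORD_DEFAULT)]);

// New login: verify the password, rotate ssnkey, return the cookie value.
function issueTicket(PDO $db, string $key, string $emailaddr, string $password): ?string {
    $q = $db->prepare('SELECT status, password FROM accounts WHERE emailaddr = ?');
    $q->execute([$emailaddr]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['status'] !== 'valid' || !password_verify($password, $row['password'])) {
        return null;                       // ERROR_AUTH_FAILED in the pseudocode
    }
    $ssnkey = bin2hex(random_bytes(16));   // unpredictable per-login session key
    $db->prepare('UPDATE accounts SET ssnkey = ? WHERE emailaddr = ?')->execute([$ssnkey, $emailaddr]);
    $body = base64_encode(json_encode(['emailaddr' => $emailaddr, 'ssnkey' => $ssnkey]));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Returning visitor: authenticate the cookie before parsing it, then
// compare its ssnkey with the one stored for the account.
function checkTicket(PDO $db, string $key, string $cookie): ?string {
    $parts = explode('.', $cookie);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[0], $key), $parts[1])) {
        return null;                       // forged or altered ticket
    }
    $t = json_decode((string) base64_decode($parts[0], true), true);
    if (!is_array($t) || !isset($t['emailaddr'], $t['ssnkey'])) { return null; }
    $q = $db->prepare('SELECT ssnkey FROM accounts WHERE emailaddr = ?');
    $q->execute([$t['emailaddr']]);
    $stored = $q->fetchColumn();
    return is_string($stored) && hash_equals($stored, (string) $t['ssnkey']) ? $t['emailaddr'] : null;
}

$cookie = issueTicket($db, $ticketKey, 'mike@example.com', 's3cret');
var_dump(checkTicket($db, $ticketKey, $cookie));                    // ticket as issued
var_dump(checkTicket($db, $ticketKey, 'x' . $cookie));              // ticket altered in transit
var_dump(issueTicket($db, $ticketKey, "' OR '1'='1", 'anything'));  // quote characters bound as data
issueTicket($db, $ticketKey, 'mike@example.com', 's3cret');         // second login rotates ssnkey
var_dump(checkTicket($db, $ticketKey, $cookie));                    // ticket from the earlier login
```

When the ticket is sent to the browser, `setcookie()` with the `secure` and `httponly` options keeps it off plain HTTP and away from page scripts.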
