User Authentication With Apache And PHP
(Page 1 of 11 )
A long, long time ago, during my early days with Web application development, I was asked to write an administration module for a Web site. This module was to be available only to site administrators, and so required user authentication, or login, at the entry point itself. I didn't know much about Web development at the time, but I did my best and handed the code over to the QA people for testing.
As it turned out, my user authentication module had enough security holes in it to drive a few hundred dump trucks through. I spent the next week plugging those holes, and along the way learnt a number of valuable things about access control - most notably, that it's not as easy or as obvious as you might think.
There are a number of reasons why you might want to add user authentication to your Web site. You might want to restrict access to certain pages only to a specific group of privileged users. You might want to customize the content on your site as per user preferences. Or you might just want to track user movement between the pages of your site. Regardless of why you want to add it, you should know how to go about doing it reliably and efficiently.
That's where this article comes in. Over the next few pages, I'll be showing you how to authenticate users, maintain session information and handle login/logout operations, using both built-in Apache authentication and custom PHP code. So keep reading.{mospagebreak title=Of Myth And Men} Before we get into the nitty-gritty of code and syntax, there's one very important thing that you should be aware of. It's a common myth among newbie developers that access control is merely a matter of verifying a user's password once, and allowing or denying access to a single page based on the results of that verification. While this description is certainly true, it's also incomplete, as it fails to address the matter of re-verifying user credentials on all subsequent, linked pages after the initial user login.
In real-world development projects, access control typically involves writing code to handle the following events:
1. Initial user verification and session creation (login): The first time a user logs in to a Web site, a Web application must be capable of requesting the user's credentials (usually a unique username/password combination), and allowing or denying access based on these credentials. This step also involves the creation of a persistent user "session", which stores user variables across multiple HTTP transactions.
2. Session maintenance and re-verification of user credentials: Once a user has logged in successfully, the application must be able to re-verify the user's credentials, on a per-page or per-script basis, and allow or deny access to specific pages or scripts based on this user data (the session created at the first step comes in very handy here). At the very least, the application must check to ensure the existence of a valid user session; more complex applications may additionally perform second-tier checks to ensure that the user has appropriate permissions or security privileges to execute the script or view the page.
3. Session destruction (logout): The application must provide the user with the ability to log out and thereby destroy all user-specific session variables created during the first step. Though this is the last step in the process, its importance cannot be underrated; omitting it can have serious repercussions on the security of your Web application.
In order for a Web application to be considered even marginally secure, it must address all three of the requirements above.
Next: Back To Basics >>
More PHP Articles
More By The Disenchanted Developer, (c) Melonfire
/ 54 
