Use Phplib for session management and certification

Source: Internet
Author: User

The first thing to make clear is that it is extremely inconvenient to build a web application that must remember the customer's current state, such as online shopping, because as a programmer you constantly have to pass state parameters between pages. The customer's identity, the choices they have made, their current status and so on: the web pages will not keep this state for you, so you must handle all these parameters carefully, which is a great inconvenience. Passing parameters between pages in the form http://url?var1=x1&var2=x2 is also too dangerous, especially when the variables carry user registration information, which is easily sniffed. How, then, can we solve this problem?

Phplib solves this problem. It is an extension for PHP3 that provides a large set of class libraries, making it easy for programmers to build an interactive web site. Phplib's most basic functions include user authentication, session management, permissions and database abstraction.

Before installing Phplib you must install PHP3 on your server; Phplib can then run in CGI mode or as an Apache add-on module. The PHP3 version must be 3.0.5 or later; earlier PHP3 versions can be supported by compiling with the --enable-force-cgi-redirect option, and without it security problems arise. track_vars must be set to enabled in the PHP3 configuration. A database is also required; Phplib supports MySQL, Oracle, ODBC, PostgreSQL and Sybase.

First, the Phplib class library needs to be initialized for your system. You do this by editing the local.inc file, which contains some basic parameters that you can adjust to suit your own machine.

Let us explain how Phplib works. Every page that uses Phplib must first locate the class library files that Phplib needs to run. We can set the auto_prepend variable in php3.ini to take care of this: the Phplib distribution contains a prepend.php3 file, and if auto_prepend is set to prepend.php3, every page will automatically include the Phplib class library. We can also add the Phplib class library directory to the include path variable so that these files can be found. Of course, the clumsiest way is to specify absolute paths, which is not a good idea!

In the second step, every page that uses Phplib must be initialized with the page_open function. This tells Phplib that you will be using state saving now or later in the page. A typical page_open call includes authentication, session and permissions:

<?php
page_open(array("sess" => "Cms_Session", "auth" => "Cms_Auth", "perm" => "Cms_Perm"));
?>

The array keys (sess, auth, perm) are used to initialize the state-saving objects; note that you must use Phplib's built-in names (sess, auth, perm), and that the classes they refer to are defined in local.inc. The page_open function must be called before any page content is sent to the browser. (If you do not use authentication later, sess need not be initialized.) The PHP3 script should end with page_close(), which writes the state data back to the database; if you forget it, the state is not written back.

Because Phplib uses cookies to hold state information, page_open() must be called before any page content is sent to the browser, where "page content" means any HTML at all, even a blank line. If you see the error "Oops - setcookie called after header has been sent", something was output to the browser before page_open(). Pay special attention to empty lines, because they are very hard to find; the typical mistake is a blank line outside the <? and ?> tags. You should also check whether local.inc and prepend.php3 contain empty lines, as this is another very error-prone place.
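A small checker for the problem just described, written here as an added example rather than code from Phplib: it reports any bytes outside the outermost PHP tags of an include file, since those bytes become page output before page_open() can set its cookie. The file contents below are constructed samples, not the real local.inc or prepend.php3.

```python
# Constructed sample include files (not the real PHPLIB files). The second
# has an extra blank line after its closing tag, the third a blank line
# before its opening tag; both reach the browser before page_open().
SAMPLE_FILES = {
    "local.inc":    "<?php\n$DB_HOST = 'localhost';\n?>",
    "prepend.php3": "<?php\nrequire('local.inc');\n?>\n\n",
    "page.php3":    "\n<?php\npage_open(array('sess' => 'Cms_Session'));\n?>",
}


def stray_output(src: str) -> tuple:
    """Return (before, after): text outside the outermost <? ... ?> pair.

    Anything non-empty here is sent to the browser as page content, which
    is what triggers 'Oops - setcookie called after header has been sent'.
    Assumes the file uses <? or <?php as its opening tag.
    """
    start = src.find("<?")
    end = src.rfind("?>")
    if start == -1 or end == -1:
        return (src, "")            # no PHP at all: the whole file is output
    after = src[end + 2:]
    # PHP swallows exactly one newline directly after ?>; assumed to hold
    # for the PHP3 versions this article targets, so only report the rest.
    if after.startswith("\r\n"):
        after = after[2:]
    elif after.startswith("\n"):
        after = after[1:]
    return (src[:start], after)


def check_files(files: dict) -> dict:
    """Map filename -> stray text, for offending files only."""
    problems = {}
    for name, src in files.items():
        before, after = stray_output(src)
        if before or after:
            problems[name] = {"before": before, "after": after}
    return problems


if __name__ == "__main__":
    for name, stray in check_files(SAMPLE_FILES).items():
        print(f"{name}: output before tag {stray['before']!r}, after tag {stray['after']!r}")
```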

Phplib's authentication uses a more elaborate scheme than HTTP Basic authentication, which gives security a better guarantee.

For example, for a page whose access you want to restrict, you first call page_open with "auth" => "Auth_class". When the authentication state object is initialized, the state is saved, and when the customer then visits another page the authentication system first checks whether the user's identity has already been authenticated.

Let us explain. When a user accesses the page for the first time, their identity has not been authenticated, so Phplib displays a login form (an HTML page, not a Windows pop-up window); you can design the look of the login form yourself. When the user enters a username and password and presses the submit button, identity authentication begins. What happens next is a little complicated, so let us explain it slowly...

There are two cases. If the user's browser does not support JavaScript, authentication works like questioning a suspect: the username and password are sent to the server and compared with the data stored there. If the user's browser does support JavaScript, things are a bit more involved. Phplib first places a seed string, called the "challenge", in the client's page. When the user submits the page, the username, password and challenge string are hashed together with MD5, producing a digest, and that digest is submitted to the server together with the username. When the server receives the username and the digest, it performs the same MD5 operation using the username and password from the database and the seed it issued, and compares the result with the string the user submitted. If they match, the user's identity is confirmed and subsequent visits are allowed. The advantage of this approach is that the user never has to submit the password, which makes authentication more secure.
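The JavaScript case as a two-sided model, written here as an added example and not taken from Phplib: the server issues a fresh challenge, the client returns only the MD5 digest, and the server recomputes it from the stored password. The user table, the `username:password:challenge` concatenation and the single-use handling of challenges are assumptions of this example; what the page does establish is that the server needs the password itself, not just a one-way hash of it, to verify the digest.

```python
import hashlib
import hmac
import secrets

# Constructed user table (not PHPLIB's): challenge-response verification
# requires the server to hold the password in recoverable form.
USERS = {"alice": "s3cret"}


def digest(username: str, password: str, challenge: str) -> str:
    """MD5 over username, password and challenge. The exact concatenation
    is an assumption; the article only says all three are hashed together."""
    return hashlib.md5(f"{username}:{password}:{challenge}".encode()).hexdigest()


class Server:
    """Server side: one outstanding challenge per session, consumed on use,
    so a digest captured from an earlier login is useless afterwards."""

    def __init__(self):
        self.pending = {}           # session id -> challenge awaiting a reply

    def new_challenge(self, session_id: str) -> str:
        chal = secrets.token_hex(16)
        self.pending[session_id] = chal
        return chal                 # embedded in the login page for the client

    def verify(self, session_id: str, username: str, response: str) -> bool:
        chal = self.pending.pop(session_id, None)   # single use
        password = USERS.get(username)
        if chal is None or password is None:
            return False
        expected = digest(username, password, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_login(server: Server, session_id: str, username: str, password: str) -> bool:
    """Client side (the browser's JavaScript): the password never leaves the
    client; only the username and the digest travel to the server."""
    chal = server.new_challenge(session_id)
    return server.verify(session_id, username, digest(username, password, chal))


def stale_digest_rejected(server: Server, session_id: str, username: str, old_response: str) -> bool:
    """Defender's check: a digest computed against an earlier challenge must
    fail once the server has issued a new one. Returns True when it is rejected."""
    server.new_challenge(session_id)
    return not server.verify(session_id, username, old_response)
```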

Session Management

In fact, session management and identity authentication are closely linked. Once a user's identity has been authenticated, the user's session begins. If the user's browser supports cookies, a session ID is created and placed in a cookie. This unique ID is randomly generated by PHP3, and the random seed string is then hashed with MD5. The cookie here should be called a session cookie, because it is not written to the user's hard disk: when the session ends, the cookie ends too. If the user's browser does not support cookies, the session ID is placed in the URL instead; because it is hashed, it is useless to anyone who steals it. The session ID holds information about the user, such as authentication, authentication expiry, user rights and any other information you may need, which makes our access convenient.

A session is, in fact, the course of one user's conversation with the site. Session management is not only used to track the user's login; it can also be used independently of authentication, and you can use it to store any information you want, which is then available on the pages the user visits afterwards, provided those pages use Phplib. The method is simple: register a variable and it can be used on subsequent pages until the session ends. The call is:

<?php $sess->register("variable_name"); ?>

Note that variable_name is the variable's name, not its value: you register the name and then assign the value. You can change a variable's value on one page, and subsequent pages will see the change when they access it. Variables may be of many types: a string, a number, an array or even an object. For example:

<?php
$sess->register("first");        // register the name, not a value
if (check($firstname)) {         // validate the form data before storing it
    $first = $firstname;
}
?>

Note: this is important. You can register a variable and assign a value to it later, which is very useful: we can declare variables anywhere in the script without assigning values and then assign them in subsequent pages, which makes it easy to define variables centrally. You may notice that in the example above we do not simply assign the form data to the variable; you should never put form data into a session variable without checking it. In the example above we validate the value before assigning it to the variable. This is a good habit, and everyone should pay attention to it.

After a variable is registered, every session variable is written back to the database when the page finally calls the page_close() function. If you forget to call page_close(), the variables are not written back to the database, with unpredictable consequences. When you have finished with a variable and no longer need it, you can call the following function to delete it:

<?php
$sess->unregister("variable_name");
?>

In Phplib 7.0 a storage abstraction is used that lets you keep session data in a database, in shared memory or in LDAP. For databases Phplib uses its database class, which gives you more choices.

Rights Management

Permissions are inseparable from authentication. Once a user's identity is confirmed, you can go on to determine their level and permissions. Of course, you must first call page_open to initialize the "perm" object. The command for checking user permissions is as follows:

<?php
$perm->check("permission_level");
?>

This command checks whether the user has the level you specify; the levels are defined in the local.inc file, and you can define the various levels yourself. If the check finds that the user does not meet the required level, the perm_invalid() function is invoked automatically. You can write your own perm_invalid function.

The following is another way to check permissions in Phplib:

<?php
$perm->have_perm("permission_level");
?>

Unlike the check function, have_perm only returns true or false and does not exit the script, which lets us control the flow of the page more finely:

<?php
if ($perm->have_perm("guest")) {
    // do something
} elseif ($perm->have_perm("admin")) {
    // do something else
} else {
    // yet something else
}
?>
