Use PHPLIB for Session management and authentication

PHPLIB can also do many other things, such as database classes. This article is just a brief introduction to PHPLIB. Many classes and functions are not mentioned. You can go to the http://phplib.netuse.de to get more help documentation

Test environment: Standard Environment

First of all, it is inconvenient to use a Web page to design a program that needs to save the current state of the customer, for example, online Shopping, as a programmer, you must always face the status parameters passed between each home page. The Web homepage does not save the status information for you because of the customer's identity authentication, his/her choices, and his/her current status. You must handle these parameters with caution, this brings us too much inconvenience, using http: // url? Var1 = x1 & var2 = x2 It is too dangerous to transmit parameters between the home pages, especially when variables contain user registration information that is easily sniff. So how can we solve this problem?

PHPLIB solves this problem. It is an extension on PHP3 and provides many class libraries so that programmers can easily create an interactive Web site. The most basic functions of PHPLIB include user authentication, session governance, permission and database abstraction.

You must install php3 on your server before installing PHPLIB. PHPLIB can run in Cgi Mode or apache additional module mode. The PHP3 version must be later than 3.0.5. Earlier versions of PHP3 can be supported by the -- enable-foce-cgi-redirect parameter during compilation. If this is not the case, security issues may occur. In the PHP3 configuration, track_vars needs to be set to enabled. A database is also required. PHPLIB supports MySQL, Oracle, ODBC, PostgreSQL, and Sybase.

Step 1: The PHPLIB class library needs to be initialized according to the system. You can modify the local. inc file, which contains some basic parameters. You can modify the class library based on your own machine.

Let's explain how PHPLIB works. Every page using PHPLIB must first find the required class library file for running PHPLIB. We can set the auto_prepend variable in php3.ini to support it, the PHPLIB distribution package contains a prepend. php3 file, specify auto_prepend as prepend. after php3, the pages will automatically contain the PHPLIB class library. We can also add the directory of the PHPLIB class library to the include variable to locate these files. Of course, the most benzene method is to specify an absolute path. This is not a good idea!

Step 2: you must use the page_open function to initialize each page that uses PHPLIB. This will tell PHPLIB that you will use status save now or in the future. A typical page_open example includes authentication, Session, and permission:

<? Php

Page_open (array ("sess" => "Cms_Session", "auth" => "Cms_Auth", "perm" => "Cms_Perm "));

?>

Array variables (sess, auth, perm) are used to initialize some state-saving objects. Note: you must use the PHPLIB built-in names (sess, auth, perm. as defined in ini, The page_open function must be called before the page content is output to the browser. (If you will not use authentication in the future, you can not initialize sess). The php3 script should end with page_close (), which will write the relevant status data back to the database, if you forget it, it will happen...

Because PHPLIB uses Cookies to store status information, the page_open () function must be called before the page content is output to the browser. The page content here can be any HTML information or empty rows, if you find the error "Oops-SetCookie called after header has been sent", it indicates what is output to the browser before page_open (), and you should pay special attention to empty rows, because it is very difficult to find, the typical error is <? And?> Empty lines are output between tags. Check whether empty lines are included in the local. inc and prepend. php3 files. This is also a very easy error.

PHP uses a more complex architecture than the basic authentication method, which ensures security.

For example, if you want to restrict access to a page, page_open will first be used to call "auth" => "auth_class". After the authentication status object is initialized, the status will be saved, then, when the customer visits another page, the authentication system first checks whether the user's identity has been authenticated.

Let's explain that when a user visits the page for the first time, his identity has not been authenticated, PHPLIB will call a registration window (not a WINDOWS pop-up window ), you can design the registration window style by yourself. After the user enters his username and password and presses the submit button, the authentication starts, and the subsequent situation is somewhat complicated, let's explain ......

In two cases, if the user's browser is not compatible with JavaScript, authentication is like asking a suspect. the user name and password are sent to the server and compared with the data stored there. If your browser is compatible with JavaScript, it will be a little troublesome. PHPLIB will first put a seed string for encryption in the client's page named "challenge ", when a user submits the page, the user name, password, and challenge string are encrypted using md5 encryption to generate an encrypted string and submit the encrypted string and user name to the server. After receiving the username and encrypted string, the server performs md5 calculation based on the username and password in the database and the obtained seed. The generated string is compared with the string submitted by the user, if yes, it indicates that the user's identity is correct, and the user is allowed to perform subsequent access. The advantage of this method is that the user does not need to submit a password, which makes authentication safer.

Session governance

In fact, Session governance is very similar to identity authentication. When a user's identity authentication is passed, the user's session starts. If the user's browser supports cookies, put the session id that will be created into the cookie. The unique ID is randomly generated by PHP3, and then the Random Seed is used.

The string has been md5 encrypted. The cookie here should be called session cookie, because this cookie will not be written to the user's hard disk. When a session is complete, the cookie is also complete. If the user's browser does not support cookies, the session id will be put into the url chain. Because the session id is encrypted, it is useless to steal it. Session id stores user information, such as user authentication, authentication expiration time, user permissions, and other information you may need, which is convenient for us to use.

A Session is a user's Session process. Session governance is not just used to track user registration. In fact, it can also be used out of authentication. You can use it to store any information you want to store, this information can be used in subsequent pages, provided that PHPLIB is used for those pages. The method is simple. After registering a variable, you can use it on the subsequent page until the session ends. Method:


<? Php $ sess-> register ("variable_name");?>

Note: Here, variable_name is not a variable value, but a variable name. You can specify a variable name before assigning a value. You can change the value of a variable on a page. Then, when you access the variable on the page, you will get the changed value. Variable types are diverse. They can be a string, a number, an array, or even an object. For example:

<? Php

$ Sess-> register ("first ");

If (check ($ firstname )){

$ First = $ firstname;