Use PHPLIB for Session management and authentication

Source: Internet
Author: User
Tags php3 file random seed
PHPLIB can also do many other things, such as database classes. This article is just a brief introduction to PHPLIB; many classes and functions are not mentioned. You can go to http://phplib.netuse.de for more documentation.
---------------------------------------------------------------------
Test Environment: standard environment

First of all, it is inconvenient to design a Web application that needs to keep track of the customer's current state, for example online shopping. As a programmer you constantly have to deal with state parameters passed between pages, because a Web page does not preserve state for you: the customer's identity, his or her choices, and his or her current status all have to be carried along by hand. Handling these parameters with care is a great inconvenience, and passing them between pages as http://url?var1=x1&var2=x2 is far too dangerous, especially when the variables contain user login information, because they are easily sniffed. So how can we solve this problem?

PHPLIB solves this problem. It is an extension of PHP3 that provides many class libraries so that programmers can easily create an interactive Web site. PHPLIB has the following basic functions: user authentication, session management, permission abstraction, and database abstraction.

You must install PHP3 on your server before installing PHPLIB. PHPLIB can run with PHP3 either as a CGI or as an Apache module. The PHP3 version must be later than 3.0.5; earlier versions of PHP3 can be supported by compiling with the --enable-force-cgi-redirect parameter, otherwise security issues may occur. In the PHP3 configuration, track_vars must be enabled. A database is also required; PHPLIB supports MySQL, Oracle, ODBC, PostgreSQL, and Sybase.

Step 1: The PHPLIB class library must be initialized for your system. Edit the local.inc file, which contains the basic parameters, and adapt the class library to your own machine.

Let's explain how PHPLIB works. Every page that uses PHPLIB must first locate the class library files PHPLIB needs. We can set the auto_prepend variable in php3.ini for this: the PHPLIB distribution contains a prepend.php3 file, and once auto_prepend points at prepend.php3, every page automatically includes the PHPLIB class library. We can also add the directory of the PHPLIB class library to the include path so that these files can be found. Of course, the clumsiest method is to specify an absolute path; this is not a good idea!

Step 2: Every page that uses PHPLIB must be initialized with the page_open function. This tells PHPLIB that you will use state saving now or later in the page. A typical page_open call that sets up authentication, session, and permissions looks like this:

<?php
page_open(array("sess" => "Cms_Session", "auth" => "Cms_Auth", "perm" => "Cms_Perm"));
?>

The array keys (sess, auth, perm) are used to initialize the state-saving objects. Note that you must use the PHPLIB built-in names (sess, auth, perm) as defined in the ini file, and the page_open function must be called before any page content is output to the browser. (If you will not use authentication, you need not initialize sess.) The PHP3 script should end with page_close(), which writes the relevant state data back to the database; if you forget it, it will...

Because PHPLIB uses cookies to store state information, page_open() must be called before any page content is output to the browser. Page content here means any HTML at all, even an empty line. If you see the error "Oops-SetCookie called after header has been sent", something was output to the browser before page_open(). Pay special attention to blank lines, because they are very hard to find; the typical mistake is a blank line emitted outside the <? and ?> tags. You should also check whether local.inc and prepend.php3 contain blank lines, which is another very error-prone place.

PHPLIB uses a more complex architecture than basic HTTP authentication, which improves security.

For example, if you want to restrict access to a page, page_open is first called with "auth" => "auth_class". After the authentication state object is initialized, its state is saved, and when the customer visits another page, the authentication system first checks whether the user's identity has already been authenticated.

When a user visits a page for the first time, his identity has not yet been authenticated, so PHPLIB presents a login form (an ordinary page, not a pop-up window) whose appearance you can design yourself. After the user enters a username and password and presses the submit button, authentication begins. What happens next is a little more involved, so let's explain it.

There are two cases. If the user's browser does not support JavaScript, authentication works like questioning a suspect: the username and password are sent to the server and compared with the data stored there. If the browser does support JavaScript, it is a little more elaborate. PHPLIB first places a seed string for the hash, named "challenge", in the client's page. When the user submits the form, the username, password, and challenge string are hashed together with MD5, and the resulting digest and the username are submitted to the server. After receiving the username and digest, the server performs the same MD5 calculation using the username and password from the database together with the seed it issued, and compares the result with the string submitted by the user; if they match, subsequent access is allowed. The advantage of this method is that the user does not need to send the password itself, which makes authentication safer.
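The JavaScript case above, modelled as both sides of the exchange in Python. This is an added illustration, not PHPLIB's code: the exact concatenation hashed ("user:password:challenge") and the single-use handling of the seed are assumptions, and the user table is constructed for the demo. It also shows the point a defender cares about: the seed must be fresh and consumed on use, or a captured digest could simply be submitted again.

```python
import hashlib
import secrets

# Constructed demo user table. The page's scheme requires the server to
# recompute the client's MD5, so it must hold the password itself.
USERS = {"alice": "s3cret-pass"}

# Challenges issued to login pages and not yet consumed, keyed by username.
_pending = {}

def issue_challenge(username):
    """Server side: create a fresh random seed to embed in the login page."""
    challenge = secrets.token_hex(16)
    _pending[username] = challenge
    return challenge

def client_response(username, password, challenge):
    """Client side (the page's JavaScript): send a digest instead of the password.
    The "user:password:challenge" concatenation is an assumption, not PHPLIB's format."""
    return hashlib.md5(f"{username}:{password}:{challenge}".encode()).hexdigest()

def verify_login(username, response):
    """Server side: recompute the digest from the stored password and the seed
    that was issued. The seed is consumed whether or not the check succeeds,
    so a digest captured on the wire cannot be submitted a second time."""
    challenge = _pending.pop(username, None)
    password = USERS.get(username)
    if challenge is None or password is None:
        return False
    expected = client_response(username, password, challenge)
    return secrets.compare_digest(expected, response)

def demo():
    """One login, then the same digest again; only (username, digest) cross the wire."""
    challenge = issue_challenge("alice")
    response = client_response("alice", "s3cret-pass", challenge)
    first_attempt = verify_login("alice", response)   # True
    replayed = verify_login("alice", response)        # False: seed already used
    return first_attempt, replayed

if __name__ == "__main__":
    print(demo())
```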

Session Management
In fact, session management is very similar to identity authentication. Once a user's identity has been authenticated, the user's session begins. If the user's browser supports cookies, the newly created session id is placed in a cookie. The unique id is generated by PHP3 from a random seed, and the seed string is then run through MD5. The cookie here is properly called a session cookie, because it is never written to the user's hard disk: when the session ends, the cookie is gone too. If the user's browser does not support cookies, the session id is carried in the URL instead. Because the session id is hashed, stealing it is of no use. The session holds user information such as the authentication result, the authentication expiry time, the user's permissions, and any other information you may need, which is convenient for us to use.

A session is one user's interaction with the site. Session management is not only used to track user logins; in fact, it can also be used independently of authentication. You can use it to store any information you like, and that information is then available on subsequent pages, provided those pages also use PHPLIB. The method is simple: after registering a variable, you can use it on every subsequent page until the session ends. Method:

<?php $sess->register("variable_name"); ?>

Note: Here, variable_name is the name of the variable, not its value. You can register a variable name before assigning it a value. You can change the value of a variable on one page, and when you access the variable on another page you will get the changed value. Variable types are flexible: a string, a number, an array, or even an object. For example:

<?php
$sess->register("first");
if (check($firstname)) {    // check() is your own validation routine for the form input
    $first = $firstname;
}
?>

Note: This is important. You can register a variable first and assign values to it later, which is very useful: we can declare a variable anywhere in the script without assigning a value and assign the value on a subsequent page, which allows variables to be defined in one central place. As you may have noticed, in the above example we do not simply assign form data to the variable; that would be unsafe. You should never put form data into session variables rashly. In the above example, we check the input before assigning it to the variable. This is a good habit that everyone should adopt.

After a variable has been registered, each session variable is written back to the database when the page finally calls page_close(). If you forget to call page_close(), the variables are not written back to the database and the results are unpredictable. Once a variable is no longer needed, you can delete it with the following function:

<?php
$sess->unregister("variable_name");
?>
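The session mechanics described above (an id built from a random seed through MD5, a cookie that carries only that id, register/unregister by name, and write-back only on page_close) as a small Python model. This is an added illustration, not PHPLIB's own code; the in-memory SESSION_DB dictionary stands in for the database table, and isalpha() stands in for the page's check() routine.

```python
import hashlib
import random
# Constructed stand-in for the database table PHPLIB writes sessions to.
SESSION_DB = {}

def new_session_id():
    # The page's recipe: a random seed run through MD5. MD5 only fixes the
    # format; unguessability comes from the seed, so draw it from the OS CSPRNG.
    seed = str(random.SystemRandom().getrandbits(128))
    return hashlib.md5(seed.encode()).hexdigest()

class Session:
    """Minimal model of PHPLIB's $sess object (not PHPLIB's own code)."""
    def __init__(self, session_id=None):
        # page_open(): load the state behind the id the browser sent back
        # (the cookie carries only the id), or start a new session.
        self.id = session_id or new_session_id()
        self.vars = dict(SESSION_DB.get(self.id, {}))
        self.registered = set(self.vars)
    def register(self, name):      # name only; the value may come later
        self.registered.add(name)
    def unregister(self, name):
        self.registered.discard(name)
        self.vars.pop(name, None)
    def set(self, name, value):
        self.vars[name] = value
    def get(self, name, default=None):
        return self.vars.get(name, default)
    def close(self):
        # page_close(): only registered variables are written back to the DB.
        SESSION_DB[self.id] = {k: v for k, v in self.vars.items()
                               if k in self.registered}

def two_page_flow(form_firstname):
    # Page 1 registers 'first' and assigns it only after validating the form
    # input (isalpha() stands in for the page's check()); page 2 reads it back.
    page1 = Session()
    page1.register("first")
    if form_firstname.isalpha():
        page1.set("first", form_firstname)
    page1.set("scratch", "unregistered, dropped at close()")
    page1.close()
    page2 = Session(page1.id)
    return page2.get("first"), page2.get("scratch")

def forgot_page_close():
    page = Session()               # the failure mode the page warns about:
    page.register("first")         # without close(), nothing is persisted
    page.set("first", "Alice")
    return Session(page.id).get("first")   # None
```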

PHPLIB 7.0 uses a storage structure that allows session data to be stored in databases, shared memory, or LDAP. PHPLIB's database classes give you even more options.

Permission management
Permissions are inseparable from authentication. Once a user's identity has been confirmed, you can determine his or her level and permissions. Of course, you must first call page_open to initialize the "perm" object. The command to check user permissions is as follows:

<?php
$perm->check("permission_level");
?>

This command checks whether the user meets the level you specify. The levels should be defined in the local.inc file, and you can define whatever levels you like. If the user does not meet the required level, the perm_invalid() function is called automatically; you can write your own perm_invalid function.

PHPLIB offers another method for checking permissions:

<?php
$perm->have_perm("permission_level");
?>

have_perm differs from check in that it only returns true or false and does not exit the script, which gives us better control over program flow.

<?php
if ($perm->have_perm("guest")) {
    // do something
} elseif ($perm->have_perm("admin")) {
    // do something else
} else {
    // yet something else
}
?>
