I've been developing a simple (protecting nuclear secrets it aint) login /
authentication class library.
This code is designed to -
1. check uname & password are completed (both present and non-empty)
2. check uname & password contain only permitted chars (the regex as written allows A-Z, a-z, 0-9 and underscore, not just a-z and 1-9)
3. match user against dbase user table
4. generate a unique session token
5. store session token in dbase
6. set client side session cookie
I've attached the code here in the hope that it may be of use to some of
you. I also welcome any feedback regarding problems / security shortcomings
or ways it can be improved.
Happy Coding...
Notes -
-- dbase is postgres (the dbase access should probably be abstracted to
make the code platform independent)
-- password hashing (crypt() is a one-way hash, not encryption) uses standard DES crypt rather than md5 because
of legacy data (passwords in the current dbase are already crypted like this). Two caveats: as written the second argument to crypt() is the literal string "CRYPT_STD_DES", so every hash gets the fixed salt "CR" (the constant was meant), and standard DES crypt only looks at the first 8 characters of the password.
Here's the code...
begin index.html >>
<?php
// Front controller: both the form and the authentication live in
// lib/doLogin.inc. NOTE(review): this file is index.html, so the web server
// must be configured to run .html through PHP; likewise lib/*.inc must never
// be served verbatim (db.inc presumably holds the database credentials) -
// rename them to .inc.php or deny the lib/ directory in the server config.
include './lib/doLogin.inc';
?>
end index.html
begin doLogin.inc >>
<?php
/*
App Name Here -------------------------------------------
doLogin.inc
** login validation / user authentication **
*/
// dbase class
include("./lib/db.inc");
// log class
//include("./lib/log.inc");
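// Treat the request as a login attempt only when BOTH fields arrived as plain
// strings. Reading $_POST['uname'] unconditionally (the previous code) raised
// an "undefined index" notice on every plain GET of the form, and a posted
// array (uname[]=x) would have reached the SQL layer as the literal "Array".
$uname = (isset($_POST['uname']) && is_string($_POST['uname'])) ? $_POST['uname'] : null;
$pass  = (isset($_POST['pass'])  && is_string($_POST['pass']))  ? $_POST['pass']  : null;

// if login form submitted do authentication, otherwise show the form
if ($uname !== null && $pass !== null) {
    $doLogin = new doLogin($uname, $pass);
} else {
    displayLogin();
}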
/// -----------------------------------------------------
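class doLogin {
    /** @var string Username as submitted; only [A-Za-z0-9_] survives validation. */
    public $uname;
    /** @var string Cleartext password as submitted; never stored or logged. */
    public $pass;
    /** @var string Name of the client-side session cookie. */
    public $cookieName;
    /** @var mixed Value of the user table's adminuser column for the logged-in user. */
    public $adminUsr;
    /** @var string|null Session token issued at login (32 hex chars), null until then. */
    public $session_id;

    /**
     * Entry point: `new doLogin($uname, $pass)` validates and authenticates
     * immediately, exactly as the old PHP4-style constructor did. Requires
     * PHP >= 7.0 (random_bytes, hash_equals); the original ereg() call was
     * removed in PHP 7 anyway.
     */
    public function __construct($uname, $pass) {
        $this->uname = (string) $uname;
        $this->pass = (string) $pass;
        $this->cookieName = "cookieName";
        $this->authUser();
    }

    /**
     * Validate the submitted credentials and, on success, issue a session
     * token (stored in the user table and sent as a cookie).
     *
     * Returns true on success, false on any failure; on failure the login
     * form has already been redisplayed by halt(). Nothing here terminates
     * the request, so callers must not treat "returned" as "logged in".
     */
    public function authUser() {
        // Both pre-checks used to be no-ops: loginDataComplete() tested
        // undefined locals and wrote `$this->halt` (a property read, not a
        // call), and validateLogin() had its halt() commented out. The SQL
        // below was therefore reachable with arbitrary input.
        if (!$this->loginDataComplete()) {
            return false;
        }
        if (!$this->validateLogin()) {
            return false;
        }

        // create dbase object
        $db = new db();

        // Look the user up by name only and verify the password in PHP:
        // a crypt() hash can only be checked by re-hashing with the salt
        // carried in the stored hash, so a fixed-salt hash compared inside
        // the WHERE clause could never match a legacy row with another salt.
        // pg_query_params() binds the value server-side, so nothing the
        // client sent is interpolated into the SQL. "user" is a reserved
        // word in PostgreSQL, hence the quoted identifier.
        $userQuery = pg_query_params(
            $db->db,
            'select oid, adminuser, pass from "user" where username = $1',
            array($this->uname)
        );
        if ($userQuery === false || pg_num_rows($userQuery) !== 1) {
            $this->halt();
            return false;
        }

        $storedHash = pg_fetch_result($userQuery, 0, 'pass');
        if (!$this->passwordMatches($storedHash)) {
            $this->halt();
            return false;
        }

        $user_oid = pg_fetch_result($userQuery, 0, 'oid');
        $this->adminUsr = pg_fetch_result($userQuery, 0, 'adminuser');

        // generate a fresh, unguessable session token for this login
        $this->createSessionID();

        // write session token to the user table (bound, not interpolated)
        $resultSessid = pg_query_params(
            $db->db,
            'update "user" set sessid = $1 where oid = $2',
            array($this->session_id, $user_oid)
        );
        if ($resultSessid === false) {
            $this->halt();
            return false;
        }

        // set session cookie; a refused cookie means the client cannot
        // present the token, so that is a failed login too
        if (!$this->setSessionCookie()) {
            return false;
        }

        // authentication complete
        // redirect 2 welcome page here
        return true;
    }

    /**
     * Constant-time check of the submitted password against the crypt()
     * hash read from the database. Works for the legacy standard-DES rows
     * (crypt() reuses whatever salt/format prefix the stored hash carries)
     * and for any stronger crypt format the table is migrated to later.
     */
    private function passwordMatches($storedHash) {
        // A NULL or empty stored hash (account without a password) must
        // never authenticate; crypt() with such a salt only yields a "*0"
        // failure marker anyway.
        if (!is_string($storedHash) || strlen($storedHash) < 2) {
            return false;
        }
        $computed = crypt($this->pass, $storedHash);
        // hash_equals() does not leak the first mismatching byte via timing
        return hash_equals($storedHash, $computed);
    }

    /**
     * Check that neither field is empty. Returns true when both are
     * non-empty, otherwise redisplays the form via halt() and returns false.
     */
    public function loginDataComplete() {
        if ($this->uname === '' || $this->pass === '') {
            $this->halt();
            return false;
        }
        return true;
    }

    /**
     * Check that both fields contain only permitted characters. Returns
     * true when valid, otherwise redisplays the form via halt() and returns
     * false. NOTE(review): applying the same whitelist to the password
     * needlessly limits its character set now that the query is bound;
     * kept because it is the documented contract of this class.
     */
    public function validateLogin() {
        $isValidUname = $this->validateChars($this->uname);
        $isValidPass = $this->validateChars($this->pass);
        if (!$isValidUname || !$isValidPass) {
            $this->halt();
            return false;
        }
        return true;
    }

    /**
     * True when $what is a string made only of A-Z, a-z, 0-9 and underscore
     * (the empty string qualifies, as with the original pattern).
     */
    public function validateChars($what) {
        // ereg() was removed in PHP 7. \z rather than $ so that a trailing
        // newline cannot slip past the whitelist.
        return is_string($what) && preg_match('/^[A-Za-z0-9_]*\z/', $what) === 1;
    }

    /**
     * Create a new session token in $this->session_id.
     *
     * 128 bits from the OS CSPRNG, hex-encoded to 32 characters so it fits
     * wherever the previous md5() hex token was stored. The previous
     * md5(uniqid(rand())) seeded from microtime() was predictable by anyone
     * able to estimate the login time.
     */
    public function createSessionID() {
        $this->session_id = bin2hex(random_bytes(16));
    }

    /**
     * Send the session token as a cookie. Returns true when PHP accepted
     * the cookie, otherwise redisplays the form via halt() and returns false.
     */
    public function setSessionCookie() {
        // HttpOnly keeps the token out of reach of page script; Secure is
        // set whenever the login itself arrived over TLS so the token is not
        // replayed in clear. Path is left at the default (current directory)
        // as before. 7200 s is two hours (the old comment said one).
        $secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
        $issetCookie = setcookie($this->cookieName, $this->session_id, time() + 7200, '', '', $secure, true);
        if ($issetCookie !== true) {
            $this->halt();
            return false;
        }
        return true;
    }

    /**
     * Record the logon attempt in the log.
     * NOTE(review): the include of lib/log.inc at the top of this file is
     * commented out, so `new log` is a fatal error until it is restored.
     */
    public function recordLogin() {
        $log = new log;
        $log->record();
    }

    /**
     * Failure path: redisplay the login form. Deliberately gives no hint
     * whether the username or the password was wrong. Does not stop the
     * request; every caller returns false right after calling this.
     */
    public function halt() {
        // authentication failed display login form
        displayLogin();
        // write login attempt to log here
        // call 2 optional error msg handler here
    }
} // end authentication class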
// -----------------------------------------------
// login presentation template
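function displayLogin() {
    // Login presentation template. Nothing user-supplied is echoed here, so
    // no output escaping is needed; keep it that way (htmlspecialchars() it)
    // if an error message is ever added.
    // Markup fixes vs. the original: the <form> sat directly inside <table>
    // (browsers silently relocate it), one stray </tr> left the rows
    // unbalanced, and the focus script was placed after </body>. The order
    // of controls inside the form is unchanged, so forms[0][0]/forms[0][1]
    // below still address uname/pass.
    // NOTE(review): the image button is named "doLogin", the same as the
    // onsubmit handler; inline handlers resolve names against the form's
    // elements first, so the handler may pick the button rather than the
    // function - confirm against javascript/index.js or rename the button.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<script language="JavaScript" src="./javascript/common.js"></script>
<script language="JavaScript" src="./javascript/index.js"></script>
</head>
<body onload="init()" leftmargin="0" marginwidth="0" topmargin="0" marginheight="0">
<div align="center">
<table cellpadding="0" cellspacing="0" border="0">
<tr><td colspan="2"><img src="images/1pix.gif" height="30" border="0"></td></tr>
<tr><td colspan="2" align="center"><img src="images/nav.gif" border="0"></td></tr>
<tr><td colspan="2"><img src="images/1pix.gif" height="30" border="0"></td></tr>
<tr><td colspan="2" align="right"><img src="images/brand.gif" border="0"></td></tr>
<tr><td colspan="2"><img src="images/1pix.gif" height="30" border="0"></td></tr>
<tr><td colspan="2" class=text align="center"><img src="images/temp_nav.gif" border="0"></td></tr>
<tr>
<td width="345"><img src="images/1pix.gif" width="345" border="0"></td>
<td width="345" align="right" valign="top">
<form enctype="multipart/form-data" action="./index.html" method="POST" name="loginForm" onsubmit="return doLogin(this)" style="margin:0px; padding:0px;">
<table cellpadding="0" cellspacing="6" border="0">
<tr><td colspan="2"><img src="images/1pix.gif" height="10" border="0"></td></tr>
<tr><td width="345" colspan="2"><div class="textTitle">Please enter your Username &amp; Password</div></td></tr>
<tr><td colspan="2"><img src="images/1pix.gif" height="10" border="0"></td></tr>
<tr>
<td width="72" class="text">username</td>
<td width="273"><input type="text" name="uname" class="loginForm" tabindex="1"></td>
</tr>
<tr>
<td class="text">password</td>
<td><input type="Password" name="pass" class="loginForm"></td>
</tr>
<tr><td colspan="2"><img src="images/1pix.gif" height="2" border="0"></td></tr>
<tr>
<td></td>
<td><input type="image" src="images/login.gif" name="doLogin" border="0" alt="Click Here to Login..." style="cursor: hand;"></td>
</tr>
<tr><td colspan="2"><img src="images/1pix.gif" height="10" border="0"></td></tr>
<tr>
<td width="320" colspan="2">
<div class="textTitle">warning:</div>
<div class="text" align="justify">warning message and legal stuff here</div>
</td>
</tr>
</table>
</form>
</td>
</tr>
</table>
</div>
<script>
<!--
if (document.forms[0][0].value != '') {
    document.forms[0][1].focus();
} else {
    document.forms[0][0].focus();
}
// -->
</script>
</body>
</html>
<?php
} // end display login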
?>
END doLogin.inc //