Secure PHP Development- P31 docx

Chapter 5: Central Authentication System

IN THIS CHAPTER
◆ How central authentication works
◆ How to create central login application
◆ How to create central logout application
◆ How to create central authentication database
◆ How to test central login and logout
◆ How to make persistent logins in Web server farms

A CENTRAL AUTHENTICATION SYSTEM consists of two applications: login and logout. The login application allows users to log in, and the logout application is used to terminate the login session. This chapter shows you how to build and implement such a system.

How the System Works

First, let's take a look at how such a system will work with any of your PHP Application Framework-based applications. Figure 5-1 shows a partial flow diagram for a PHP application that requires authentication and authorization.

When such an application starts up, it checks to see if the user is already authenticated. This is done by checking for the existence of a user session. If such a user session is found, the user is authenticated and the application then performs the authorization check itself. If the user is not authenticated already, she is automatically redirected to the authentication system. Similarly, in the authorization phase, if the user is found to be incapable of running the application due to lack of privilege, she is redirected to the authentication system.

In our PHP Application Framework (PHPAF) model, the authentication application is called login.php. Figure 5-2 shows how this application works.

Figure 5-1: How an application works with the authentication system.

Figure 5-2: How the login application works.

The login application gets the user credentials (username and password) from the GUI and checks the validity of the credentials against a user table in the authentication database. If the user has supplied valid credentials, a user session is created and the user is directed to the application that made the login request. A user is given a set number of chances to log in, and if she doesn't succeed in providing valid credentials, the login application automatically directs the user to an HTML page which should warn the user about abuse.

Like the login application, the central logout application can be linked from any application interface to allow a user to immediately log out. The logout application works as shown in Figure 5-3.

Figure 5-3: How the logout application works.

The logout application checks if the user is really logged in. If she is logged in, the user session is removed, and if she isn't, a "Not Logged In" message is displayed.

The class level architecture of the central authentication system is shown in Figure 5-4. Here you can see that the login.php application uses a class called class.Authentication.php and a framework class called class.PHPApplication.php to implement its services. The latter class provides database access to the login application via another framework class called class.DBI.php. Both of these framework classes have been developed in Chapter 4. The session management aspect of login and logout is provided by PHP's built-in session functionality. Similarly, the logout application uses class.PHPApplication.php to implement its logout service.

In the rest of the chapter we will create the necessary classes and develop the login/logout applications to implement the above-mentioned central authentication system.

Figure 5-4: Class Level Architecture of the central authentication system.

Creating an Authentication Class

Listing 5-1 shows the authentication class called class.Authentication.php, which will implement the central authentication system.

Listing 5-1: class.Authentication.php

<?php
/*
 * Application class
 *
 * @author EVOKNOW, Inc. <php@evoknow.com>
 * @access public
 * CVS ID: $Id$
 */

include_once $DEBUGGER_CLASS;

class Authentication {

    // PHP 4-style constructor: the method name matches the class name
    function Authentication($email = null, $password = null, $db_url = null)
    {
        global $AUTH_DB_TBL;

        $this->status   = FALSE;
        $this->email    = $email;
        $this->password = $password;
        $this->auth_tbl = $AUTH_DB_TBL;
        $this->db_url   = ($db_url == null) ? null : $db_url;

        // No explicit database URL given: build one from the global configuration
        if ($db_url == null) {
            global $AUTH_DB_TYPE, $AUTH_DB_NAME;
            global $AUTH_DB_USERNAME, $AUTH_DB_PASSWD;
            global $AUTH_DB_HOST;

            $this->db_url = sprintf("%s://%s:%s@%s/%s", $AUTH_DB_TYPE,
                                    $AUTH_DB_USERNAME, $AUTH_DB_PASSWD,
                                    $AUTH_DB_HOST, $AUTH_DB_NAME);
        }

        $this->status = FALSE;
    }

    function authenticate()
    {
        $dbi = new DBI($this->db_url);

        // Look up the active account for this e-mail address. $this->email is spliced
        // directly into the SQL string, so it must be validated or escaped before it
        // reaches this point; otherwise the supplied value can alter the query.
        $query  = "SELECT USER_ID, PASSWORD from " . $this->auth_tbl;
        $query .= " WHERE EMAIL = '" . $this->email . "' AND ACTIVE = '1'";

        $result = $dbi->query($query);

        // Guard against an empty result set before reading the row's fields
        if ($result != null && ($row = $result->fetchRow()) != null) {
            // The stored value is a crypt() hash; its first two characters are the salt
            $salt = substr($row->PASSWORD, 0, 2);

            if (crypt($this->password, $salt) == $row->PASSWORD) {
                // Listing 5-1 continues on the next page of the book; the rest of
                // this method is not part of this excerpt.
            }
        }
    }
}
?>
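The credential check of Listing 5-1, as an added example that is not the book's code: it binds the e-mail as a query parameter instead of splicing it into the SQL string, guards against an empty result, compares hashes in constant time, and hands the whole stored hash to crypt() as the salt, which covers the listing's two-character DES salt and newer crypt() schemes alike. It assumes an in-memory SQLite table via PDO as a stand-in for the book's central user database and class.DBI.php, with the USER_ID, EMAIL, PASSWORD and ACTIVE columns the listing queries, and the user rows are constructed sample data.

```php
<?php
// Added example (not from the book): Listing 5-1's authenticate() check, hardened,
// against an in-memory SQLite table. PDO stands in for the book's class.DBI.php.

function buildAuthDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE USERS (USER_ID INTEGER, EMAIL TEXT, PASSWORD TEXT, ACTIVE TEXT)');
    // Constructed sample accounts. The stored value is a crypt() hash whose first two
    // characters are the DES salt, the layout Listing 5-1's substr($row->PASSWORD,0,2) expects.
    $stmt = $db->prepare('INSERT INTO USERS VALUES (?, ?, ?, ?)');
    $stmt->execute([1, 'alice@example.com', crypt('s3cret', 'ab'), '1']);
    $stmt->execute([2, 'bob@example.com',   crypt('other',  'cd'), '0']); // inactive account
    return $db;
}

// Returns the USER_ID on success, or null when the e-mail is unknown, the account is
// inactive, or the password does not match.
function authenticate(PDO $db, string $email, string $password): ?int {
    // The e-mail is a bound parameter: a value such as "' OR '1'='1" is matched
    // literally as an address rather than rewriting the WHERE clause.
    $stmt = $db->prepare("SELECT USER_ID, PASSWORD FROM USERS WHERE EMAIL = ? AND ACTIVE = '1'");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    if ($row === false) {
        return null;   // no row: nothing to dereference, unlike the listing's unguarded fetchRow()
    }
    // Passing the full stored hash as the salt lets crypt() pick the scheme itself: for a
    // DES hash it uses the first two characters, for "$2y$..."-style hashes the full prefix.
    // hash_equals() compares in constant time instead of the listing's == comparison.
    if (hash_equals($row->PASSWORD, crypt($password, $row->PASSWORD))) {
        return (int) $row->USER_ID;
    }
    return null;
}

$db = buildAuthDb();
var_dump(authenticate($db, 'alice@example.com', 's3cret'));   // valid, active user
var_dump(authenticate($db, 'alice@example.com', 'wrong'));    // wrong password
var_dump(authenticate($db, 'bob@example.com', 'other'));      // correct password, ACTIVE = '0'
var_dump(authenticate($db, "' OR '1'='1", 's3cret'));         // bound as a literal e-mail
```

Running it needs PHP with the pdo_sqlite extension; the last call shows the spliced-string problem of the original query turning into a plain lookup miss once the value is bound.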

Posted on: 07/07/2014, 07:20
