Authentication | Administration | Methods
Authentication with HttpAuthPlus
Any file that you wish to protect must first have 'HttpAuthPlus_class.php' included in it. To do this, simply add the following to the top of any PHP document that needs protecting:

    require_once('path/HttpAuthPlus_class.php');

Take note of these files, as you will be adding some additional code to them later to do the actual authenticating. This step simply gives the script the ability to use the authentication features of HttpAuthPlus. After that you must decide which authentication scheme you are going to use.
HttpAuthPlus has two modes of authenticating:
1. Using HttpAuthPlus to authenticate against a flat-file. If using this method you do not need to include the PEAR DB.php file, so open HttpAuthPlus_class.php in your favorite PHP editor and comment out the line underneath the copyright notice that reads:

    require_once('DB.php');

It should now look like:

    #require_once('DB.php');
The next step is creating an instance of the HttpAuthPlus object and setting a few parameters before we actually perform the authentication. We do this by adding the following to the top of the script (anywhere before any output is sent to the browser is fine):

    $login = new HttpAuthPlus;
    $login->setAuthType('file');
    $login->setAuthFile('C:\pathto\passwordfile.txt');
    $login->AuthUser();
    # the rest of your
    # 'protected' code here...
The above example is pretty straightforward:

    $login = new HttpAuthPlus; // creates a new instance of the HttpAuthPlus object
    $login->setAuthType('file'); // sets the authentication against a flat-file instead of a database (the default)
    $login->setAuthFile('C:\pathto\passwordfile.txt'); // the file to authenticate against; if it does not exist, it is created
    $login->AuthUser(); // performs the actual authentication
The default format of the file created by HttpAuthPlus is:

    username|password|email\n

This field delimiter can be altered using the setFieldDel($delimiter) method. If you do decide to use an alternate delimiter when first creating your password file, all subsequent authentication, add, edit and delete calls must have setFieldDel($delimiter) set to match what is currently being used for the password file. This must be done before making any calls to the authenticate, add, edit or delete methods. The default is the '|' character.
By default HttpAuthPlus stores passwords in plain text. This is a security risk, and you should encrypt your passwords by using the setAuthEncrypt() method to change the default behavior. This is done like so:

    $login = new HttpAuthPlus;
    $login->setAuthType('file');
    $login->setAuthFile('C:\pathto\passwordfile.txt');
    $login->setAuthEncrypt('crypt');
    $login->AuthUser();
    # the rest of your
    # 'protected' code here...
Notice the 4th line:

    $login->setAuthEncrypt('crypt');

This changes the way in which passwords are stored and compared from plain text to an encrypted form. It uses the first two letters of the username as the salt and PHP's crypt() function. This only protects against the password file itself being directly read; packet sniffers will still be able to pick up the username and password on their way to the server. Refer to Method Documentation for further details and options for file-based authentication.
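The following is an added example, not code from HttpAuthPlus itself, showing what the flat-file mode described above amounts to: records in the username|password|email layout are parsed with a configurable delimiter, the supplied password is run through crypt() with the first two letters of the username as salt and compared against the stored value, and a page that fails the check is answered with an HTTP Basic challenge. The function names, the constructed temporary password file and the demo user are assumptions made for the example; the check guards against usernames whose first two characters are not a valid crypt() salt, and uses hash_equals() so the comparison does not leak timing information.

```php
<?php
// Added example (not HttpAuthPlus code). Illustrates the documented flat-file
// layout and the 'crypt' storage mode; names and sample data are assumptions.
declare(strict_types=1);

/** Parse the password file into [username => ['password' => ..., 'email' => ...]]. */
function loadPasswordFile(string $path, string $delimiter = '|'): array
{
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode($delimiter, $line, 3);
        if (count($parts) !== 3) {
            continue; // malformed record: skip it rather than guess at the fields
        }
        [$user, $stored, $email] = $parts;
        $users[$user] = ['password' => $stored, 'email' => $email];
    }
    return $users;
}

/** Verify a password the way the documented 'crypt' mode stores it. */
function checkCryptPassword(string $username, string $password, string $stored): bool
{
    $salt = substr($username, 0, 2);
    // A two-character salt selects classic DES crypt(); characters outside
    // [./0-9A-Za-z] are not a valid salt and crypt() returns a failure token.
    if (strlen($salt) < 2 || !preg_match('#^[./0-9A-Za-z]{2}$#', $salt)) {
        return false;
    }
    $computed = crypt($password, $salt);
    // DES crypt output is always 13 characters; anything else is a failure token.
    return strlen($computed) === 13 && hash_equals($stored, $computed);
}

/** Verify a password stored in the default plain-text mode. */
function checkPlainPassword(string $password, string $stored): bool
{
    return hash_equals($stored, $password);
}

/**
 * What a protected page would call: accept the HTTP Basic credentials the
 * browser sent, or issue the 401 challenge and stop. Returns the username.
 */
function requireBasicAuth(array $users, string $mode = 'crypt', string $realm = 'Protected'): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user !== '' && isset($users[$user])) {
        $stored = $users[$user]['password'];
        $ok = ($mode === 'crypt')
            ? checkCryptPassword($user, $pass, $stored)
            : checkPlainPassword($pass, $stored);
        if ($ok) {
            return $user;
        }
    }
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

// --- Constructed demo data (a temporary file, not a real password file) ---
$tmp = tempnam(sys_get_temp_dir(), 'pw');
$hash = crypt('s3cret', substr('alice', 0, 2)); // "al" is the salt, as documented
file_put_contents($tmp, "alice|$hash|alice@example.com\n");
$users = loadPasswordFile($tmp);
echo 'correct password: ',
    checkCryptPassword('alice', 's3cret', $users['alice']['password']) ? 'accepted' : 'rejected', PHP_EOL;
echo 'wrong password:   ',
    checkCryptPassword('alice', 'wrong', $users['alice']['password']) ? 'accepted' : 'rejected', PHP_EOL;
unlink($tmp);
```

Run from the command line the demo only exercises the file parsing and the password check; in a web context a protected page would call requireBasicAuth($users) before sending any output, for the same reason the documentation puts AuthUser() at the top of the script.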
2. Using HttpAuthPlus to authenticate against a database. If using this method (the default) you need to include the PEAR DB.php file, so if it is not already in your PATH, open HttpAuthPlus_class.php in your favorite PHP editor and edit the line underneath the copyright notice that reads:

    require_once('DB.php');

so that it points to your copy of 'DB.php'.
After that we create an instance of the HttpAuthPlus object, set a few parameters and authenticate. This is done by adding the following lines to the top (before any output to the browser) of any script you wish to protect:

    $login = new HttpAuthPlus;
    $login->setAuthEncrypt('crypt');
    $login->setDbType('mysql');
    $login->setDbHost('localhost');
    $login->setDbUser('username');
    $login->setDbPass('password');
    $login->setDbName('databasename');
    $login->setUsernameField('username_field');
    $login->setPasswordField('password_field');
    $login->setEmailField('email_field');
    $login->setDbInitStr();
    $login->setTableName('tablename');
    $login->AuthUser();
    # the rest of your 'protected' code here....
The above example is pretty straightforward:

    $login = new HttpAuthPlus; // create a new instance of the HttpAuthPlus object
    $login->setAuthEncrypt('crypt'); // set the authentication to 'crypt' or 'plain-text'
    $login->setDbType('mysql'); // sets the type of database to use
    $login->setDbHost('localhost'); // the hostname or IP of the database server
    $login->setDbUser('username'); // the username for connecting to the server
    $login->setDbPass('password'); // the password for connecting to the server
    $login->setDbName('databasename'); // the name of the database to use
    $login->setUsernameField('username_field'); // the name of the field that contains the username
    $login->setPasswordField('password_field'); // the name of the field that contains the password
    $login->setEmailField('email_field'); // the name of the field that contains the email address
    $login->setDbInitStr(); // builds the DSN string; must be called after initializing the database variables
    $login->setTableName('tablename'); // the name of the table that stores usernames, passwords and emails
    $login->AuthUser(); // carries out the authentication against the database
    # the rest of your 'protected' code here....
Refer to Method Documentation for further details and options for database authentication.
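As an added example (not HttpAuthPlus's own code), the block below shows the two steps the database mode above depends on: assembling a connection string from the separately-set host, user, password and database name, in the "phptype://user:pass@host/dbname" form that PEAR DB accepts, and looking the user up by the configured username field with a bound parameter, comparing the password in PHP rather than in the SQL. PDO with an in-memory SQLite table stands in for the MySQL server so the example runs offline; the function names, the table layout and the demo user are assumptions made for the example.

```php
<?php
// Added example (not HttpAuthPlus code). PEAR DB is replaced by PDO/SQLite
// so it runs stand-alone; table, column and function names are assumptions.
declare(strict_types=1);

/** Build a PEAR-DB-style DSN from the parts the setDb*() methods collect. */
function buildDsn(string $type, string $host, string $user, string $pass, string $name): string
{
    // URL-encode the credentials so a '@' or '/' in a password cannot break the DSN.
    return sprintf('%s://%s:%s@%s/%s', $type, rawurlencode($user), rawurlencode($pass), $host, $name);
}

/** Fetch the stored password for a username, or null if there is no such user. */
function fetchStoredPassword(PDO $db, string $table, string $userField, string $passField, string $username): ?string
{
    // Table and column names cannot be bound as parameters, so only plain
    // identifiers are accepted before they are placed in the statement text.
    foreach ([$table, $userField, $passField] as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("bad identifier: $ident");
        }
    }
    // The username itself is bound, never interpolated into the SQL.
    $stmt = $db->prepare("SELECT $passField FROM $table WHERE $userField = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : (string) $row[0];
}

/** Authenticate in either documented mode: 'crypt' or plain text. */
function authenticate(
    PDO $db, string $table, string $userField, string $passField,
    string $username, string $password, string $mode = 'crypt'
): bool {
    $stored = fetchStoredPassword($db, $table, $userField, $passField, $username);
    if ($stored === null) {
        return false; // unknown user: same result as a wrong password
    }
    if ($mode === 'crypt') {
        // First two letters of the username as the DES salt, as documented.
        $computed = crypt($password, substr($username, 0, 2));
        return strlen($computed) === 13 && hash_equals($stored, $computed);
    }
    return hash_equals($stored, $password);
}

// --- Constructed demo: the DSN the setDb*() values would produce, then an
// in-memory table holding one crypt-mode user ---
echo buildDsn('mysql', 'localhost', 'username', 'p@ss/word', 'databasename'), PHP_EOL;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, email TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :p, :e)');
$ins->execute([':u' => 'bob', ':p' => crypt('hunter2', 'bo'), ':e' => 'bob@example.com']);

echo 'bob / hunter2: ',
    authenticate($db, 'users', 'username', 'password', 'bob', 'hunter2') ? 'accepted' : 'rejected', PHP_EOL;
echo 'bob / wrong:   ',
    authenticate($db, 'users', 'username', 'password', 'bob', 'wrong') ? 'accepted' : 'rejected', PHP_EOL;
echo 'unknown user:  ',
    authenticate($db, 'users', 'username', 'password', 'carol', 'hunter2') ? 'accepted' : 'rejected', PHP_EOL;
```

The identifier check matters because the table and field names come from configuration calls (setTableName(), setUsernameField(), setPasswordField()) and have to be spliced into the statement text; the username, which comes from the browser, is always passed as a bound value.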