PHP Authentication

Sorry about posting another PHP thread! It may be another one I'm crap at explaining too.

Right, I've got a working registration and login page but now I actually need to set up a "check" for each restricted page to see if the user is authenticated.

So far I've just got this included on each page I want to be restricted but I was hoping for a more elegant solution which I didn't have to remember to include each time:

PHP:
if(!isset($_SESSION['auth']) || $_SESSION['auth'] != 1){
	die("not authorised");
}

I've only got 3 pages which don't need authentication - they are /login, /register and the index /. I was thinking maybe it would be easier to deny access unless it's either of these 3 pages (or if the user isn't logged in).

Is this an acceptable idea? And if so, would anyone be able to give me a hand implementing it?

I've now got everything going through a "single point of entry" which should be an ideal place to do the check but I can't figure out the final part of actually checking which page the user is viewing.

Any help would be appreciated. :)
 
You're not going to like this, but here you go. The best way of having tasks like this pretty much automated is to use a framework. Our internal company framework makes stuff like this a breeze - the controller for each page simply inherits from a base controller for that section of the site (we call them circuits) which contains all the gubbins to make sure the user has a valid session and also that they have access to the requested page (Access Control Lists or ACLs).

If this is an old legacy site then that won't be possible and you'll just have to put that code into a utility library and include it on each page.

If you are just starting out with PHP I'd really recommend going the framework route - it will save you a lot of trouble (i.e. learning bad habits).
 
Thanks for the reply. Yeah I'll definitely be using a framework for my next project, I've heard really good things about them. Unfortunately this was a project I'm working on at uni and I'd already done quite a bit by the time I'd heard how brilliant frameworks are.

I've been using the MVC design pattern though, so I do have a base controller which everything inherits from.

I managed to get it working by putting this in my single point of entry page... not sure if it's "good practice" but it seems to be working fine so far.

auth.txt

Basically if they haven't logged in and got a session set up and if it's not one of the pages in the array, deny access.
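
The deny-unless-public check described in this thread, written out as an added example; it is not the contents of auth.txt or any poster's code. It assumes the login page sets `$_SESSION['auth'] = 1` and that the site lives at the web root; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. The three public routes are the ones named in the thread;
// every other path is denied unless the session is authenticated.
const PUBLIC_PATHS = ['/', '/login', '/register'];

// Reduce the request URI to the path only, so "/login?next=/admin" and
// "/login/" both compare equal to "/login". Nothing else is normalised:
// the less rewriting here, the fewer URLs can slip onto the public list.
function canonical_path(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return '';                  // malformed URI: matches no public path
    }
    $path = rtrim($path, '/');
    return $path === '' ? '/' : $path;
}

// Assumption: login stores the integer 1, so compare strictly.
function is_authenticated(array $session): bool
{
    return isset($session['auth']) && $session['auth'] === 1;
}

// Returns the path to dispatch on, or ends the request with a 403.
function enforce_auth(string $requestUri, array $session): string
{
    $path = canonical_path($requestUri);
    // Exact, strict match. A prefix test such as strpos($uri, '/login') === 0
    // would also treat "/loginfoo" and "/login/../admin" as public.
    if (in_array($path, PUBLIC_PATHS, true) || is_authenticated($session)) {
        return $path;
    }
    http_response_code(403);
    exit('not authorised');
}

// Single point of entry (e.g. index.php), before any controller runs.
session_start();
$path = enforce_auth($_SERVER['REQUEST_URI'] ?? '', $_SESSION);
// Dispatch on $path, not on the raw REQUEST_URI, so the router and the
// gate always agree on which page was requested.
```

A new page added later is restricted automatically; only a deliberate edit to `PUBLIC_PATHS` makes it public.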
 
Can you recommend a framework for this kind of thing please?
 
I've heard a lot of people recommending the Zend framework. It's widely used and support should be easy to find.

Really wish I'd known more about frameworks when I started this project though!
 
Is it worth using a framework even for a small static site or just for larger sites? I downloaded Kohana a while back after seeing all the threads where you mention it and it does seem a good touch although I have literally only put together about 3 pages using it. Would you use it even for knocking up a small site for someone?

I do pimp it quite a bit don't I :D

To answer your question, though, I'd probably use it for any small-medium or bigger project – roughly speaking, anything that involves database interaction.

If it's just a static site I wouldn't bother with a framework as you really wouldn't benefit from it. Just create a file per page and set up URL rewriting if you want clean URLs.
 
Thanks for that. Hopefully I will get a bit of a look at it soon. I want to write an admin section for my own site to make it more like a CMS so maybe that would be a good starter project. I did think you were getting paid for every mention of them!
 
:o

I just like encouraging people to use it as it completely transformed the way I write PHP applications and made it so much easier and more enjoyable. I covet structure, simplicity, and maintainability above all else in the code I write, and Kohana provides that for me. :)
 
Go for the framework with the biggest community of users, the best documentation and the best chances of finding work (if you want to make a career out of web development). That rules out Kohana - it's not a bad framework, it just doesn't have the large usage and corporate backing that something like the Zend Framework does.

Our company has developed its own framework (for various reasons) that does all of the MVC stuff, but we then reuse Zend Framework components that would be too costly/time consuming to do ourselves (Zend_Pdf, Zend_Search_Lucene etc).
 
I think it rather depends on what the intended application of the framework is. If you're just using it for personal projects, as I do, then I'd say it's more important to make a choice based on the framework's own merits than anything else, though the community and documentation are also important.

You also have to be careful to avoid over-engineering in frameworks, particularly if you only need the framework for small to medium projects.
 