Section 13.4. Using Auth_HTTP to Authenticate


Similar to the way you use PEAR to improve and simplify database access, there's also a PEAR module called Auth_HTTP that streamlines the process of authenticating users against a database table. Because the code is prewritten, it reduces the risk that you'll make a mistake when authenticating users. You may notice that there's also a module called Auth. This module is similar to Auth_HTTP, except it displays the login screen using an HTML page instead of the pop-up authentication that Auth_HTTP uses.

As far as how it looks, the user can't tell that there is a difference between using the manually applied HTTP authentication dialogs that were previously used in this chapter and the Auth_HTTP module.

If you haven't already installed the Auth_HTTP module, you can do so by entering pear install Auth from the command line. You must be logged in as root on a Unix host to do it. The pear install Auth command displays the output shown in Example 13-17.

Example 13-17. pear install Auth output

 downloading Auth-1.2.3.tgz ...
 Starting to download Auth-1.2.3.tgz (24,040 bytes)
 ........done: 24,040 bytes
 Optional dependencies:
 package `File_Passwd' version >= 0.9.5 is recommended to utilize some features.
 package `Net_POP3' version >= 1.3 is recommended to utilize some features.
 package `MDB' is recommended to utilize some features.
 package `Auth_RADIUS' is recommended to utilize some features.
 package `File_SMBPasswd' is recommended to utilize some features.
 install ok: Auth 1.2.3

If you follow the command in Example 13-17 with pear install Auth_HTTP, you'll get the output shown in Example 13-18.

Example 13-18. pear install Auth_HTTP output

 downloading Auth_HTTP-2.1.6.tgz ...
 Starting to download Auth_HTTP-2.1.6.tgz (9,327 bytes)
 .....done: 9,327 bytes
 install ok: Auth_HTTP 2.1.6

Now, Example 13-19 automates checking usernames and passwords against the database.

Example 13-19. Using Auth_HTTP to authenticate a user

 <?php
 // Using Auth_HTTP to limit access
 require_once('db_login.php');
 require_once("Auth/HTTP.php");

 // We use the same connection string as the pear DB functions
 $AuthOpts = array(
     'dsn'         => "mysql://$db_username:$db_password@$db_host/$db_database",
     'table'       => "users",     // your table name
     'usernamecol' => "username",  // the table username column
     'passwordcol' => "password",  // the table password column
     'cryptType'   => "md5",       // password encryption type
 );

 $authenticate = new Auth_HTTP("DB", $AuthOpts);

 // Set the realm name
 $authenticate->setRealm('Member Area');

 // Authentication failed error message
 $authenticate->setCancelText('<h2>Access Denied</h2>');

 // Request authentication
 $authenticate->start();

 // compare username and password to stored values
 if ($authenticate->getAuth()) {
     echo "Welcome back to our site ".$authenticate->username.".";
 }
 ?>

What's happening here is that we include the Auth_HTTP code with a require_once line. The AuthOpts array contains the parameters that define how you connect to the database, which table contains user information, and the exact fields to be checked. These parameters are listed in Table 13-2.

Table 13-2. Auth options

Key           Description                                                          Example
dsn           The same database connect string that we used with PEAR DB           mysql://$db_username:$db_password@$db_host/$db_database
table         The database table that holds login information                      users
usernamecol   The database field that holds the username                           username
passwordcol   The database field that stores the possibly encrypted password       password
cryptType     How the password is encrypted in the database                        none, md5
db_fields     Which additional fields to retrieve from the login information table  *, first_name, user_id


Once you have the options set, use new to create an authentication object. Call setRealm to set the realm, start the authentication with start, and check the result with getAuth. The name passed to setRealm is the realm for HTTP authentication; it appears in the login box that the browser displays.

Figure 13-12 shows the authentication dialog before entering the username and password.

Figure 13-12. We see our familiar authentication prompt before clicking OK


Once validated against the values in the database, we see the page in Figure 13-13.

Figure 13-13. Telling the user that she is logged in now


If you were to refresh this page, you wouldn't be prompted again for a username and password as long as your session stays active.

A second example retrieves more information from the users table if the username and password match, as shown in Example 13-20.

Example 13-20. Retrieving additional information for the user

 <?php
 // Example of Auth_HTTP that also returns additional information
 require_once('db_login.php');
 require_once("Auth/HTTP.php");

 // We use the same connection string as the pear DB functions
 $AuthOptions = array(
     'dsn'         => "mysql://$db_username:$db_password@$db_host/$db_database",
     'table'       => "users",     // your table name
     'usernamecol' => "username",  // the table username column
     'passwordcol' => "password",  // the table password column
     'cryptType'   => "md5",       // password encryption type in your db
     'db_fields'   => "*",         // enabling fetch for other db columns
 );

 $authenticate = new Auth_HTTP("DB", $AuthOptions);

 // Set the realm name
 $authenticate->setRealm('Member Area');

 // Authentication failed error message
 $authenticate->setCancelText('<h2>Access Denied</h2>');

 // Request authentication
 $authenticate->start();

 // compare username and password to stored values
 if ($authenticate->getAuth()) {
     echo "Welcome back to our site ".$authenticate->username.".<br />";
     echo "Your full name is ";
     echo $authenticate->getAuthData('first_name');
     echo " ";
     echo $authenticate->getAuthData('last_name').".";
 }
 ?>

Figure 13-14 shows that the first and last names were also stored in the database and can now be used without doing a separate query. Any columns that were part of the users table can be accessed with getAuthData as long as db_fields is set to retrieve them all with "*".

Figure 13-14. We can now display more information from the users table without a new query


As you can see, using this module reduces the amount of manual work needed to log users in against a database. This saves you time, because you no longer need to construct a database query yourself. To make life even simpler, you could place the code from the last example into a separate include file that you pull in at the beginning of each script with restricted access. If the user is already logged in, the include displays nothing; if she isn't, it prompts her for a username and password. That way, all your pages are protected by the same chunk of code.
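The following is an added example of that reusable include, written for this page rather than taken from the book or from PEAR. It reuses the page's db_login.php variables and the users table, uses the db_fields option from Table 13-2 with an explicit column list instead of "*", and adds an explicit fail-closed check after start() so that the protected page below the include is never rendered when authentication did not succeed. The file names auth_check.php and members.php, the $current_user array and the columns first_name and user_id (from the table's example values) are assumptions.

```php
<?php
// ---- auth_check.php ----
// Added example: a reusable include that protects any page which
// require_once()s it at the top. Assumes db_login.php (from the page)
// defines $db_username, $db_password, $db_host and $db_database, and that
// the users table has the columns first_name and user_id (Table 13-2).
require_once('db_login.php');
require_once('Auth/HTTP.php');

$AuthOptions = array(
    'dsn'         => "mysql://$db_username:$db_password@$db_host/$db_database",
    'table'       => 'users',
    'usernamecol' => 'username',
    'passwordcol' => 'password',
    'cryptType'   => 'md5',                   // same as Examples 13-19 and 13-20
    // Fetch only the columns the pages need rather than "*", so unrelated
    // columns (including the stored password hash) are not pulled into the
    // authentication object's data.
    'db_fields'   => 'first_name, user_id',
);

$authenticate = new Auth_HTTP('DB', $AuthOptions);
$authenticate->setRealm('Member Area');
$authenticate->setCancelText('<h2>Access Denied</h2>');
$authenticate->start();

// Fail closed: if the credentials did not match, stop here so that nothing
// after this include is ever sent to an unauthenticated client, whatever
// the module itself did with the response.
if (!$authenticate->getAuth()) {
    exit;
}

// Expose the authenticated identity to the including page
// ($current_user is a name chosen for this example).
$current_user = array(
    'username'   => $authenticate->username,
    'user_id'    => $authenticate->getAuthData('user_id'),
    'first_name' => $authenticate->getAuthData('first_name'),
);
?>

<?php
// ---- members.php ----
// A restricted page: the include does all the authentication work, and
// execution only reaches the HTML below when getAuth() was true.
require_once('auth_check.php');
?>
<h1>Member Area</h1>
<p>Welcome back, <?php echo htmlspecialchars($current_user['first_name']); ?>
   (user #<?php echo (int) $current_user['user_id']; ?>).</p>
```

The include must be the first thing each restricted script executes, before any output, because Auth_HTTP sends the WWW-Authenticate and status headers when it prompts. Since HTTP authentication resends the username and password with every request to the realm, serve these pages over HTTPS only. The values echoed from the database are passed through htmlspecialchars() or cast to int so that a stored name cannot inject markup into the page.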

We're going to move on to something very important: security. As you know, hackers, benign and malicious, are everywhere. Keeping your site free of problems created by the malicious ones requires knowing a lot about security. The last chapter of the book lists additional security resources that go beyond what this book covers. We've touched on security in many places so far; now we'll summarize what you've learned in one place and introduce some advanced techniques to make your site as secure as possible. Regardless of whether your site contains sensitive customer data or just your favorite recipes, you don't want to log in to find your data missing or altered.

Learning PHP and MySQL
ISBN: 0596101104