
DevShed:
Building a User Management Application
November 25, 2008 @ 10:24:33

On DevShed.com today they're continuing a series with part two of their look at user management - more specifically at the creation of a user management application for access control.

Any application that is security critical will have some kind of method to track and maintain user activity. In this article we will begin to build a user management system that will give us control over who has access to which part of our application.

The system's functionality will also provide authentication support (not just role management) and allows for user registration, "forgot my password" and password management. Code and database information for the ten files needed to make the system are included.

user management application php5 tutorial password authentication



DevShed:
User Management Explained Overview
November 17, 2008 @ 16:03:53

On DevShed there's a new tutorial looking at user management in a PHP application including looks at data validation and encrypting passwords.

In this article we will look at how to create a secure user management module. No user authentication or user management script can ever be one hundred percent secure, but we can try to use the tools that are available to us to their maximum, and thereby make it difficult for malicious users to hack our scripts.

They include example scripts showing how to validate user input: its length, whether it's alphabetic, whether it's empty and whether it's numeric. They look at hashing with sha1(), comparing the hash of the user's input to the value already stored.

user management overview tutorial authentication password sha1


Solar Blog:
Authentication using MySQL
September 25, 2008 @ 08:48:59

On the Solar blog there's a new post introducing you to a method for authenticating your users (of your Solar-based application) off of a MySQL database.

This entry is an extension to the current manual page for user authentication and is intended for folks who have already been through the basics of SolarPHP. What I hope to accomplish here is to show you how to set up user authentication using MySQL, something the manual currently does not elaborate upon.

He includes all of the bits you'll need to get it up and working - the code for the authentication, the configuration file setup, and the MySQL table structure.

authentication mysql tutorial solarphp framework


Mind Tree:
Testing your web application
August 14, 2008 @ 12:04:52

This recent post from the Mind Tree blog shares a few methods for testing your web application (not unit tests, just general things).

Because the Web "environment" is so diverse and contains so many forms of programmatic content, input validation and sanity checking is the key to Web applications security. This involves both identifying and enforcing the valid domain of every user-definable data element, as well as a sufficient understanding of the source of all data elements to determine what is potentially user definable.

They note that the root of most problems is input validation - most applications either just don't do it or do it poorly. They include a few tips on first securing the environment the application is running in (like checking the HEAD/OPTIONS values and ensuring you're only allowing known file extensions and directories). They also mention the insecurity behind HIDDEN form elements and some issues surrounding user authentication.

testing application input validation authentication user environment


CodeIgniter Blog:
CodeIgniter Community Voice - Mathew Davies
July 02, 2008 @ 12:57:21

The CodeIgniter blog has posted another community spotlight by one of its members - this time it's Mathew Davies (author of the Redux Auth library) talking about hashing.

He talks about how several techniques are used in his Redux library, including hashing, salts, a method for getting/resetting a forgotten password and how to use database sessions to manage logged-in users.

The Redux Authentication System is a "great CodeIgniter Auth library. It's light, easy to use and fully featured. It's a great choice for your new or existing project due to the power it gives to the developer".

codeigniter community voice matthewdavies radux authentication library


Jonathan Street's Blog:
Windows Live Contacts coming to PEAR
June 30, 2008 @ 08:41:02

In a new entry to his blog, Jonathan Street talks about a new wrapper class he's built up around the Windows Live Contacts service.

It was a shame really as it was a really exciting project with Microsoft leading the way in the area. It's been only recently that Google and Yahoo have caught up and released their own APIs for accessing their users' data. [...] With the possibility of actually using the code myself creeping up on the horizon I decided to put the time in to write wrappers for PHP. It can be broken down into two components.

These two components are the delegated authentication, used to get permission from the user to grab the data, and the actual interface to the Windows Live Contacts data. Both packages have been submitted to PEAR.

windowslivecontacts pear package authentication


Padraic Brady's Blog:
Services_Oauth and Zend_Oauth Revisited
June 19, 2008 @ 10:21:57

Padraic Brady has gone back to a previous project, working with OAuth, and shares some thoughts on it and its possible implementation in both the Zend Framework and PEAR.

Starting yesterday, I opened up my IDE, updated PHPUnit, and got cracking. At the current rate of development a Consumer is likely at the weekend. I've already started writing up a formal proposal for PEAR and, of course, the Zend Framework also. I'm thankful the OAuth specification is this simple - it's one of the easiest to read specifications I've had the pleasure to work with.

He notes that an update to the API's Core (from 1.0 to 1.1) might be on the horizon, but can't see it affecting extensions/packages that much. He also mentions Extensions - not PHP extensions, but augmentations to the OAuth core that allow other functionality to be included (like Discovery).

servicesoauth oauth zendframework zendoauth authentication



Matthew Weier O'Phinney's Blog:
Login and Authentication with Zend Framework
March 31, 2008 @ 15:03:23

In a new entry on his blog today, Matthew looks to help, once and for all, those wondering how to handle user authentication and persistence in their Zend Framework applications.

The typical issue is that they're unsure how to combine: an authentication adapter, a login form, a controller for login/logout actions and checking for an authenticated user in subsequent requests. It's not terribly difficult, but it does require knowing how the various pieces of the MVC fit together, and how to use Zend_Auth. Let's take a look.

He gives the complete code for a login controller to cover most of that functionality and an example showing how to check for and keep track of which users have been authenticated.

tutorial zendframework login authentication example controller


Jonathan Snook's Blog:
Password Protecting Admin Functions in CakePHP
January 30, 2008 @ 09:31:00

Jonathan Snook has posted a helpful trick for CakePHP users out there looking to secure sections of their site away from "normal users" and keep it only in the hands of the admins.

I just wanted to document this for easy future reference but if you don't want to hook up a complex user administration with authorization components, you can simply specify that the admin path be password protected in either your .htaccess file or in your httpd.conf.

This method is actually one of the built-in methods Apache has for restricting access (HTTP authentication) that he's placed on his "/admin" directory. Call htpasswd to create the password file and you're all set to go.

cakephp framework password protect htaccess authentication http




All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework