Thread: HTTP authentication
Hi all!

I've read about http authentication with PHP in the PHP manual.

Now I wonder how I can make a logout button in the way it's supposed to be done? The manual mentions something about the headers but that this way does not work correctly on all browsers...

Furthermore I wonder how secure this way is?

Tia

It matters. There are about a dozen ways to do authentication.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: <pgsql-php@postgresql.org>
Sent: Thursday, April 26, 2001 12:45 PM
Subject: [PHP] HTTP authentication

> Hi all!
>
> I've read about http authentication with PHP in the PHP manual.
>
> Now I wonder how I can make a logout button in the way it's supposed to be done? The manual mentions something about the headers but that this way does not work correctly on all browsers...
>
> Furthermore I wonder how secure this way is?
>
> Tia
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

Are you doing authentication using sessions? Are you using timestamps in a database? Are you using http-auth? etc.

There are several ways to do authentication and if you want to do a "logout" button, the code would need to clear whatever is holding references to that login... hence you need to say how you are doing authentication so you know what needs to be cleaned up with a log out code.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: "'Adam Lang'" <aalang@rutgersinsurance.com>
Sent: Thursday, April 26, 2001 3:03 PM
Subject: RE: [PHP] HTTP authentication

> Can't see how this answers my questions :o)
>
> What matters?
>
> How would you do it?
>
> Thanks for your time, Chris
>
> > -----Original Message-----
> > From: pgsql-php-owner@postgresql.org
> > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Adam Lang
> > Sent: Thursday, April 26, 2001 8:42 PM
> > To: pgsql-php@postgresql.org
> > Subject: Re: [PHP] HTTP authentication
> >
> > It matters. There are about a dozen ways to do authentication.
> >
> > Adam Lang
> > Systems Engineer
> > Rutgers Casualty Insurance Company http://www.rutgersinsurance.com
> > ----- Original Message -----
> > From: "Christian Marschalek" <cm@chello.at>
> > To: <pgsql-php@postgresql.org>
> > Sent: Thursday, April 26, 2001 12:45 PM
> > Subject: [PHP] HTTP authentication
> >
> > > Hi all!
> > >
> > > I've read about http authentication with PHP in the PHP manual.
> > >
> > > Now I wonder how I can make a logout button in the way it's supposed to be done? The manual mentions something about the headers but that this way does not work correctly on all browsers...
> > >
> > > Furthermore I wonder how secure this way is?

I guess simple HTTP authentication where I get the username and pass and check it with the database... Maybe encrypting.

What would you recommend? I haven't done something like that before. It's my first project which needs authentication!

Don't have a clue:)

> -----Original Message-----
> From: pgsql-php-owner@postgresql.org
> [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Adam Lang
> Sent: Thursday, April 26, 2001 9:10 PM
> To: pgsql-php@postgresql.org
> Subject: Re: [PHP] HTTP authentication
>
> Are you doing authentication using sessions? Are you using timestamps in a database? Are you using http-auth? etc.
>
> There are several ways to do authentication and if you want to do a "logout" button, the code would need to clear whatever is holding references to that login... hence you need to say how you are doing authentication so you know what needs to be cleaned up with a log out code.
>
> Adam Lang
> Systems Engineer
> Rutgers Casualty Insurance Company http://www.rutgersinsurance.com
> ----- Original Message -----
> From: "Christian Marschalek" <cm@chello.at>
> To: "'Adam Lang'" <aalang@rutgersinsurance.com>
> Sent: Thursday, April 26, 2001 3:03 PM
> Subject: RE: [PHP] HTTP authentication
>
> > Can't see how this answers my questions :o)
> >
> > What matters?
> >
> > How would you do it?
> >
> > Thanks for your time, Chris
> >
> > > -----Original Message-----
> > > From: pgsql-php-owner@postgresql.org
> > > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Adam Lang
> > > Sent: Thursday, April 26, 2001 8:42 PM
> > > To: pgsql-php@postgresql.org
> > > Subject: Re: [PHP] HTTP authentication
> > >
> > > It matters. There are about a dozen ways to do authentication.

The way I do it is have a separate table in the database that keeps track of users and passwords for the application.

I use the WWW-Authenticate header to get $PHP_AUTH_USER and $PHP_AUTH_PW

I run them through the table using a select query. If I come back with a match, I set a variable, $auth, equal to true.

If $auth is equal to true, they can perform whatever functions in the page I have.

I don't have a log out button, but all I would probably do would be set $auth = false and unset the $PHP... variables.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: "'Adam Lang'" <aalang@rutgersinsurance.com>
Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: Friday, April 27, 2001 11:43 AM
Subject: RE: [PHP] HTTP authentication

> I guess simple HTTP authentication where I get the username and pass and
> check it with the database... Maybe encrypting.
>
> What would you recommend? I haven't done something like that before.
> It's my first project which needs authentication!
>
> Don't have a clue:)
>
> > -----Original Message-----
> > From: pgsql-php-owner@postgresql.org
> > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Adam Lang
> > Sent: Thursday, April 26, 2001 9:10 PM
> > To: pgsql-php@postgresql.org
> > Subject: Re: [PHP] HTTP authentication
> >
> > Are you doing authentication using sessions? Are you using
> > timestamps in a database? Are you using http-auth? etc.
> >
> > There are several ways to do authentication and if you want
> > to do a "logout" button, the code would need to clear
> > whatever is holding references to that login... hence you
> > need to say how you are doing authentication so you know what
> > needs to be cleaned up with a log out code.

This is all good but needs to be dealing with the password as a hash/digest not the real clear text password. I would use SHA1 (SHA-160) or MD5.

Jason k Larson
Web Developer++

AL> The way I do it is have a separate table in the database that keeps track of
AL> users and passwords for the application.

AL> I use the WWW-Authenticate header to get $PHP_AUTH_USER and $PHP_AUTH_PW

AL> I run them through the table using a select query. If I come back with a
AL> match, I set a variable, $auth, equal to true.

AL> If $auth is equal to true, they can perform whatever functions in the page I
AL> have.

AL> I don't have a log out button, but all I would probably do would be set
AL> $auth = false and unset the $PHP... variables.

AL> Adam Lang
AL> Systems Engineer
AL> Rutgers Casualty Insurance Company
AL> http://www.rutgersinsurance.com
AL> ----- Original Message -----
AL> From: "Christian Marschalek" <cm@chello.at>
AL> To: "'Adam Lang'" <aalang@rutgersinsurance.com>
AL> Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
AL> Sent: Friday, April 27, 2001 11:43 AM
AL> Subject: RE: [PHP] HTTP authentication

I have written a library to handle this. It is fairly secure not allowing the password to be seen except as an MD5 digest. The only requirement is being able to deal with the MD5 digest. For instance I have a PgSQL Table with fields User ID, Username, Password, and Status. I give each User a unique ID and the Password field contains an MD5 digest of the password and I use status (boolean) to tell me if the user is active or not.

If you are interested I could send you my library .. it's pretty basic.

Jason k Larson
Web Developer++

CM> I guess simple HTTP authentication where I get the username and pass and
CM> check it with the database... Maybe encrypting.

CM> What would you recommend? I haven't done something like that before.
CM> It's my first project which needs authentication!

CM> Don't have a clue:)

You are correct. I was keeping it simple since his original question was merely on the "logout" button.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Jason k Larson" <jlarson@harrison.org>
To: "PgSQL-PHP" <pgsql-php@postgresql.org>
Sent: Friday, April 27, 2001 2:46 PM
Subject: Re: [PHP] HTTP authentication

> This is all good but needs to be dealing with the password as a
> hash/digest not the real clear text password. I would use SHA1
> (SHA-160) or MD5.
>
> Jason k Larson
> Web Developer++
>
> AL> The way I do it is have a separate table in the database that keeps track of
> AL> users and passwords for the application.
>
> AL> I use the WWW-Authenticate header to get $PHP_AUTH_USER and $PHP_AUTH_PW
>
> AL> I run them through the table using a select query. If I come back with a
> AL> match, I set a variable, $auth, equal to true.
>
> AL> If $auth is equal to true, they can perform whatever functions in the page I
> AL> have.
>
> AL> I don't have a log out button, but all I would probably do would be set
> AL> $auth = false and unset the $PHP... variables.
>
> AL> Adam Lang
> AL> Systems Engineer
> AL> Rutgers Casualty Insurance Company
> AL> http://www.rutgersinsurance.com
> AL> ----- Original Message -----
> AL> From: "Christian Marschalek" <cm@chello.at>
> AL> To: "'Adam Lang'" <aalang@rutgersinsurance.com>
> AL> Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
> AL> Sent: Friday, April 27, 2001 11:43 AM
> AL> Subject: RE: [PHP] HTTP authentication

> -----Original Message-----
> From: Andrew Hammond [mailto:drew@waugh.econ.queensu.ca]
> Sent: Friday, April 27, 2001 8:21 PM
> To: Christian Marschalek
> Subject: Re: [PHP] HTTP authentication
>
> If you need _serious_ security, then you need to start
> thinking about using SSL and x.509 certificates.

I don't think the project needs to be THAT secure. But anyway, the SSL stuff only secures my connection. I'd still need a way to control access to my system, wouldn't I?

> Otherwise, you can reasonably use
> either the http auth stuff, which is probably the best approach,
> especially for a site that's got any kind of heavy usage or
> something based on PHP sessions. However be forewarned that
> the sessions stuff isn't exactly the most efficient and fast.

(either?:) Well PHP auth and sessions is probably the right approach. Which one would be more efficient or faster?

Thanks and greetings
Chris

> You are correct. I was keeping it simple since his original
> question was merely on the "logout" button.

Well I want to learn the most I can :o)

The problem with the logout and the HTTP stuff is that the browser keeps the auth. information in the cache, so you'll need a way to tell the browser to reask the user for his login data.

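Added example, not part of the original thread: the table lookup Adam Lang describes, the hashed storage Jason k Larson asks for, and the logout problem raised in the message above, combined in one PHP script. It assumes PHP 7.1 or later, reads `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` in place of the old `$PHP_AUTH_*` globals, and uses `password_hash()` in place of a bare MD5 or SHA-1 digest; the function names, the `/logout` path, the realm and the sample users are hypothetical.

```php
<?php
// Added example (not from the thread). Function names, the /logout path,
// the realm and the sample users are hypothetical.

const REALM = 'Example App';

// Constructed user store standing in for the users table described above.
// password_hash() salts and stretches each password, which a bare MD5 or
// SHA-1 digest does not.
function sample_users(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'active' => true],
        'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT), 'active' => false],
    ];
}

// True only for a known, active user who supplied the right password.
function check_credentials(array $users, ?string $user, ?string $pw): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Verified against when the user is unknown, so an unknown name
        // costs the same work as a wrong password.
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    if ($user === null || $pw === null) {
        return false;
    }
    $row = $users[$user] ?? null;
    $ok  = password_verify($pw, $row['hash'] ?? $dummy);
    return $ok && $row !== null && $row['active'];
}

// Decide the response for one request: [status, headers, body].
// $server has the shape of $_SERVER; PHP fills PHP_AUTH_USER and PHP_AUTH_PW
// from the "Authorization: Basic" header where the SAPI passes it through.
function handle_request(array $users, array $server): array
{
    $challenge = ['WWW-Authenticate' => 'Basic realm="' . REALM . '"'];
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);

    if ($path === '/logout') {
        // Unsetting variables on the server changes nothing, because the
        // browser resends its cached credentials with every request. A 401
        // for the same realm rejects them so the browser prompts again;
        // as the thread notes, browsers do not all behave the same here.
        return [401, $challenge, "Logged out.\n"];
    }

    $user = $server['PHP_AUTH_USER'] ?? null;
    $pw   = $server['PHP_AUTH_PW'] ?? null;
    if (!check_credentials($users, $user, $pw)) {
        return [401, $challenge, "Authentication required.\n"];
    }
    return [200, [], "Hello, $user\n"];
}

if (PHP_SAPI !== 'cli') {
    // Served by a web server. Basic auth only base64-encodes the password
    // and sends it on every request, so serve this over TLS.
    [$status, $headers, $body] = handle_request(sample_users(), $_SERVER);
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
    echo $body;
} else {
    // Constructed requests, so the script also runs offline from the CLI.
    $users = sample_users();
    $alice = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse'];
    $requests = [
        'no credentials'   => ['REQUEST_URI' => '/'],
        'valid login'      => ['REQUEST_URI' => '/'] + $alice,
        'wrong password'   => ['REQUEST_URI' => '/', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'guess'],
        'inactive account' => ['REQUEST_URI' => '/', 'PHP_AUTH_USER' => 'bob', 'PHP_AUTH_PW' => 'hunter2'],
        'logout'           => ['REQUEST_URI' => '/logout'] + $alice,
    ];
    foreach ($requests as $label => $server) {
        [$status] = handle_request($users, $server);
        printf("%-17s -> %d\n", $label, $status);
    }
}
```
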
Hello,

my question is related to just PHP not postgres, but I hope you'll be so kind to help me.
So, how can I call an inherited method which is overridden in the derived class?
a short example - if my explanation is not so clear to understand:

class A {
    var $x;
    function A() { $this->x = 0; }
    function f1($x) { $this->x = ++$x; }
}

class B extends A
{
    function B() { $this->x = 1; }

    function f1($x)
    {
        # now I want to access the original f1() function, i.e.:
        // $this->f1($x*4);
        # and perform some additional operations i.e.:
        // $this->x *= 2;
    }
}

Is there any possible work-around
or I have to duplicate the code of the inherited function,
or leave functions the same and create new functions which calls the inherited ones?

On Fri, Apr 27, 2001 at 10:54:21PM +0200, Christian Marschalek wrote:
> > Otherwise, you can reasonably use
> > either the http auth stuff, which is probably the best approach,
> > especially for a site that's got any kind of heavy usage or
> > something based on PHP sessions. However be forewarned that
> > the sessions stuff isn't exactly the most efficient and fast.

What's the problem with sessions? Are they slow? I don't see why since it just grabs the cookie from the browser and reads the appropriate file from the sessions directory.

> Well PHP auth and sessions is probably the right approach. Which one
> would be more efficient or faster?

I just wrote an auth library that uses sessions and stores passwords encrypted in the database. I am fairly new to PHP (tho experienced in other web devel technologies) so it might need improvements, but it works very well for me.

-Roberto
--
+----| http://fslc.usu.edu USU Free Software & GNU/Linux Club |------+
Roberto Mello - Computer Science, USU - http://www.brasileiro.net
http://www.sdl.usu.edu - Space Dynamics Lab, Developer
let length(Long_Walk) > length(Short_Pier)

> I just wrote an auth library that uses sessions and
> stores passwords encrypted in the database. I am fairly new
> to PHP (tho experienced in other web devel technologies) so
> it might need improvements, but it works very well for me.

I'm fairly new to PHP myself but I have like 4 years experience with C and C++. I would check out if your library can be improved if you want me to.

But for my project I'll use sessions without cookies because I can't rely on the users having the feature turned on in their browsers.

Greets

I hope you'll forgive me for asking this question here.

Could somebody tell me why it is not possible to put a create user sentence inside a transaction block?

Saludos,
jesus.

I think it is not possible to call an overridden method. The OO in PHP is far from being complete. I hope my answer will be incorrect :-)

Saludos,
jesus.

On Sat, 28 Apr 2001, Gyozo Papp wrote:

> Hello,
>
> my question is related to just PHP not postgres, but I hope you'll be so kind to help me.
> So, how can I call an inherited method which is overridden in the derived class?
> a short example - if my explanation is not so clear to understand:
>
> class A {
>     var $x;
>     function A() { $this->x = 0; }
>     function f1($x) { $this->x = ++$x; }
> }
>
> class B extends A
> {
>     function B() { $this->x = 1; }
>
>     function f1($x)
>     {
>         # now I want to access the original f1() function, i.e.:
>         // $this->f1($x*4);
>         # and perform some additional operations i.e.:
>         // $this->x *= 2;
>     }
> }
>
> Is there any possible work-around
> or I have to duplicate the code of the inherited function,
> or leave functions the same and create new functions which calls the inherited ones?

On Sat, Apr 28, 2001 at 07:44:43PM +0200, Christian Marschalek wrote:
> I'm fairly new to PHP myself but I have like 4 years experience with C
> and C++. I would check out if your library can be improved if you want
> me to.
>
> But for my project I'll use sessions without cookies because I can't
> rely on the users having the feature turned on in their browsers.

My library should be ok with cookies turned off since it's managed through PHP4 sessions, which can use server-side or client-side cookies.

Let me finish my finals (next week) and refine it a little bit, then I'll post it somewhere on my website and let the list know.

I also made yet another DB abstraction layer for PHP, modeled after AOLserver's excellent DB layer. I was using PEAR but every time I accessed a page using PEAR I had time to go buy a pizza and come back before the query was done, so I decided to write my own.

-Roberto
--
+----| http://fslc.usu.edu USU Free Software & GNU/Linux Club |------+
Roberto Mello - Computer Science, USU - http://www.brasileiro.net
http://www.sdl.usu.edu - Space Dynamics Lab, Developer
A little inaccuracy sometimes saves tons of explanation. -- H. H. Munroe

I know you can do a few simple things like determine if it's a subclass and get the parent class's name, etc.

Here's where I found some info.
http://www.php.net/manual/en/ref.classobj.php

Maybe this will help .. maybe it won't.

Jason k Larson
<?echo(join(" ",split("[.]",base64_decode(strrev("=8iKuIXZrNWYI5CUIBlLyVGa09mbB5CdzVnSuoyL")))));?>

GP> Hello,

GP> my question is related to just PHP not postgres, but I hope you'll be so kind to help me.
GP> So, how can I call an inherited method which is overridden in the derived class?
GP> a short example - if my explanation is not so clear to understand:

GP> class A {
GP>     var $x;
GP>     function A() { $this->x = 0; }
GP>     function f1($x) { $this->x = ++$x; }
GP> }

GP> class B extends A
GP> {
GP>     function B() { $this->x = 1; }

GP>     function f1($x)
GP>     {
GP>         # now I want to access the original f1() function, i.e.:
GP>         // $this->f1($x*4);
GP>         # and perform some additional operations i.e.:
GP>         // $this->x *= 2;
GP>     }
GP> }

GP> Is there any possible work-around
GP> or I have to duplicate the code of the inherited function,
GP> or leave functions the same and create new functions which calls the inherited ones?

First, thank all of you for your guess & tips.

It wouldn't be so weird to find the right answer if I was thinking about the similarity of PHP and C++ syntax.
And one more pleasure, function overriding is enabled and working correctly and all the functions are virtual!
OO support of PHP is great! (except multiple inheritance)

So I've got the answer, look:

class A {
    // you've already known it!
}

class B extends A {
    function f1($x) {
        A::f1($x*4); // ancestor class name double colon as the same in C++
        $this->x *= 2;
    }
}

> From: Jason k Larson [mailto:jlarson@harrison.org]
>
> I have written a library to handle this. It is fairly secure
> not allowing the password to be seen except as an MD5 digest.
> The only requirement is being able to deal with the MD5
> digest. For instance I have a PgSQL Table with fields User
> ID, Username, Password, and Status. I give each User a
> unique ID and the Password field contains an MD5 digest of
> the password and I use status (boolean) to tell me if the
> user is active or not.

What exactly is an MD5 digest? :o)

> You are correct. I was keeping it simple since his original > question was merely on the "logout" button. Well I want to learn the most I can :o) The problem with the logout and the HTTP stuff is that the browser keeps the auth. Information in the cache, so you'll need a way to tell the browser to reask the user for his login data. ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
I think it is not posible to call an override method. The OO in PHP is far from being complete. I hope my answer will be incorrect :-) Saludos, jesus. On Sat, 28 Apr 2001, Gyozo Papp wrote: > Hello, > > my question is related to just PHP not postgres, but I hope you'll be so kind to help me. > So, how can I call an inherited method which is overriden in the derived class? > a short exmple - if my explanation is not so clear to unterstand: > > class A { > var $x; > function A() { $this->x = 0; } > function f1($x) { $this->x = ++$x; } > } > > class B extends A > { > function B() {$this->x = 1; } > > function f1($x) > { > # now I want to access the original f1() function, ie .: > // $this->f1($x*4); > # and perform some additional operations ie.: > // $this->x *= 2; > } > } > > Is there any possilbe work-around > or I have to duplicate the code of the inherited function, > or leave functions the same and create new functions which calls the inherited ones? > > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
> -----Original Message----- > From: Andrew Hammond [mailto:drew@waugh.econ.queensu.ca] > Sent: Friday, April 27, 2001 8:21 PM > To: Christian Marschalek > Subject: Re: [PHP] HTTP authentication > > If you need _serious_ security, then you need to start > thinking about using SSL and x.509 certificates. I don't think the project needs to be THAT secure. But anyway, the SSL stuff only secures my connection. I'd still need a way to control access to my system, wouldn't I? > Otherwise, you can reasonably use > either the http auth stuff, which is probably the best approach, > especially for a site that's got any kind of heavy usage or > something based on PHP sessions. However be forewarned that > the sessions stuff isn't exactly the most efficient and fast. (either?:) Well PHP auth and sessions is probably the right aproach. Which one would be more efficient or faster? Thanks and greetings Chris ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
On Fri, Apr 27, 2001 at 10:54:21PM +0200, Christian Marschalek wrote: > > Otherwise, you can reasonably use > > either the http auth stuff, which is probably the best approach, > > especially for a site that's got any kind of heavy usage or > > something based on PHP sessions. However be forewarned that > > the sessions stuff isn't exactly the most efficient and fast. What's the problem with sessions? Are they slow? I don't see why since it just grabs the cookie from the browser and reads the appropriate file from the sessions directory. > Well PHP auth and sessions is probably the right aproach. Which one > would be more efficient or faster? I just wrote an auth library that uses sessions and stores passwords encrypted in the database. I am fairly new to PHP (tho experienced in other web devel technologies) so it might need improvements, but it works very well for me. -Roberto -- +----| http://fslc.usu.edu USU Free Software & GNU/Linux Club |------+ Roberto Mello - Computer Science, USU - http://www.brasileiro.net http://www.sdl.usu.edu - Space Dynamics Lab, Developer let length(Long_Walk) > length(Short_Pier) ---------------------------(end of broadcast)--------------------------- TIP 6: Have you searched our list archives? http://www.postgresql.org/search.mpl
> I just wrote an auth library that uses sessions and
> stores passwords encrypted in the database. I am fairly new
> to PHP (tho experienced in other web devel technologies) so
> it might need improvements, but it works very well for me.

I'm fairly new to PHP myself but I have like 4 years experience with C and C++. I would check out if your library can be improved if you want me to.

But for my project I'll use sessions without cookies because I can't rely on the users having the feature turned on in their browsers.

Greets
The way I do it is have a separate table in the database that keeps track of users and passwords for the application.

I use the WWW-Authenticate header to get $PHP_AUTH_USER and $PHP_AUTH_PW. I run them through the table using a select query. If I come back with a match, I set a variable, $auth, equal to true. If $auth is equal to true, they can perform whatever functions in the page I have.

I don't have a log out button, but all I would probably do would be set $auth = false and unset the $PHP... variables.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company http://www.rutgersinsurance.com

----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: "'Adam Lang'" <aalang@rutgersinsurance.com>
Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: Friday, April 27, 2001 11:43 AM
Subject: RE: [PHP] HTTP authentication

> I guess simple HTTP authentication where I get the username and pass and
> check it with the database... Maybe encrypting.
>
> What would you recommend? I haven't done something like that before.
> It's my first project which needs authentication!
>
> Don't have a clue:)
>
> > -----Original Message-----
> > From: pgsql-php-owner@postgresql.org
> > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Adam Lang
> > Sent: Thursday, April 26, 2001 9:10 PM
> > To: pgsql-php@postgresql.org
> > Subject: Re: [PHP] HTTP authentication
> >
> > Are you doing authentication using sessions? Are you using
> > timestamps in a database? Are you using http-auth? etc.
> >
> > There are several ways to do authentication and if you want
> > to do a "logout" button, the code would need to clear
> > whatever is holding references to that login... hence you
> > need to say how you are doing authentication so you know what
> > needs to be cleaned up with a log out code.
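The HTTP-auth-plus-user-table flow described in the message above, as an added example that is not code from the thread or part of Adam Lang's message. It uses the current `$_SERVER['PHP_AUTH_USER']` / `$_SERVER['PHP_AUTH_PW']` names; the `app_users` table, the constructed demo user, the in-memory SQLite stand-in for a PostgreSQL table and the `logout` query parameter are assumptions.

```php
<?php
// Added example, not code from the thread. The app_users table, the
// constructed user and the "logout" parameter are assumptions.
const REALM = 'Example app';

function challenge(string $message): void
{
    // 401 + WWW-Authenticate makes the browser (re)prompt. It is also the
    // only server-side lever for "logout": the browser caches the credentials.
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

function credentials_ok(PDO $db, string $user, string $password): bool
{
    // Parameterised lookup; only password_hash() output is stored.
    $stmt = $db->prepare('SELECT password_hash FROM app_users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed in-memory table so the script has no external dependency;
// a PostgreSQL setup would pass a pgsql: DSN to PDO instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app_users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO app_users VALUES (?, ?)')
   ->execute(['demo', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

// Basic auth sends the password (base64, not encrypted) with every request,
// so a real deployment should refuse plain HTTP before reading it.
if (isset($_GET['logout'])) {
    challenge('Logged out. Browsers differ in whether they drop cached credentials.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    challenge('Authentication required.');
}
if (!credentials_ok($db, $user, $pass)) {
    challenge('Wrong username or password.');
}
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```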
On Sun, 2001-04-29 at 05:44, Christian Marschalek wrote:
> > I just wrote an auth library that uses sessions and
> > stores passwords encrypted in the database. I am fairly new
> > to PHP (tho experienced in other web devel technologies) so
> > it might need improvements, but it works very well for me.
>
> I'm fairly new to PHP myself but I have like 4 years experience with C
> and C++. I would check out if your library can be improved if you want
> me to.
>
> But for my project I'll use sessions without cookies because I can't
> rely on the users having the feature turned on in their browsers.

Don't forget that there are serious flaws in the URL rewriting approach as well which are not present in the cookie approach :-(

Our company recently implemented a site where one of the more egotistical coders was militantly anti-cookie and as a result we ended up with URL rewriting (auth was not an option in this case). As a result we ended up with people e-mailing (rewritten) URLs to friends, or pasted (rewritten) URLs into ad servers and so forth. A few days after we went live we had one session that was receiving a substantial part of the traffic, and that session was saving user data which was mutating in interesting ways.

On top of that, we finally ended up implementing cookies because it turned out we needed more persistence of data than URL rewriting can offer.

The session code is _still_ crapola IMNSHO because it uses the rewriting by preference, rather than treating the cookie as 'best'.

The PHP session code gets this _right_ by preferring cookies and falling back to URL rewriting _if_it_has_to_ for those reasons.

Sure, cookies are some sort of security problem, but so are bookmarks and history, not to mention page caches! If you wouldn't put it in a URL, then don't put it in a cookie, by all means, but it is debatable (and configurable) which hangs around on a user's hard disk for the longest. I know my browser history (i.e. URL coded information) is currently set for three months, but if I get a session cookie it is gone when I close my browser down - something I usually have to do every few days.

All that I put in a cookie is an encrypted hashed value. Everything else is derivable at the server end. I also only ever set one cookie, and associate all information with that, again at the server.

Regards,
Andrew.
--
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201 MOB: +64(21)635-694 OFFICE: +64(4)499-2267
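The cookie-only session handling argued for in the message above, as an added example that is not code from the thread or from PHP's own session implementation: the session id travels in a single session cookie, never in rewritten URLs, and all user data stays on the server. The function names and the `action` form field are hypothetical, and PHP 7.3 or later is assumed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function start_cookie_only_session(): void
{
    // Accept the session id from the cookie only, so an id pasted into a
    // mailed or published URL is never honoured.
    ini_set('session.use_only_cookies', '1');
    // Never append the id to links and forms (PHP's URL rewriting).
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // HTTPS only; set false only for local HTTP tests
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $userId): void
{
    // Fresh id at login so an id known before authentication is useless.
    session_regenerate_id(true);
    // The cookie carries only the opaque id; user data stays server-side.
    $_SESSION['user_id'] = $userId;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then drop the server-side record.
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_cookie_only_session();
if (($_POST['action'] ?? '') === 'logout') {
    log_out();
}
// Call log_in($id) only after the submitted credentials have been verified.
echo isset($_SESSION['user_id']) ? 'Signed in' : 'Not signed in';
```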