Archive for August, 2007

Chapter 5: Central Authentication System 149

Friday, August 31st, 2007

Enter the newly created username and password and log in. If you cannot log in, check to see if the user exists in the authentication database. Also, if the user is not active, the user cannot log in. You can check whether the active flag is working by toggling it with UPDATE statements such as the following from your MySQL database command line. The following MySQL command-line session sets the active flag to 0 (ACTIVE = 0) and then reactivates the admin user (ACTIVE = 1). Note that the users table of Listing 5-11 keeps the username in its EMAIL column, so that is the column the WHERE clause has to name:

    $ mysql -u AUTH_DB_USERNAME -p -D AUTH_DB_NAME
    mysql> update users set ACTIVE = 0 where EMAIL = 'admin@example.com';
    mysql> exit;
    $ mysql -u AUTH_DB_USERNAME -p -D AUTH_DB_NAME
    mysql> update users set ACTIVE = 1 where EMAIL = 'admin@example.com';
    mysql> exit;

You can test the logout application by simply calling it directly using the appropriate URL. For example, http://intranet.evoknow.com/php/logout/logout.php will log out a user session.

Making Persistent Logins in Web Server Farms

Organizations with Web server farms will have to use site-wide persistent logins to ensure that users are not required to log in again when they move from one system to another. Figure 5-8 shows a typical Web server farm.

Figure 5-8: A typical Web server farm balances an organization's server workload. (The figure shows a Load Balancer in front of Web Server 1, Web Server 2, Web Server 3, ..., Web Server n.)

148 Part II: Developing Intranet Solutions

Friday, August 31st, 2007

Testing Central Login and Logout

To test the authentication system, you need to create users in the database. (User management applications are discussed in Chapter 6.) To create a user using the MySQL command-line tool, you can run commands such as the following:

    $ mysql -u root -p -D auth
    Enter password: *****
    mysql> insert into users (EMAIL, PASSWORD, ACTIVE, TYPE)
        -> values('admin@example.com', ENCRYPT('mysecret'), 1, 9);

Here the first line tells mysql to connect you to the auth database using the username root and a password, which you have to enter when asked. Of course, if you are not using the root account for this database, you should replace the username as appropriate. Next, at the mysql prompt, you can enter an INSERT statement as shown. Here the INSERT statement creates a user account called admin@example.com with the password mysecret. You should change both the username and password to what you desire. The ACTIVE field is set to 1 to turn on the user, and the TYPE field is set to 9 to make this user an administrator. To create a regular user, the TYPE field has to be set to 1.

In other words, the INSERT statement inserts a user named admin@example.com with the password mysecret and sets the user's status to active. The user type is set to 9, which is the highest-ranking user type. If you want to create new users using this script, then you have to change the username and password and run the script to produce the INSERT statement.

After the user is added to the database, you can run the login application from a Web browser. For example, Figure 5-7 shows the login application being called using the URL http://intranet.evoknow.com/php/login/login.php.

Figure 5-7: The login application menu.
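As an added example (not the book's Authentication class), this is the check that authenticate() has to make against the users table of Listing 5-11 once a user has been inserted as above: look the account up by EMAIL with a prepared statement, compare the submitted password against the crypt()-format hash that MySQL's ENCRYPT() stored, and honour the ACTIVE flag that the test on page 149 toggles. The PDO connection, the verify_user() name and the DSN in the usage comment are assumptions.

```php
<?php
// Added example (not the book's code): verify a login against the users
// table of Listing 5-11. Assumes a PDO connection to the auth database.

function verify_user(PDO $db, string $email, string $password): ?int
{
    // Bind the e-mail as a parameter; never interpolate it into the SQL.
    $stmt = $db->prepare(
        'SELECT UID, PASSWORD, ACTIVE FROM users WHERE EMAIL = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // ENCRYPT('mysecret') stored a crypt()-format string whose leading
    // characters carry the salt, so crypt() with the stored value as the
    // salt recomputes the hash. For an unknown user run crypt() against a
    // dummy value anyway, so the response time does not reveal which
    // e-mail addresses exist in the table.
    $stored    = $row ? $row['PASSWORD'] : crypt('dummy', 'xx');
    $candidate = crypt($password, $stored);

    // hash_equals() compares in constant time, unlike ===.
    if (!hash_equals($stored, $candidate)) {
        return null;
    }
    // ACTIVE = 0 blocks login even with the right password.
    if ($row === false || (int) $row['ACTIVE'] !== 1) {
        return null;
    }
    return (int) $row['UID'];
}

// Usage with the login.conf values (DSN form is an assumption):
// $db  = new PDO('mysql:host=localhost;dbname=auth', $AUTH_DB_USERNAME, $AUTH_DB_PASSWD);
// $uid = verify_user($db, 'admin@example.com', 'mysecret');   // null on failure
```

MySQL 8.0 no longer provides ENCRYPT(), so on a current server the stored value has to be produced in PHP with crypt() or password_hash() instead; the comparison above works unchanged for any crypt()-format hash, including bcrypt.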

Chapter 5: Central Authentication System 147

Thursday, August 30th, 2007

    # http://phpmyadmin.sourceforge.net/ (download page)
    #
    # Host: localhost
    # Generation Time: May 14, 2002 at 01:55 PM
    # Server version: 3.23.35
    # PHP Version: 4.1.0
    # Database : `auth`
    # --------------------------------------------------------
    #
    # Table structure for table `users`
    #
    CREATE TABLE users (
      UID int(11) NOT NULL auto_increment,
      EMAIL varchar(32) NOT NULL default '',
      PASSWORD varchar(128) NOT NULL default '',
      ACTIVE tinyint(4) NOT NULL default '0',
      TYPE tinyint(4) NOT NULL default '0',
      PRIMARY KEY (UID),
      UNIQUE KEY EMAIL (EMAIL)
    ) TYPE=MyISAM COMMENT='User Authentication Table';

The table created using this script is described in Table 5-3.

TABLE 5-3 THE USER TABLE FIELDS

    Field      Details
    UID        This is the user ID field. It is generated automatically.
    EMAIL      This is the username field. We use e-mail as the username in
               the login because e-mail is easy to remember and always unique
               for each person in an organization.
    PASSWORD   This is the encrypted password.
    ACTIVE     This is the active (1 or 0) field. If the value is 1, then the
               user is active and can log in. Otherwise, she cannot log in.
    TYPE       The type of user is specified using this field. The type can
               be a number. Currently, we assume that the number 9 is the
               highest-ranking user, such as the administrator.

After this table is created, you can add a user, as explained in the following section, to test your login/logout applications.

146 Part II: Developing Intranet Solutions

Thursday, August 30th, 2007

Creating the Central Authentication Database

Before you can use the login and logout applications, you need to create the central authentication database and then add a user to it. The central authentication database information is stored in both the login.conf and logout.conf files using the following configuration variables:

    $AUTH_DB_TYPE     = 'mysql';
    $AUTH_DB_HOST     = 'localhost';
    $AUTH_DB_NAME     = 'auth';
    $AUTH_DB_TBL      = 'users';
    $AUTH_DB_USERNAME = 'root';
    $AUTH_DB_PASSWD   = 'foobar';

In our example, the database type is mysql and the database host name is localhost, which means we're implementing the database on the same server as a MySQL database. If you want to use a different database host or a different database server such as Postgres or Oracle, you have to change these variables. For our example, I assume that you're using the given sample values for $AUTH_DB_TYPE, $AUTH_DB_HOST, $AUTH_DB_NAME, and $AUTH_DB_TBL. However, I strongly suggest that you use different $AUTH_DB_USERNAME and $AUTH_DB_PASSWD values for your database. Make sure that the user you specify in $AUTH_DB_USERNAME has the privilege to access (select, insert, update, and delete) $AUTH_DB_NAME on $AUTH_DB_HOST. You should test the user's ability to access this database using your standard database-access tools. For example, if you're using MySQL, you can run the command-line MySQL client as mysql -u root -p -D auth to access the authentication database.

Assuming that you're using the given settings, you can create a MySQL database called auth using the mysqladmin create auth command. You'll require appropriate permission to run mysqladmin or equivalent commands to create the auth database. Please consult your MySQL documentation for details. Now, to create the $AUTH_DB_TBL (users) table, you can run the auth.sql script using the mysql -u AUTH_DB_USERNAME -p -D AUTH_DB_NAME < auth.sql command. The auth.sql script is shown in Listing 5-11.

Listing 5-11: auth.sql

    # phpMyAdmin MySQL-Dump
    # version 2.2.5
    # http://phpwizard.net/phpMyAdmin/

Chapter 5: Central Authentication System 145

Wednesday, August 29th, 2007

    require_once $APP_FRAMEWORK_DIR . '/' . $DEBUGGER_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $APPLICATION_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $ERROR_HANDLER_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $AUTHENTICATION_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $DBI_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $USER_CLASS;
    require_once $TEMPLATE_CLASS;
    ?>

The logout application also has a logout.errors file, shown in Listing 5-9, and a logout.messages file, shown in Listing 5-10.

Listing 5-9: logout.errors

The logout messages are displayed using the alert() method found in the class.PHPApplication.php object.

Listing 5-10: logout.messages

Now let's test our central login and logout applications.

144 Part II: Developing Intranet Solutions

Wednesday, August 29th, 2007

Listing 5-8 (Continued)

    $APP_FRAMEWORK_DIR = $_SERVER['DOCUMENT_ROOT'] . '/framework';
    $PEAR              = $_SERVER['DOCUMENT_ROOT'] . '/pear';
    $PHPLIB            = $_SERVER['DOCUMENT_ROOT'] . '/phplib';

    // Insert the path in the PHP include_path so that PHP
    // looks for PEAR, PHPLIB and our application framework
    // classes in these directories
    ini_set('include_path', ':' . $PEAR . ':' . $PHPLIB . ':' .
            $APP_FRAMEWORK_DIR . ':' . ini_get('include_path'));

    $PHP_SELF          = $_SERVER['PHP_SELF'];
    $LOGIN_TEMPLATE    = 'login.html';
    $APPLICATION_NAME  = 'LOGIN';
    $DEFAULT_LANGUAGE  = 'US';
    $AUTH_DB_URL       = 'mysql://root:foobar@localhost/auth';
    $ACTIVITY_LOG_TBL  = 'ACTIVITY';
    $AUTH_DB_TBL       = 'users';
    $MIN_USERNAME_SIZE = 3;
    $MIN_PASSWORD_SIZE = 3;
    $MAX_ATTEMPTS      = 250;
    $FORGOTTEN_PASSWORD_APP = '/user_mngr/apps/user_mngr_forgotten_pwd.php';
    $APP_MENU          = '/';
    $TEMPLATE_DIR      = $_SERVER['DOCUMENT_ROOT'] . '/login/templates';
    $REL_TEMPLATE_DIR  = '/login/templates/';
    $WARNING_URL       = $TEMPLATE_DIR . '/warning.html';

    require_once 'login.errors';
    require_once 'login.messages';
    require_once 'DB.php';
    require_once $APP_FRAMEWORK_DIR . '/' . 'constants.php';

Chapter 5: Central Authentication System 143

Tuesday, August 28th, 2007

            'app_auto_connect'     => TRUE,
            'app_type'             => 'WEB',
            'app_debugger'         => $OFF
        )
    );
    $thisApp->buffer_debugging();
    $thisApp->debug("This is $thisApp->app_name application");
    $thisApp->run();
    $thisApp->dump_debuginfo();
    ?>

The logout.php application calls the is_authenticated() method of the class.PHPApplication.php object and, if the user is authenticated, it calls its own logout() method. This method calls the session_unset() and session_destroy() functions, which are part of PHP's built-in session management API. session_unset() simply frees the session variables, as if they had never been set. The effect of session_unset() in our login scenario is that session variables such as SESSION_USERNAME and SESSION_ATTEMPTS are unset. Similarly, session_destroy() removes the entire session (file or database record) from the session storage. The full effect is that the user loses her session and will need a new login session to work with applications that require the central login facility.

The logout.php application uses the logout.conf file shown in Listing 5-8. This configuration file is very similar to login.conf and requires no further explanation, except that $HOME_URL is a new entry. This variable sets the URL used to redirect the logged-out user to a central page. Typically this URL would be set to the home page of the intranet or Internet site.

Listing 5-8: logout.conf
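The logout() method the text describes is not reproduced on this page; the following is an added equivalent (not the book's code) that makes the two calls the text names and also expires the session cookie in the browser, which session_destroy() on its own does not do. $HOME_URL is the logout.conf entry mentioned above; cookie-based sessions and the function name are assumptions.

```php
<?php
// Added example (not the book's logout.php). Assumes cookie-based sessions.

function logout_and_redirect(string $homeUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop SESSION_USERNAME, SESSION_ATTEMPTS, etc. from the running script.
    session_unset();

    // session_destroy() removes the server-side record but leaves the cookie
    // in the browser, so the old session ID would keep being sent until the
    // browser is closed. Expire the cookie with the same parameters it was
    // set with, so the browser actually matches and discards it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the session file or database record on the server.
    session_destroy();

    // Send the logged-out user to the central page named in logout.conf.
    header('Location: ' . $homeUrl, true, 303);
    exit;
}

// In logout.php, after is_authenticated() has returned TRUE:
// logout_and_redirect($HOME_URL);
```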

142 Part II: Developing Intranet Solutions

Tuesday, August 28th, 2007

Listing 5-7 (Continued)

            $template->set_var('TODAY', date('M-d-Y h:i:s a'));
            $template->set_var('TODAY_TS', time());
            $template->set_var('USERNAME', $email);
            $template->set_var('REDIRECT_URL', $url);
            $template->set_var('FORGOTTEN_PASSWORD_APP', $FORGOTTEN_PASSWORD_APP);
            $template->parse('fh', 'mainBlock');
            $template->set_var('BASE_URL', sprintf('%s', $this->base_url));
            $template->pparse('output', 'fh');
            return 1;
        }

        function is_authenticated()
        {
            return (!empty($_SESSION['SESSION_USERNAME'])) ? TRUE : FALSE;
        }

        function authenticate($user = null, $passwd = null)
        {
            $authObj = new Authentication($user, $passwd, $this->app_db_url);
            if ($authObj->authenticate()) {
                $uid = $authObj->getUID();
                $this->debug("Setting user id to $uid");
                $this->setUID($uid);
                return TRUE;
            }
            return FALSE;
        }
    }

    global $AUTH_DB_URL;
    $thisApp = new loginApp(
        array(
            'app_name'             => $APPLICATION_NAME,
            'app_version'          => '1.0.0',
            'app_type'             => 'WEB',
            'app_db_url'           => $AUTH_DB_URL,
            'app_auto_authorize'   => FALSE,
            'app_auto_chk_session' => FALSE,

Chapter 5: Central Authentication System 141

Monday, August 27th, 2007

                    $this->debug("Redirect user to caller application at url = $url.");
                } else {
                    $this->debug('User failed authentication.');
                    $this->display_login();
                    $_SESSION['SESSION_ATTEMPTS'] =
                        $this->getSessionField('SESSION_ATTEMPTS') + 1;
                }
            }
        }

        function warn()
        {
            global $WARNING_URL;
            $this->debug("Came to warn the user $WARNING_URL");
            header("Location: $WARNING_URL");
        }

        function display_login()
        {
            global $TEMPLATE_DIR;
            global $LOGIN_TEMPLATE;
            global $MAX_ATTEMPTS;
            global $REL_TEMPLATE_DIR;
            global $email, $url;
            global $PHP_SELF, $FORGOTTEN_PASSWORD_APP;

            $url = $this->getRequestField('url');
            if ($this->getSessionField('SESSION_ATTEMPTS') > $MAX_ATTEMPTS) {
                $this->warn();
            }
            $this->debug('Display login dialog box');
            $template = new Template($TEMPLATE_DIR);
            $template->set_file('fh', $LOGIN_TEMPLATE);
            $template->set_block('fh', 'mainBlock');
            $template->set_var('SELF_PATH', $PHP_SELF);
            $template->set_var('ATTEMPT', $this->getSessionField('SESSION_ATTEMPTS'));

Continued

140 Part II: Developing Intranet Solutions

Monday, August 27th, 2007

Listing 5-7 (Continued)

            } else if (strlen($email) < $MIN_USERNAME_SIZE ||
                       strlen($password) < $MIN_PASSWORD_SIZE) {
                // display the login interface
                $this->debug('Invalid Email or password.');
                $this->display_login();
                $_SESSION['SESSION_ATTEMPTS'] =
                    $this->getSessionField('SESSION_ATTEMPTS') + 1;
            } else {
                // Prepare the email with domain name. strpos() returns 0
                // for a '@' at offset 0, so compare against false rather
                // than negating the result.
                if (strpos($email, '@') === false) {
                    $hostname = explode('.', $_SERVER['SERVER_NAME']);
                    // $hostname[1] and $hostname[2] only exist when the
                    // server name has at least three labels
                    if (sizeof($hostname) > 2) {
                        $email .= '@' . $hostname[1] . '.' . $hostname[2];
                    }
                }
                // authenticate user
                $this->debug("Authenticate user: $email with password $password");
                if ($this->authenticate($email, $password)) {
                    $this->debug('User is successfully authenticated.');
                    $_SESSION['SESSION_USERNAME'] = $email;
                    $_SESSION['SESSION_PASSWORD'] = $password;
                    $_SESSION['SESSION_USER_ID']  = $this->getUID();
                    if (empty($url)) {
                        $url = $APP_MENU;
                    }
                    // Log user activity
                    $thisUser = new User($this->dbi, $this->getUID());
                    $thisUser->logActivity(LOGIN);
                    $this->debug("Location $url");
                    header("Location: $url");
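An added example, not from the book, of the session set-up in the "User is successfully authenticated" branch of Listing 5-7 with two additions a practitioner would want: the session ID is regenerated before the user's identity is stored, and the caller-supplied url request field is accepted as the redirect target only when it is a path on this site. The function names are assumptions; $email and $uid stand for the values authenticate() and getUID() return, $appMenu for $APP_MENU, and session_start() is assumed to have run already.

```php
<?php
// Added example (not the book's loginApp::run()); assumptions are in the
// lead-in above.

function establish_login_session(string $email, int $uid, ?string $url, string $appMenu): string
{
    // A new session ID at login: an ID that was issued before the user
    // proved who they are is never carried into the authenticated session.
    session_regenerate_id(true);

    $_SESSION['SESSION_USERNAME'] = $email;   // what is_authenticated() tests
    $_SESSION['SESSION_USER_ID']  = $uid;     // what the User object is built from
    // The listing also copies the password into the session; nothing shown
    // on this page reads it back, so this version leaves it out. The failed
    // attempt counter is reset now that a login has succeeded.
    unset($_SESSION['SESSION_PASSWORD'], $_SESSION['SESSION_ATTEMPTS']);

    return redirect_target($url, $appMenu);
}

// display_login() reads 'url' from the request, so whoever built the link
// chose it. Honour it only when it is a path on this site; otherwise, and
// when it is empty (as in the listing), fall back to $APP_MENU.
function redirect_target(?string $url, string $appMenu): string
{
    if ($url === null || $url === '') {
        return $appMenu;
    }
    // Absolute path only, e.g. "/app/x.php". Reject "http://...", "//host/..."
    // and "/\host/..." (browsers read the last one as "//host/...").
    if ($url[0] !== '/' || (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\'))) {
        return $appMenu;
    }
    if (preg_match('/[\r\n]/', $url)) {   // CR/LF would terminate the Location header
        return $appMenu;
    }
    return $url;
}

// In run(), in place of the session assignments and header() call of the listing:
// header('Location: ' . establish_login_session($email, $this->getUID(), $url, $APP_MENU));
```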