April 4, 2006

PHP and Authentication Security

Cameron Manderson @ 10:10 am

A little while back I discussed the theory of how you can set up a Challenge/Response architecture using PHP and the MVC pattern. That article covered ways of hashing the password client side with a server-issued "challenge" key to produce a "response". This allowed us to protect the clear-text password from being intercepted on an HTTP network.

Once we have the user's submission we need to authenticate the details they have sent. The usual approach is to query a 'user' table in your database and check the corresponding username and password.

This is fine in most situations, but as systems scale we often find that maintaining this user table with current usernames and passwords becomes a lot of trouble. In larger systems and organisations, usernames and passwords are often controlled centrally. This can be in the form of a directory service such as LDAP. In some situations you may even use RADIUS, SAMBA, a PASSWD-style file or POP3.

Before we start worrying about connectivity to these servers, and about the challenge of supporting all these different protocols, we can look at an existing package from the PEAR group.

PEAR::Auth

PEAR::Auth is an abstraction that allows us to connect to various authentication systems. It supports all of the above, as well as DB, IMAP, vpopmail and even SOAP (in case you already have a proprietary authentication database, possibly written in a different language). It also allows us to extend it and write our own driver, which can implement whatever checking mechanism is required.

Using PEAR::Auth ensures that our authentication system stays abstract and scalable. It also avoids duplicating usernames and passwords and the extra maintenance of our own authentication DB. For those of you who wish to implement HTTP-style authentication (like Apache .htaccess, but from your PHP), have a look at PEAR::Auth_HTTP.
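As an added example (not from the original post and not part of PEAR), here is the "write your own driver" approach mentioned above: an Auth_Container subclass that checks credentials against an in-memory list of sha1-hashed passwords, wired into Auth with an idle timeout and an absolute expiry. It assumes PEAR::Auth 1.3 or later on the include_path, whose constructor accepts an Auth_Container instance; the container class, form function and user data are constructed for this illustration.

```php
<?php
// Added example, not from the original post or the PEAR project.
// Assumes PEAR::Auth 1.3+ (Auth.php, Auth/Container.php) is on include_path.
require_once 'Auth.php';
require_once 'Auth/Container.php';

// Hypothetical container: credentials come from an array instead of a DB or LDAP
// server. Only sha1 hashes are stored, so the container never holds clear text.
class Auth_Container_Array extends Auth_Container
{
    var $users = array();

    function __construct($users)
    {
        $this->users = $users;
    }

    // Auth calls this with the submitted credentials; true means "login ok".
    function fetchData($username, $password, $isChallengeResponse = false)
    {
        if (!isset($this->users[$username])) {
            return false;                 // unknown user fails exactly like a bad password
        }
        $this->activeUser = $username;    // the bundled containers record the user this way
        // verifyPassword() compares sha1($password) with the stored hash
        return $this->verifyPassword($password, $this->users[$username], 'sha1');
    }
}

// Login form shown by Auth whenever the visitor is not authenticated.
function showLoginForm($username = null, $status = null, &$auth = null)
{
    if ($status == AUTH_WRONG_LOGIN) {
        echo '<p>Login failed.</p>';      // one message for bad user and bad password
    } elseif ($status == AUTH_IDLED || $status == AUTH_EXPIRED) {
        echo '<p>Session timed out, please log in again.</p>';
    }
    echo '<form method="post">User: <input type="text" name="username" value="'
       . htmlspecialchars((string) $username) . '"> Password: <input type="password" name="password"> '
       . '<input type="submit" value="Login"></form>';
}

$users = array('alice' => sha1('secret'));   // constructed sample account
$auth  = new Auth(new Auth_Container_Array($users), array(), 'showLoginForm');
$auth->setExpire(1800);                      // absolute lifetime of the login, in seconds
$auth->setIdle(600);                         // log out after ten minutes without a request
$auth->start();                              // reads the POST, checks the session, shows the form

if ($auth->checkAuth()) {
    echo 'Logged in as ' . htmlspecialchars($auth->getUsername());
}
```

Swapping the array container for the bundled DB or LDAP container changes only the constructor line; the rest of the page's flow stays the same.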

If your hosting service will not install PEAR into PHP's include_path for you, follow this guide to using libraries without requiring your hosting service to install them. Remember, if you are using $_SESSION in your application, be careful of the security holes that it opens. Have a look at my discussion of Sessional Handling with PHP and read the resources I have linked to.

From here we need to correctly implement an ACL to control the resources that the user accesses. (Updated: More on PHP and Access Control Lists)

To this point, this has allowed us to create a fairly flexible and robust authentication system for your PHP application. You must still follow good security practice in your application to ensure that exploits are not opened. As mentioned in previous articles, PHP SEC is a good website for discussion of PHP and security. You should check the articles posted there occasionally to stay aware of security in your applications.


1 Comment »

  1. A very interesting topic and article Cameron.

    You may also find this link interesting:

    http://corz.org/serv/security/pajamas.php

    I’d love to hear your views on that system.

    Regards

    Dennis

    Comment by Dennis — April 13, 2006 @ 9:44 am
