Public Member Functions | |
| GenieGate_Api_Login ($DBLink=FALSE, $DBName=FALSE) | |
| Constructor. | |
| login ($groups=array()) | |
| Attempt a login. | |
| passiveLogin ($groups=array()) | |
| Like login, without the prompt and without the exit. | |
| logout () | |
| Clears user info from the session. | |
| setPromptView (&$view) | |
| Assign a PHP document to be used for creating the login form. | |
| prompt () | |
| Create the login box and exit. | |
| lookupUser ($uid) | |
| Get the details of a user (by user ID). | |
Public Attributes | |
| $DBH | |
| Database handle. | |
| $DBN | |
| Database name. | |
| $FORM_USERID = "GG_USERID" | |
| The name of the form variable that is inspected for the user ID. | |
| $FORM_PASSWORD = "GG_PASSWORD" | |
| The name of the form variable that is inspected for the password. | |
| $VIEW = FALSE | |
| The view to use when presenting a login form. | |
| $SESSION_VARIABLE = "GG_USERACC" | |
| Session variable that is used to store the login info. | |
| $REALM = "Restricted" | |
| Realm to use for the Login box. | |
| $USE_HTTP_AUTH = TRUE | |
| Set this to FALSE if you do not want the HTTP authentication to be used. | |
| $CHECK_IP = FALSE | |
| Whether or not to verify IP number is the same as the last time a login was attempted. | |
| $DB_PERSISTANT = TRUE | |
| Whether or not to try and connect with mysql_pconnect() instead of mysql_connect() (The pconnect can be more effecient, but introduce other problems). | |
| $ALLOW_CACHE = FALSE | |
| Whether to cache the user in session. | |
| $SESSION_KEY_NAME = "GGSESKEY" | |
| Name of cookie for the session key. | |
This uses forms, sessions, cookies and standard HTTP authentication to log in.
It is virtually as easy as placing $G->login(); in the header of your PHP code.
The login() method will show a login form on failure. Although there is a default HTML form included here, you can use the setPromptView() method to create your own custom form, this setPromptView() accepts either a string containing a PHP file to be included, or an object that supports a display() method. (this object should also provide a param($k,$v) method for future versions)
Alternatively, you could extend this class and provide your own prompt() method.
The cookies are the standard PHPSESSID and a GGSESKEY. GGSESKEY contains a "session key" which is used to match against the key stored within the session.
Session based logins have a common flaw, anyone who is able to gain access to the session ID can gain access to that users account without the password.
Here is how Session authentication works to combat this:
The GGSESKEY cookie is set to a unique ID. (if not already set)
Login looks in the session data for a ciphered version of that key, if they match it is reasonable to assume the login is OK.
If logging in for the first time, store a ciphered version of that session key within the session data, so, anyone who might have access (on the server) can't gain access by examining that key.
If you are really paranoid about security, you should set $CHECK_IP to TRUE, which is a way of saying "This session is only good for the current users IP address." (this will cause problems for some users, so it is by default set to FALSE)
Definition at line 194 of file Login.php.
|
||||||||||||
|
Constructor. The database link and database name are optional, but recommended. (if none given it just calls mysql_[p]connect(), but only when it is needed.)
According to the PHP documentation, ini_set() can be used to set the properties:
|
|
|
Attempt a login.
Definition at line 341 of file Login.php. References passiveLogin(), and prompt(). |
|
|
Clears user info from the session. Call this method if you wish to remove all the session info from the user. |
|
|
Get the details of a user (by user ID). Checks the database for user uid and returns a GenieGate_Api_User object (if found) otherwise, returns FALSE. Use this method if you want lower level access, that is, you want to manually check the user for validation. Otherwise login() and passiveLogin() are probably more in line with what you require.
|
|
|
Like login, without the prompt and without the exit. Use this if you require a login that does not exit automatically. This looks at the form variables for the username/password pair, checks the session, or inspects PHP_AUTH_USER for the credentials.
Definition at line 360 of file Login.php. Referenced by login(). |
|
|
Create the login box and exit. This method tries to send out the headers for authentication. (The login box) it also displays the HTML needed for creating a login form. There are 2 ways to alter the beahavior: 1.) use setPromptView() to create custom HTML. 2.) extend Api_GenieLogin, and implement the prompt() method to do as you like. Definition at line 443 of file Login.php. Referenced by login(). |
|
|
Assign a PHP document to be used for creating the login form. The parameter $view may be a string OR an object that supports a display() method. (Like UaView) If it's an object, it's display() method will be invoked to show the login box. If it's a string, the file is simply include()'d.
|
|
|
Whether to cache the user in session. If set to FALSE, the user will be looked up each time, this has the advantage that user group changes take effect immediately, but has the disadvantage that the user has to be looked up in the database each time. For performance, set it to TRUE. |
|
|
Whether or not to verify IP number is the same as the last time a login was attempted. The advantage to doing this is that it may help prevent session ID hi-jacking. The disadvantage is it will force users from dynamic IP's to login again, and can cause weird issues with proxy servers and such. |
|
|
The name of the form variable that is inspected for the password. This is the name of the form variable that is inspected for the users password. If the name interferes with your web page, you may change it here. |
|
|
The name of the form variable that is inspected for the user ID. If this form variable is presnt, it will be picked up as the user ID during the login phase.
In the event that the form variable
|
|
|
Realm to use for the Login box. This is shown on the login dialog box in the browser. |
|
|
Name of cookie for the session key. The session key is used to help prevent session hi-jacking. It is compared to a session key stored in the users $_SESSION to determine if a user has hijacked it. If you happen to be using a cookie with the same name you can change it here. |
|
|
Session variable that is used to store the login info. This is a name of the key to use, defaulting to "GG_USERACC". If you happen to be using a session variable of the same name, you can change this. Data related to the user is stored in $_SESSION[$SESSION_VARIABLE]. |
|
|
Set this to FALSE if you do not want the HTTP authentication to be used. (the login dialog box) |
|
|
The view to use when presenting a login form. the proper way to set this is to use setPromptView().
|
Documentation generated by DoxyGen