Re: [phplib-users] PHP 5.2 and PHPlib
From: Andrew C. <ph...@ev...> - 2008-08-25 20:24:29
Lindsay Haisley wrote:
> On Fri, 2008-08-22 at 21:14 -0700, aric caley wrote:
>> I think the current default handling of sessions in PHP sucks. I just
>> got bit by some security holes due to session handling. I think there
>> is still a need for a top notch, efficient and flexible session
>> handling system.
>
> The session handling in PHPlib is rooted in PHP3, before PHP implemented
> native session management in v4. It's database-oriented, which it no
> longer _needs_ to be, although I can conceive of situations in which it
> might be advantageous to use db-based session management as opposed to
> the native PHP session management.

For some of my newer development, I built some wrappers around ADODB's session handling. ADODB is a PHP5 database abstraction library. That puts the session info in the database. As a database abstraction layer, ADODB is reputed to be one of the best, outperforming the PEAR DB stuff by a large margin.

>> I also like the authentication system and it doesn't seem like there's
>> many other good auth systems out there.
>
> PEAR's Auth module is quite good. I believe it does challenge

I wasn't entirely happy with any of the authentication systems I looked at. So, I ended up rolling my own. I do a number of things like require SSL, do challenge authentication, etc. I have it integrated with the session code (so there is one encrypted cookie). The wrappers I built support single sign-on (i.e., you can share the authentication session across multiple servers, if necessary).

PHPlib's permissions system has been inadequate for several projects, resulting in some ugly work-arounds. So, I have been working with PHP gACL for some newer projects. That provides a much more flexible permissions system. It's a little difficult for a typical user to grasp, though. So, I have built some application-specific simplified interfaces for it. Conveniently, PHP gACL uses ADODB for database abstraction.

Like a lot of people here, I think, I have a number of legacy applications built on PHPlib that I am not gung-ho to re-write. So, I am keen to see PHPlib keep going.

I have looked at some of the frameworks, and some of them seem pretty good. It seems to require a commitment to doing everything their way, though, and I'm not sure that's for me. They all have weaknesses, and integrating the best-of-breed for any given component doesn't always work well. By contrast, I have always liked the loose coupling of the PHPlib components.

Just my two cents.

Andrew Crawford