[Phplib-users] a bug is it
From: Giancarlo <gia...@na...> - 2002-09-27 08:27:41
Can you please give it a try?
Read the page.inc, and compare to any other page.inc, and you find why the
auth object with a different class name and a nobody property not among
persistent_slots, could not be reinstantiated as needed with php4's
freeze/thaw practice.
This explains why auth and default auth switching does not work, and probably
could not even with php3lib.
My POP server is damn down
Gian
I forward pieces of previous messages and explanations on this. I solved
this into my auth, but it may regard phplib too
24,28c26,52
<
< if (!is_object($auth)) {
< $auth = new $feature["auth"];
< }
< $auth->start();
---
> $auth_slots=$auth->auth;
> $auth = new $feature["auth"];
> echo "TROVATA auth->classname ".$auth->classname."<br>";
> echo "trovata auth->auth[uid] ".$auth->auth["uid"]."<br>";
> $auth->auth=$auth_slots;
>
>
>
> if ($auth->start() )
> {
> $LOGGED_IN=true;
> }
> else
> {
> if ($auth->nobody)
> {
> $LOGGED_IN=false;
> }
> else
> {
> page_showform(); ### splash the form
> $sess->freeze(); ### save state
> exit;
> }
> }
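Review bot: $auth_slots=$auth->auth; on the first added line reads a property of $auth without the is_object($auth) test that the removed lines had, so on a request where no object was thawed it reads from a non-object and the later $auth->auth=$auth_slots; replaces the new object's own auth value with an empty one. Suggest keeping the is_object() guard and copying the saved value back only when it is an array. The two echo lines write the class name and uid into the page output and look like debug statements that should be dropped before this is applied.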
I think this applied to any php4 implementation we have, where default_auth does
not work.
Gian
-------------------------------------------------------
---------- Forwarded message ----------
Subject: MO: auth for php4
Date: Fri, 27 Sep 2002 01:43:02 +0200
From: Giancarlo <gia...@na...>
To: Dr Tarique Sani <ta...@sa...>
Cc: Joe Stewart <jo...@be...>, Chris Johnson <ch...@ch...>
I have added some comments to my code in the previous:
> Read the page.inc, and compare to any other page.inc, and you find why the
> auth object with a different class name and a nobody property not among
> persistent_slots, could not be reinstantiated as needed with php4's
> freeze/thaw practice
>
>
> 24,28c26,52
Previous code:
-------------
> <
global $auth; is just here
> < if (!is_object($auth)) {
> < $auth = new $feature["auth"];
> < }
> < $auth->start();
> ---
If the auth object does not exist, generate a new one
If it exists, it has ALL the properties of that left persistent by a previous
page
New code
-------
global $auth; is just here
> > $auth_slots=$auth->auth;
save the $auth->auth array, as retrieved from persistence
> > $auth = new $feature["auth"];
start a new $auth object as instructed by the page_open funct
can be a different than the one stored, eg have nobody=true, or a
different classname
> > $auth->auth=$auth_slots;
merge back the persistent auth->auth array into the type of $auth
obj we have just generated. The nobody's field is not there.
> > if ($auth->start() )
if start method returns true we either:
are already authed and auth is not expired
have just submitted the correct login fields and are authed
have just posted correct reginfo and are authed
> > {
> > $LOGGED_IN=true;
if you need to use it, anycase.
> > }
> > else
He is or has not logged in
> > {
> > if ($auth->nobody)
if this page uses default_auth
> > {
> > $LOGGED_IN=false;
for later use,
> > }
> > else
> > {
if this page didn't use default auth, block
> > page_showform(); ### splash the form
> > $sess->freeze(); ### save state
> > exit;
> > }
> > }
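Review bot: $auth->auth=$auth_slots; copies the whole persisted array into an object whose class, per the annotation above it, can differ from the class that stored it, and nothing checks that the stored state is acceptable for the new class before $auth->start() runs. Suggest keeping the name of the class that produced the state alongside it and either comparing it or copying only the keys the new class expects. The later if ($auth->nobody) also reads a property that only some auth classes define, so a test such as !empty($auth->nobody) would be safer there.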
PS, for some reason I cannot get mail now.
You have to consider this even if you don't mean to adopt a new auth.
As phplib is now, even session3, doesn't allow to have different 'areas'
with different access methods: blocking or interinal(?), You have to choose
one or another. Do you think this might have been caused by this?
Can we provide some guidelines also for security? I noticed Michael Chaney's
latest message where he said his phpauth unsets the db obj before page_close,
and I was VERY demoralized when I saw all the db connection details in
plaintext in an authed /tmp/sess_ file
There are obviously object persistence and resumption techniques that we have
to learn, and be aware of, with php4.
Gian
-------------------------------------------------------
---------- Forwarded message ----------
Subject: auth for php4
Date: Fri, 27 Sep 2002 01:13:28 +0200
From: Giancarlo <gia...@na...>
To: Dr Tarique Sani <ta...@sa...>
Cc: Joe Stewart <jo...@be...>, Chris Johnson <ch...@ch...>
I am sorry to disturb you with a piece of attachment here, but this is the
snapshot of something I really was looking for.
This is what is needed to run, gunzip under document root ;-), modify only
path prepend.php3 in the pages dir, local.inc, open the index in the pages
dir.
scripts are full of debug comments.
This is quite my new auth, but what is more important is I found a bug in the
way auth object resumption was made. I explained that better in my last
message to the list
<snip>
When phplib sess stores the object, it stores text, which is in fact code that
is evaluated at runtime. This text says: generate a new class by that class
name, and instantiate these values and properties. It does not reinstantiate
all properties, but only those that were marked as persistent_slots. In
practice it generates a new object with the name and definition available at
runtime, and merges into that the persistent_slots found.
php4, on the other hand, stores full object and reinstantiates them
automatically at startup, with all the values like they were. At runtime
these values are reloaded, ALL the values are taken back. It is not a merge.
I think this is a major difference.
</snip>
Now the two page.inc_DEFERFORM and page.inc.SPLASHFORM are merged in a single,
and it should be capable, upon seeing if his own class supports 'nobody', to
manage one or the other behaviour. Of course, the deferred behaviour can be
customized, I simply use a global $IS_LOGGED variable for use later.
So it is somehow backwards compat, because it honours scripts that already
use one or both the two existing different auth classes.
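
The difference described in the snipped passage (slot merge versus full-object restore), and the session-file exposure mentioned in the forwarded message, as an added example that is not part of the original mails and is not PHPLIB code. It assumes PHP 7 or later; the class names, the db_password property, the thaw_into() helper and all sample values are hypothetical.

```php
<?php
// Added illustration: hypothetical classes, not PHPLIB's own code.
class PageAuth {
    public $nobody = false;                      // per-page policy: false = blocking login
    public $auth = array();                      // login state that must persist
    public $db_password = 'constructed-secret';  // constructed sample value
    public $persistent_slots = array('auth');
}
class DefaultAuth extends PageAuth {
    public $nobody = true;                       // default_auth page: anonymous allowed
}
// Same state, but serialize() is limited to the declared slots.
class SlotAuth extends PageAuth {
    public function __sleep() { return $this->persistent_slots; }
}

// Build the object from the class the current page asks for, then copy in
// only the persistent slots of whatever the session store handed back.
function thaw_into($blob, $class) {
    $allowed = array('PageAuth', 'DefaultAuth', 'SlotAuth');
    $saved = unserialize($blob, array('allowed_classes' => $allowed));
    $fresh = new $class();
    if ($saved instanceof PageAuth) {
        foreach ($fresh->persistent_slots as $slot) {
            if (isset($saved->$slot)) {
                $fresh->$slot = $saved->$slot;
            }
        }
    }
    return $fresh;
}

// Page 1 uses default auth and its object is stored in full.
$page1 = new DefaultAuth();
$page1->auth = array('uid' => 'u42');            // constructed sample value
$blob = serialize($page1);

// Page 2 asks for blocking auth. A full restore hands back page 1's object as stored.
$full = unserialize($blob, array('allowed_classes' => array('DefaultAuth')));
printf("full restore: class=%s nobody=%s\n", get_class($full), var_export($full->nobody, true));

// The slot merge keeps the login state but takes class and policy from page 2.
$merged = thaw_into($blob, 'PageAuth');
printf("slot merge:   class=%s nobody=%s uid=%s\n",
    get_class($merged), var_export($merged->nobody, true), $merged->auth['uid']);

// Whether the connection secret reaches the stored text in each case.
$slotBlob = serialize(new SlotAuth());
printf("secret in full blob: %s\n", var_export(strpos($blob, 'constructed-secret') !== false, true));
printf("secret in slot blob: %s\n", var_export(strpos($slotBlob, 'constructed-secret') !== false, true));
```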