Re: [Phplib-users] Logged user on an unsecured page
From: <ed...@gm...> - 2005-03-19 00:59:10
Andreas

Once again, thanks for your help. I found that phplib has something that works for what I wanted. It is the nobody flag that Auth supports. Creating a subclass of Auth (really a subclass of MyAuth) and declaring the nobody flag as true, phplib "will not create a login screen to force a user to authenticate, but will authenticate the user silently as nobody". It worked great for me; it solves the problem (probably not the best way).

Here's what the documentation describes:

"Many applications want to use $auth and $perm objects to protect functionality on a page, but do want to make the unprotected part of this page available to users with no account. This presents a kind of dilemma, because you need $auth and $perm objects to protect functionality on a page, but you don't want a login screen to appear by default. Default authentication solves this dilemma by providing a special uid and uname "nobody", which is guaranteed to fail every permission check. If you set the nobody flag, $auth will not create a login screen to force a user to authenticate, but will authenticate the user silently as nobody. The application must offer a login button or other facility for users with accounts to change from that id to their real user id."

I just found a problem with that solution. Due to the fact that the application "will authenticate the user silently as nobody", the user browsing the site is, in fact, authenticated. That creates a problem when going from an unsecured page to a secured one, because the system has an authenticated user without any privileges. That's a problem, for example, when showing a menu that is customized based on user roles or permissions.

So, I needed to "logout" the nobody user at the end of the unsecured page (or secured under the nobody Auth class), to force him to authenticate when going to a really secured page. That logout at the end of every unsecured page must be a "special" logout. It cannot be a "normal" logout, because a user authenticated on a secured page would get logged out too if he goes, for any reason, to the unsecured page. So, I must also override the normal logout with a special logout that really performs the logout process only if the current authentication corresponds to the nobody authentication. It's easier than it sounds and it works great.

So, the final solution was to secure the unsecured page using the Auth subclass with the nobody flag activated and perform a "special" logout at the end of the unsecured page. Once again, it works great, but it's probably not the best solution.

Thanks again, Andreas

On Fri, 18 Mar 2005 22:23:12 +0100, Andreas Israel <an...@sp...> wrote:
>
> Hello Eduardo,
>
> AFAIK there is no feature like this in the lib. I have 3 ideas:
>
> 1. login_table
> * create a new table with user_id, login_time (timestamp), sess_id
> * extend the auth class method auth_validatelogin() --> write the login data into this new table if login is successful
> * extend the logout features in a similar way as above
> * write an analyse function/class for the data
> ** join the sessions table on sess_id and the user_table on user_id
> *** gets logintime from the new table, last "action" time from the session table and username from user_table
> --> maybe this will produce some "dead" database entries, because of users not logged out and sessions garbage_collection
>
> 2. inspired by phpslash (http://sourceforge.net/projects/phpslash/)
> --> similar procedure as above, but in phpslash there is still a function logwrite('LOGITEM', 'LOGDATA (browser, ip, whatever you wish)')
> ---> maybe this is not reliable for timed out sessions
>
> 3. usage of phpopentracker's (http://phpopentracker.de/en/index.php) current_activity feature
> * of course phpopentracker is a powerful tool, which can log much more, but it is possible to set up what to log
> ** extend the auth class and log only if auth_validatelogin is successful
> --> this is easy to implement, but not really reliable, because current_activity times out after 3 minutes
> --> the advantage of this idea is, you know where your users are
>
> I think a mixture of 1 and 2 is best.
>
> Have fun
>
> Andreas
>
> PS: maybe this feature is worth putting into CVS, once it is approved and tested :)
>
> Eduardo Andrés Alfonso Sierra schrieb:
>
> Hi
>
> For logging purposes I want to know who's logged on my system even on an unsecured page. Is it possible? How do I do that?
>
> I've tried many ways but the $sess, $user and $auth variables are never recognized on unsecured pages.
>
> How should I solve that?
>
> Thanks in advance
>
> Eduardo Alfonso
>
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
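The approach described in the reply above (an Auth subclass with the nobody flag, plus a logout that only runs when the silently authenticated user is "nobody"), as an added illustration that is not code from the thread or from phplib. It assumes phplib's Auth API as documented there (a $nobody property, the $auth["uid"] / $auth["uname"] entries, logout(), and page_open()/page_close()); MyAuth, MySession, MyPerm, NobodyAuth and the page wiring are hypothetical names.

```php
<?php
// Added illustration, not from the thread or from phplib. Assumes phplib's
// Auth class exposes $nobody, $auth["uid"], $auth["uname"] and logout();
// MyAuth is the application's existing Auth subclass (name taken from the thread).
require_once "prepend.php3";   // phplib bootstrap; filename assumed

class NobodyAuth extends MyAuth {
    // Silently authenticate visitors as "nobody" instead of showing a login form.
    var $nobody = true;

    // True only for the pseudo-user; the docs guarantee it fails every permission check.
    function is_nobody() {
        return isset($this->auth["uid"]) && $this->auth["uid"] == "nobody";
    }

    // The "special" logout from the thread: drop the silent nobody session so
    // the next secured page forces a real login, but leave a genuinely
    // authenticated user's session untouched when they visit this page.
    function logout_if_nobody() {
        if ($this->is_nobody()) {
            $this->logout();
        }
    }
}

// Page wiring (hypothetical): the unsecured page uses NobodyAuth, so
// $auth and $perm exist for the protected parts of the page.
page_open(array("sess" => "MySession",
                "auth" => "NobodyAuth",
                "perm" => "MyPerm"));

if ($auth->is_nobody()) {
    // Role-based menus must key off a real account, never the pseudo-user.
    echo "<a href=\"login.php\">Log in</a>";
} else {
    echo "Logged in as " . htmlspecialchars($auth->auth["uname"]);
}

// ... unsecured page body; permission checks fail for nobody ...

// Run the conditional logout before page_close() writes the session back.
$auth->logout_if_nobody();
page_close();
?>
```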