This is the new auth.inc.
You need to substitute this and the following page.inc.
Changes in the API are being kept to a minimum.
The explanation follows
......
I was reflecting on the rationale behind this intermediate state: whenever a login or register form is shown, the auth object is initialized with
$auth->auth[uid]='form'
This is done in the start method of the auth class.
Then, only if this value is set to 'form', the $auth->mode value (reg/log) is tested, and a registration or a login is attempted with the data supplied.
This too is done within the start method of class auth.
All this is not taken into account if you provide your own auth_preauth function.
I don't know why this intermediate state has been coded; I suppose there can be some safety gains, and maybe you can point me to some.
One I can think of is that you block 'post-and-register' submissions (in fact it is getsession-post-and-register), because that value has to be set to form.
What other end can there be for having that intermediate state?
Is the end to force you to have already obtained a session before submitting a login or register form?
As an alternative, to get the same, I think that you could pass a 'session' input field, and that has to contain a valid session value.
But this causes a whole lot of problems, among which:
-you cannot simply show a login or register form anywhere, because its input won't be taken into consideration, not being auth[uid]=='form'
-once a form is shown you are stuck and need the cancel_login button to get clean
The auth->mode log/reg issue is very cumbersome too, at least with it being handled from inside auth. You are stuck with the same policy all over.
I'd prefer it to be decided by me, when I need to put out a form. The form should contain an input field, that can be named 'request', with value 'register' or 'authenticate' (the default).
Because otherwise, when the behavior is not the intended one, we have to dig into method $auth->start, see what 'mode' value has arrived down to there (and hey, there are two $mode: one is auth->mode, the other is the GET param in the URL ?mode=log that should serve to force the show of a form different from the one stated in $auth->mode... quite complicated at the moment).
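
A simplified model of the intermediate state discussed in the post above, added here as an illustration; it is not PHPLIB's auth.inc and not code from the patch. The class FormGateAuth, its return strings and the username/password field names are assumptions, and it needs PHP 8. It shows the one safety gain the post names: a submission is examined only if the session was already put in the 'form' state.

```php
<?php
// Simplified model of the gate described above; not PHPLIB's auth.inc.
// Class, method and field names are illustrative assumptions.
final class FormGateAuth
{
    /** @param array<string,string> $users constructed credential store (name => hash) */
    public function __construct(private array $users, private string $mode = 'log') {}

    /** $session persists between requests; $post holds this request's form fields. */
    public function start(array &$session, array $post): string
    {
        $uid = $session['auth']['uid'] ?? null;
        if ($uid === null) {
            // No form was ever issued to this session: ignore any credentials
            // in the request, enter the intermediate state and show the form.
            $session['auth']['uid'] = 'form';
            return 'show_form';
        }
        if ($uid !== 'form') {
            return 'authenticated';
        }
        // A form was issued to this session; only now is the submission examined.
        // 'form' is reserved as the state marker, so it is refused as a user name.
        $user = (string)($post['username'] ?? '');
        $pass = (string)($post['password'] ?? '');
        if ($user === '' || $user === 'form' || $pass === '') {
            return 'show_form';
        }
        if ($this->mode === 'reg') {
            if (isset($this->users[$user])) {
                return 'show_form';          // name taken: stay in 'form' state
            }
            $this->users[$user] = password_hash($pass, PASSWORD_DEFAULT);
        } elseif (!isset($this->users[$user])
            || !password_verify($pass, $this->users[$user])) {
            return 'show_form';              // bad login: stay in 'form' state
        }
        $session['auth']['uid'] = $user;
        return 'authenticated';
    }
}

// Constructed sample data.
$auth  = new FormGateAuth(['alice' => password_hash('s3cret', PASSWORD_DEFAULT)]);
$creds = ['username' => 'alice', 'password' => 's3cret'];

$fresh = [];                              // session that has not been shown a form
echo $auth->start($fresh, $creds), "\n";  // first request: credentials not examined
echo $auth->start($fresh, $creds), "\n";  // same session, now in the 'form' state
```

The same model also shows the drawback raised in the post: a form embedded on an arbitrary page has its input ignored until the session has passed through the 'form' state.
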
Logged In: YES
user_id=163488
This is the latest version.
default_auth is now a noop. Auth already does that
auth.inc with no more 'nobody' case handled
there's still something to be done
Logged In: YES
user_id=163488
the SPLASHFORM behavior works with the unchanged showoff.php3 example from the distribution
example of handling of deferred form showup
page.inc for deferred form showup
minimal explanation of usage
example page.inc for global splash form behavior
minimal explanation & usage
new auth for php4 sess reg_glob off
Logged In: YES
user_id=163488
This works with php 4 and register globals off. Both blocking behaviour, SPLASH or deferred/conditional, work.
One single page inc for all cases, honours existing usage of auth or default_auth classes
There exists a bug in actual auth resumption that prevents phplib3 passing correctly among pages of the two types.
This should also fix that
Some more explanations about that
Some explanation and use, get this instead
Logged In: YES
user_id=163488
This is the latest rationalized auth with the auth resumption bug fixed in page.inc, and the _sleep function to allow max compat with session4.
It is based on latest cvs, as of 10 Oct 2002, with the latest patches applied to php-lib-stable, including support for session4 and session4_custom
The new files with respect to the php-lib-stable are:
auth.inc
page.inc
and are provided also as separate text files
To try it, unpack under docroot, modify path in pages/prepend.php3, dbuser and passwd in php/local.inc
full pages and php dirs of latest session4 php-lib-stable
page.inc
Logged In: YES
user_id=163488
page inc with the resumption bug fixed, behaves as usual (splashform).
For back compat cancel_login can be fixed here.
auth.inc
Logged In: YES
user_id=163488
auth inc with
__sleep function (necessary for all session4+auth users)
rationalized start method
check_feature method, checks same feature as persisted auth.
Fixed switch state from auth/default_auth
fixed 'nobody' loginc
eliminated session_blocking login_in_progress state (uid=form), can be enforced in page.inc
reviewed log/reg form request logic
and more
start_actions block for user start(?)
fixed start_actions
Logged In: YES
user_id=163488
addendum scripts in pages/ and php/ dirs over phplib-0.74.20021005.patches.tar.gz
Logged In: YES
user_id=163488
The results are really great.
latest changes over Joe's snapshot of Saturday: phplib-0.74.20021005.patches which already contains fixes for 'browser back button' and 'user4->register of uninitialized variables bug'
Only the new files in php/ and pages/ are in this addendum.
You must download and install Joe Stewart's snapshot at
http://phplib.sourceforge.net/snapshots/
http://phplib.sourceforge.net/snapshots/phplib-0.74.20021005.patches.tar.gz
then override the needed files from this
fix php/local.inc for db user/pass
modify pages/prepend.php3 for different phplib (3/4) version
modify pages/.htaccess to try register_globals On or off
open pages/defauth.php3
CHANGES
-fixed the login_if, it accepts 3 values in get param, whose name can be specified in the final page, and will be automatically parsed away from the get QUERY_STRING
-there is a new $auth var, urlaction, that contains the name of this GET variable for the shunt loop Logout_and_Relogin click action. This is the name of the GET var (default "again"), that will be parsed and cleaned from QUERY_STRING on resubmit.
-fixed session4.inc self_url(), to rely on HTTP_POST_VARS[Query_String] instead of env(QUERY_STRING). This is because the HTTP_POST_VARS global can be rewritten, and is in fact, to be cleaned and ready for loginform.
-a great default auth page, with logout/relogin in a single click, or as before.
Guys, I worked months, including this cloudy Sunday on it, my head aches, and I need some glory. Please give it a try.
Gian
Logged In: YES
user_id=163488
Contains only the files to add to cvs php-lib-stable or snapshot.20021007
News:
-perm may exist before auth->start
-expire calculated at start from persistent last_renewal instead of being inherited
-no E_NOTICE noticed
-defauth has more 'interesting variables'