A Class for handling a session using HTTP Basic Authentication
Located in /inc/HTTPAuthSession.php (line 17)
The constructor, which just calls the type supplied or configured
Checks whether a user is allowed to do something.
The check is performed to see if the user has that role.
Internal function used to assign the session details to a user's new session.
Authorisation failed, so we send some headers to say so.
Handle Basic HTTP Authentication (not secure unless https)
CheckPassword does all of the password checking and returns a user record object, or false if it all ends in tears.
Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)
Note that this will not actually work unless we can either:
(A) store the password in plain text in the database, or
(B) store an md5( username || realm || password ) in the database.
The problem with (A) is that it potentially means the administrator can collect the sorts of things people use as passwords, which I believe is quite a bad idea. In scenario (B), while they cannot see the password itself, they can see a hash which only varies when the password varies, so they can see when two users have the same password, or can use one of the reverse lookup sites to attempt to reverse the hash. I think this is a less bad idea, but not ideal. Probably better than running Basic auth over HTTP, though!
Internal function used to get the user's roles from the database.
Parse the HTTP Digest Auth Header
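The Digest scenario (B) described above, together with the header parsing that the last method performs, as an added PHP example. This is not AWL's HTTPAuthSession code; the function names, realm, user, nonce and sample header are constructed here for illustration. It shows why scenario (B) is workable: to verify an RFC 2617 Digest response the server needs only HA1 = md5(username:realm:password) (the "||" in the note means concatenation with ':' separators), so the plain password never has to be stored.

```php
<?php
// Added example, not part of AWL/DAViCal: verify an HTTP Digest response
// against a stored HA1 = md5("username:realm:password") (scenario B).
// All names and sample values below are constructed.

// Parse the key="value" / key=value pairs of a Digest Authorization header
// into an associative array.
function parse_digest_header(string $header): array {
    $fields = [];
    // Drop the leading scheme token.
    $header = preg_replace('/^\s*Digest\s+/i', '', $header);
    // Values are either quoted strings or bare tokens (e.g. nc=00000001).
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        // Group 3 is only present for bare tokens; otherwise use the quoted value.
        $fields[$match[1]] = $match[3] ?? $match[2];
    }
    return $fields;
}

// Recompute the response the client must have produced (RFC 2617, qop=auth),
// using only HA1: the server never needs the password itself.
function expected_digest_response(string $ha1, string $method, array $d): string {
    $ha2 = md5($method . ':' . $d['uri']);
    if (isset($d['qop'])) {
        return md5(implode(':', [$ha1, $d['nonce'], $d['nc'], $d['cnonce'], $d['qop'], $ha2]));
    }
    return md5($ha1 . ':' . $d['nonce'] . ':' . $ha2);  // RFC 2069 compatibility form
}

// $ha1_store maps username => HA1; this is all the database has to hold.
function verify_digest(string $header, string $method, string $realm, array $ha1_store): bool {
    $d = parse_digest_header($header);
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $k) {
        if (!isset($d[$k])) return false;
    }
    if ($d['realm'] !== $realm || !isset($ha1_store[$d['username']])) return false;
    // A real server must also confirm that it issued this nonce recently and
    // that the nc counter has not been seen before, or the response can be replayed.
    $expected = expected_digest_response($ha1_store[$d['username']], $method, $d);
    return hash_equals($expected, $d['response']);   // constant-time comparison
}

// Constructed sample data: the server keeps HA1 only, never the password.
$realm     = 'DAViCal';
$ha1_store = ['alice' => md5('alice:' . $realm . ':correct horse')];

// Build the header a client would send for GET /caldav.php/alice/ (done here
// only to produce a sample request; a browser does this on the client side).
$nonce    = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$cnonce   = '0a4f113b';
$ha2      = md5('GET:/caldav.php/alice/');
$response = md5(implode(':', [$ha1_store['alice'], $nonce, '00000001', $cnonce, 'auth', $ha2]));
$header   = 'Digest username="alice", realm="DAViCal", nonce="' . $nonce . '", '
          . 'uri="/caldav.php/alice/", qop=auth, nc=00000001, cnonce="' . $cnonce . '", '
          . 'response="' . $response . '"';

// A genuine request verifies; the same header with the nc counter altered
// no longer matches the recomputed response and is rejected.
var_dump(verify_digest($header, 'GET', $realm, $ha1_store));
var_dump(verify_digest(str_replace('nc=00000001', 'nc=00000002', $header), 'GET', $realm, $ha1_store));
```

Two caveats the note above touches on: HA1 is a password-equivalent for that realm (anyone who reads it from the database can compute valid Digest responses without knowing the password), and because HA1 includes the username and realm, two users who share a password do not share an HA1, so offline attacks on it work per user rather than across the whole table. Also, the nonce check is what bounds replay; without it, Digest over plain HTTP still lets a captured request be resent.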
Documentation generated on Fri, 13 Jan 2012 23:44:55 +1300 by phpDocumentor 1.4.3