Class HTTPAuthSession

Description

A Class for handling a session using HTTP Basic Authentication

Located in /inc/HTTPAuthSession.php (line 17)


	
			
Variable Summary
 email $email
 fullname $fullname
 groups $groups
 user_no $user_no
Method Summary
 HTTPAuthSession HTTPAuthSession ()
 boolean AllowedTo (string $whatever)
 void AssignSessionDetails ( $principal, object $u)
 void AuthFailedResponse ([string $auth_header = ""])
 void CheckPassword ( $username,  $password)
 void GetRoles ()
 void ParseDigestHeader ( $auth_header)
Variables
email $email (line 32)

User e-mail

  • var: string
  • access: public
fullname $fullname (line 38)

User full name

  • var: string
  • access: public
groups $groups (line 44)

Group rights

  • var: array
  • access: public
user_no $user_no (line 26)

User ID number

  • var: int
  • access: public
Methods
Constructor HTTPAuthSession (line 50)

The constructor, which just calls the type supplied or configured

HTTPAuthSession HTTPAuthSession ()
AllowedTo (line 329)

Checks whether a user is allowed to do something.

The check is performed to see if the user has that role.

  • return: Whether or not the user has the specified role.
boolean AllowedTo (string $whatever)
  • string $whatever: The role we want to know if the user has.
AssignSessionDetails (line 353)

Internal function used to assign the session details to a user's new session.

void AssignSessionDetails ( $principal, object $u)
  • object $u: The user+session object we (probably) read from the database.
  • $principal
AuthFailedResponse (line 72)

Authorisation failed, so we send some headers to say so.

void AuthFailedResponse ([string $auth_header = ""])
  • string $auth_header: The WWW-Authenticate header details.
BasicAuthSession (line 98)

Handle Basic HTTP Authentication (not secure unless https)

void BasicAuthSession ()
CheckPassword (line 280)

CheckPassword does all of the password checking and returns a user record object, or false if it all ends in tears.

void CheckPassword ( $username,  $password)
  • $username
  • $password
DigestAuthSession (line 185)

Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)

Note that this will not actually work, unless we can either: (A) store the password plain text in the database (B) store an md5( username || realm || password ) in the database

The problem is that potentially means that the administrator can collect the sorts of things people use as passwords. I believe this is quite a bad idea. In scenario (B) while they cannot see the password itself, they can see a hash which only varies when the password varies, so can see when two users have the same password, or can use some of the reverse lookup sites to attempt to reverse the hash. I think this is a less bad idea, but not ideal. Probably better than running Basic auth of HTTP though!

void DigestAuthSession ()
GetRoles (line 337)

Internal function used to get the user's roles from the database.

void GetRoles ()
ParseDigestHeader (line 247)

Parse the HTTP Digest Auth Header

  • largely sourced from the PHP documentation

void ParseDigestHeader ( $auth_header)
  • $auth_header

Documentation generated on Fri, 13 Jan 2012 23:44:55 +1300 by phpDocumentor 1.4.3