[PHPLIB-DEV] cvs commit From: mbravo (phplib-dev <email protected>)
Date: 04/03/00

From: mbravo
Date: Mon Apr 3 12:40:28 2000
Modified files:
      php-lib/CHANGES
      php-lib/php/local.inc

Log message:
Cleaned up example of Crypt_Challenge_Auth in php.local.inc to work with Auth_Sql.
It would be wonderful if someone could test it thoroughly.
Also added some comments and fixed some spellings in the same file.

Index: php-lib/CHANGES
diff -u php-lib/CHANGES:1.167 php-lib/CHANGES:1.168
--- php-lib/CHANGES:1.167 Thu Mar 30 16:57:56 2000
+++ php-lib/CHANGES Mon Apr 3 12:39:56 2000
@@ -1,4 +1,9 @@
-$Id: CHANGES,v 1.167 2000/03/30 14:57:56 kir Exp $
+$Id: CHANGES,v 1.168 2000/04/03 10:39:56 mbravo Exp $
+
+03-Apr-2000 mbravo
+ - cleaned up Challenge_Crypt_Auth example in php/local.inc
+ It would be wonderful if someone could test it thoroughly
+ Also a couple of spelling fixes in the same file
 
 30-Mar-2000 kir
   - Add and remove conditional templates feature ;-o
Index: php-lib/php/local.inc
diff -u php-lib/php/local.inc:1.32 php-lib/php/local.inc:1.33
--- php-lib/php/local.inc:1.32 Fri Nov 12 08:11:25 1999
+++ php-lib/php/local.inc Mon Apr 3 12:39:57 2000
@@ -5,7 +5,7 @@
  * Copyright (c) 1998,1999 NetUSE GmbH
  * Boris Erdmann, Kristian Koehntopp
  *
- * $Id: local.inc,v 1.32 1999/11/12 07:11:25 kk Exp $
+ * $Id: local.inc,v 1.33 2000/04/03 10:39:57 mbravo Exp $
  *
  * All functions in this file are example classes, which can be used
  * by your application to get you going. Once you get the hang of it,
@@ -31,6 +31,17 @@
   var $database_table = "active_sessions"; ## and find our session data in this table.
 }
 
+##
+## An example of Split_Sql container usage
+## You may need it if you expect significant amount of session-registered
+## data and there are restrictions on tuple size in your database
+## engine (e.g. like in Postgres)
+##
+## NB: session table name is different only for illustrative purposes,
+## so you wouldn't absent-mindedly confuse split session data and non-split
+## table structure is the same - if you are sure you won;t be switching
+## back and forth between containers, just use active_sessions
+
 #class Example_CT_Split_Sql extends CT_Split_Sql {
 # var $database_class = "DB_Example"; ## Which database to connect...
 # var $database_table = "active_sessions_split"; ## and find our session data in this table.
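Review bot: The new "NB" paragraph runs two sentences together ("...confuse split session data and non-split table structure is the same") and carries the typo "won;t", so the caveat it is trying to make about table layout is hard to read. I would reword it as `## NB: the session table name differs only for illustrative purposes, so you would not absent-mindedly mix split and non-split session data. The table structure is the same - if you are sure you won't be switching back and forth between containers, just use active_sessions.` The Example_CT_Split_Sql class below stays commented out, which the comment could mention so readers know it is a template rather than live code.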
@@ -129,7 +140,7 @@
       $perm = $this->db->f("p_perms");
       $pass = $this->db->f("p_password");
     }
- $exspected_response = md5("$username:$pass:$challenge");
+ $expected_response = md5("$username:$pass:$challenge");
 
     ## True when JS is disabled
     if ($response == "") {
@@ -143,7 +154,7 @@
     }
     
     ## Response is set, JS is enabled
- if ($exspected_response != $response) {
+ if ($expected_response != $response) {
       $this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
       return false;
     } else {
@@ -156,65 +167,87 @@
 ##
 ## Another variation of Challenge-Response authentication,
 ## done slightly differently. This one does not keep cleartext
-## passwords in your database table. It uses a slightly different
-## authentication table format, thus a different table is being used.
+## passwords in your database table.
+## It uses new functions of Auth_Sql and supports different methods
+## of password encryption
+##
+## WARNING: it currently works only with md5 password encryption method
+## if you want to use other encryption methods available in Auth_Sql, you
+## will have to implement appropriate encryption functions in JavaScript
+## and modify crcloginform.ihtml to use these functions in
+## doChallengeResponse()
 
 class Example_Challenge_Crypt_Auth extends Auth {
   var $classname = "Example_Challenge_Crypt_Auth";
+
+ var $lifetime = 15;
+ var $mode = "reg"; ## can do "log" as well.
+ var $passenc = "md5"; ## there other enc. methods, but see comment
+ ## at the start of this class
 
- var $lifetime = 1;
+ var $nobody = false; ## change to true to enable default auth
 
   var $magic = "Frobozzica"; ## Challenge seed
   var $database_class = "DB_Example";
- var $database_table = "auth_user_md5";
+ var $database_table = "auth_user";
 
   function auth_loginform() {
- global $sess;
+ global $sess, $auth, $_PHPLIB, $PHP_SELF;
     global $challenge;
-
+ $this->translate_error();
+
     $challenge = md5(uniqid($this->magic));
     $sess->register("challenge");
     
- include("crcloginform.ihtml");
+ include($_PHPLIB["libdir"] . "crcloginform.ihtml");
   }
-
+
+
   function auth_validatelogin() {
- global $username, $password, $challenge, $response;
+ global $username, $password, $mode;
+ global $challenge, $response;
+
+ if (isset($mode) && $mode == "reg") {
+ $this->mode = "reg";
+ $this->auth["uname"] = $username;
+ $this->auth["error"] = "fill"; # Please fill in the required registration information. Thank you.";
+ return false;
+ }
 
- $this->auth["uname"]=$username; ## This provides access for "loginform.ihtml"
+ if(isset($username)) {
+ $this->auth["uname"]=$username; ## This provides access for "loginform.ihtml"
+ }
     
- $this->db->query(sprintf("select p_user_id,p_perms,p_password ".
- "from %s where p_username = '%s'",
+ $uid = false;
+
+ $this->db->query(sprintf("select p_user_id, p_pwenc, p_password, p_perms ".
+ " from %s ".
+ " where p_username = '%s' ",
                           $this->database_table,
                           addslashes($username)));
 
     while($this->db->next_record()) {
- $uid = $this->db->f("p_user_id");
- $perm = $this->db->f("p_perms");
- $pass = $this->db->f("p_password"); ## Password is stored as a md5 hash
- }
- $exspected_response = md5("$username:$pass:$challenge");
+ $pwenc = $this->db->f("p_pwenc");
+ $p = $this->db->f("p_password");
 
- ## True when JS is disabled
- if ($response == "") {
- if (md5($password) != $pass) { ## md5 hash for non-JavaScript browsers
- $this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
- return false;
- } else {
- $this->auth["perm"] = $perm;
- return $uid;
+ $salt = ($pwenc == "crypt")?substr($p, 0, 2):"";
+ $q = $this->password_encode($password, $pwenc, $salt);
+ $expected_response = md5("$username:$p:$challenge");
+
+ if ( ($response) ? ($expected_response == $response) : ($p == $q) ) {
+ $uid = $this->db->f("p_user_id");
+ $this->auth["perm"] = $this->db->f("p_perms");
+ break;
       }
     }
-
- ## Response is set, JS is enabled
- if ($exspected_response != $response) {
- $this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
- return false;
- } else {
- $this->auth["perm"] = $perm;
- return $uid;
- }
+ if ($uid == false)
+ $this->auth["error"] = "invalid"; # Either your username or password are invalid.<br>Please try again.";
+ else
+ SetCookie("auth_username", $username, pow(2, 31)-1, "/");
+
+ return $uid;
   }
+
 }
 
 ## An example implementation of a Perm subclass, implementing
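Review bot: The new credential check `if ( ($response) ? ($expected_response == $response) : ($p == $q) )` relies on PHP's loose `==`, which compares two numeric-looking strings as numbers, so a digest of the form `0e...` can compare equal to a different digest of the same shape; use `strcmp($expected_response, $response) == 0` and `strcmp($p, $q) == 0` (or `===` where the PHP version supports it). Since the expected response is `md5("$username:$p:$challenge")` over the stored hash `$p` rather than the password, anyone who can read p_password can answer the challenge without knowing the password; that is worth stating in the class header next to the existing md5-only warning. The salt extraction `substr($p, 0, 2)` only fits a traditional two-character crypt salt, so presumably other crypt formats would never verify; the comment should say which format is assumed. `if ($uid == false)` is also a loose test and would report a user whose p_user_id is 0 as a failed login. The `auth_username` cookie is set with expiry `pow(2, 31)-1`, i.e. it persists the login name on the client until 2038; if that is intended, a one-line comment saying so would help.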
