Strona główna Odkrywaj Pomoc
Zaloguj się
boarspring
/
repo_zf1
kopia lustrzana https://github.com/bluescreen/zf1-php7.2.git
2
0
Forkuj 1
Pliki Problemy 0 Wiki
Drzewo: 3bef036e99
Gałęzie Tagi
repo_zf1
/
documentation
/
manual
/
en
/
tutorials
/
multiuser-authentication.xml

multiuser-authentication.xml 6.6 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. <?xml version="1.0" encoding="UTF-8"?>
    2. 

  2. <!-- Reviewed: no -->
    3. 

  3. <sect1 id="learning.multiuser.authentication">
    4. 

  4.     <title>Authenticating Users in ZF</title>
    5. 

  5. 

  6.     <sect2 id="learning.multiuser.authentication.intro">
    7. 

  7.         <title>Introduction to Authentication</title>
    8. 

  8. 

  9.         <para>
    10. 

  10.             Once a web application has been able to distinguish one user from another by establishing a
    11. 

  11.             session, web applications typically want to validate the identity of a user.  The process
    12. 

  12.             of validating a consumer as being authentic is "authentication."  Authentication is made up
    13. 

  13.             of two distinctive parts: an identity and a set of credentials.  It takes some variation of
    14. 

  14.             both presented to the application for processing so that it may authenticate a user.
    15. 

  15.         </para>
    16. 

  16. 

  17.         <para>
    18. 

  18.             While the most common pattern of authentication revolves around usernames and passwords,
    19. 

  19.             it should be stated that this is not always the case.  Identities are not limited to
    20. 

  20.             usernames.  In fact, any public identifier can be used: an assigned number, social security
    21. 

  21.             number, or residence address.  Likewise, credentials are not limited to passwords.
    22. 

  22.             Credentials can come in the form of protected private information: fingerprint, eye retinal
    23. 

  23.             scan, passphrase, or any other obscure personal information.
    24. 

  24.         </para>
    25. 

  25. 

  26.     </sect2>
    27. 

  27. 

  28.     <sect2 id="learning.multiuser.authentication.basic-usage">
    29. 

  29.         <title>Basic Usage of Zend_Auth</title>
    30. 

  30. 

  31.         <para>
    32. 

  32.             In the following example, we will be using Zend_Auth to complete what is probably the most
    33. 

  33.             prolific form of authentication: username and password from a database table.  This
    34. 

  34.             example assumes that you have already setup your application using Zend_Application, and
    35. 

  35.             that inside that application you have configured a database connection.
    36. 

  36.         </para>
    37. 

  37. 

  38.         <para>
    39. 

  39.             The job of the Zend_Auth class is twofold.  First, it should be able to accept an
    40. 

  40.             authentication adapter to use to authenticate a user.  Secondly, after a successful
    41. 

  41.             authentication of a user, it should persist throughout each and every request that might
    42. 

  42.             need to know if the current user has indeed been authenticated.  To persist this data,
    43. 

  43.             Zend_Auth consumes Zend_Session_Namespace, but you will generally never need to interact
    44. 

  44.             with this session object.
    45. 

  45.         </para>
    46. 

  46. 

  47.         <para>
    48. 

  48.             Lets assume we have the following database table setup:
    49. 

  49.         </para>
    50. 

  50. 

  51.         <programlisting language="php"><![CDATA[
    52. 

  52. CREATE TABLE users (
    53. 

  53.     id INTEGER  NOT NULL PRIMARY KEY,
    54. 

  54.     username VARCHAR(50) UNIQUE NOT NULL,
    55. 

  55.     password VARCHAR(32) NULL,
    56. 

  56.     password_salt VARCHAR(32) NULL,
    57. 

  57.     real_name VARCHAR(150) NULL
    58. 

  58. )
    59. 

  59. ]]></programlisting>
    60. 

  60. 

  61.         <para>
    62. 

  62.             The above demonstrates a user table that includes a username, password, and also a
    63. 

  63.             password salt column.  This salt column is used as part of a technique called salting that
    64. 

  64.             would improve the security of your database of information against brute force attacks
    65. 

  65.             targeting the algorithm of your password hashing.
    66. 

  66.             <a href="http://en.wikipedia.org/wiki/Salting_%28cryptography%29">More information</a>
    67. 

  67.             on salting.
    68. 

  68.         </para>
    69. 

  69. 

  70.         <para>
    71. 

  71.             For this implementation, we must first make a simple form that we can utilized as the
    72. 

  72.             "login form".  We will use Zend_Form to accomplish this.
    73. 

  73.         </para>
    74. 

  74. 

  75. 

  76. <programlisting language="php"><![CDATA[
    77. 

  77. <?php
    78. 

  78. // located at application/forms/Auth/Login.php
    79. 

  79. 

  80. class Default_Form_Auth_Login extends Zend_Form
    81. 

  81. {
    82. 

  82.     public function init()
    83. 

  83.     {
    84. 

  84.         $this->setMethod('post');
    85. 

  85. 

  86.         $this->addElement(
    87. 

  87.             'text', 'username', array(
    88. 

  88.                 'label' => 'Username:',
    89. 

  89.                 'required' => true,
    90. 

  90.                 'filters'    => array('StringTrim'),
    91. 

  91.             ));
    92. 

  92. 

  93.         $this->addElement('password', 'password', array(
    94. 

  94.             'label' => 'Password:',
    95. 

  95.             'required' => true,
    96. 

  96.             ));
    97. 

  97. 

  98.         $this->addElement('submit', 'submit', array(
    99. 

  99.             'ignore'   => true,
    100. 

  100.             'label'    => 'Login',
    101. 

  101.             ));
    102. 

  102. 

  103.     }
    104. 

  104. }
    105. 

  105. ]]></programlisting>
    106. 

  106. 

  107.         <para>
    108. 

  108.             With the above form, we can now go about creating our login action for
    109. 

  109.             our authentication controller.  This controller will be called "AuthController", and
    110. 

  110.             will be located at application/controllers/AuthController.php.  It will have a single
    111. 

  111.             method called "loginAction" which will serve as the self-posting action.  In other words,
    112. 

  112.             regardless of the url was POSTed to or GETed to, this method will handle the logic.
    113. 

  113.         </para>
    114. 

  114. 

  115.         <para>
    116. 

  116.             The following code will demonstrate how to construct the proper adapter, integrate it
    117. 

  117.             with the form:
    118. 

  118.         </para>
    119. 

  119. 

  120.         <programlisting language="php"><![CDATA[
    121. 

  121. class AuthController extends Zend_Controller_Action
    122. 

  122. {
    123. 

  123. 

  124.     public function loginAction()
    125. 

  125.     {
    126. 

  126.         $db = $this->_getParam('db');
    127. 

  127. 

  128.         $loginForm = new Default_Form_Auth_Login($_POST);
    129. 

  129. 

  130.         if ($loginForm->isValid()) {
    131. 

  131. 

  132.             $adapter = new Zend_Auth_Adapter_DbTable(
    133. 

  133.                 $db,
    134. 

  134.                 'users',
    135. 

  135.                 'username',
    136. 

  136.                 'password',
    137. 

  137.                 'MD5(CONCAT(?, password_salt))'
    138. 

  138.                 );
    139. 

  139. 

  140.             $adapter->setIdentity($loginForm->getValue('username'));
    141. 

  141.             $adapter->setCredential($loginForm->getValue('password'));
    142. 

  142. 

  143.             $result = $auth->authenticate($adapter);
    144. 

  144. 

  145.             if ($result->isValid()) {
    146. 

  146.                 $this->_helper->FlashMessenger('Successful Login');
    147. 

  147.                 $this->redirect('/');
    148. 

  148.                 return;
    149. 

  149.             }
    150. 

  150. 

  151.         }
    152. 

  152. 

  153.         $this->view->loginForm = $loginForm;
    154. 

  154. 

  155.     }
    156. 

  156. 

  157. }
    158. 

  158. ]]></programlisting>
    159. 

  159. 

  160.         <para>
    161. 

  161.             The corresponding view script is quite simple for this action.  It will set the current
    162. 

  162.             url since this form is self processing, and it will display the form.  This view script is
    163. 

  163.             located at application/views/scripts/auth/login.phtml:
    164. 

  164.         </para>
    165. 

  165. 

  166.         <programlisting language="php"><![CDATA[
    167. 

  167. <?php
    168. 

  168. 

  169. $this->form->setAction($this->url());
    170. 

  170. echo $this->form;
    171. 

  171. ]]></programlisting>
    172. 

  172. 

  173.         <para>
    174. 

  174.             There you have it.  With these basics you can expand the general concepts to include
    175. 

  175.             more complex authentication scenarios.  For more information on other Zend_Auth adapters,
    176. 

  176.             have a look in <link linkend="zend.auth">the reference guide</link>.
    177. 

  177.         </para>
    178. 

  178. 

  179.     </sect2>
    180. 

  180. 

  181. </sect1>
    182. 

  182.