Using file-based authentication removes the single-username-and-password problem of the hard-coded
solution; however, it still has limitations that must be considered before adopting it. The first thing to
create for this approach is a users text file. This file should be located in a directory that is not in or
under the htdocs directory of the web server, so that nobody can fetch the file through the website. It also
needs to be in a directory that the server can read and write from. For the example below, the /tmp directory
will be used; however, in production this directory should not be used, because it is cleaned out every time
the server restarts and is readable by anyone who can log in to the server.
The Users Text File
The following is the contents of the /tmp/auth_users.txt file:
Candance:90e0b2ef171cf8edd7f58527f3134f634ccb7091
Celine:44c40e17b33ee3fd125120b7ccddbeed2b2d7db3
Frank:ef1c3c9da92b9f869ea684808312525130c7f530
Granny:eaf7def567e8c7462a7f5530328016203409c474
Hank:70f7ec35e966287aefd78352828f21fc0c8fae33
Howard:38c260888790bbe43e7ec191fd90544d2c8c59d0
Jarel:c968edd668e273763e039a511b76609b195570fd
Mildred:a9e4af8f7113527a04defa057a7a65136cdae803
Pierre:72a3925b00f932dbe79e6ee99818b3556b27e88c
Roberta:160409a52594eab968f03a46019ea2ab8e9606a7
Rudy:70f08ceac2f2428e3f3b87e2bc5e23d2c3c6f447
Tawanda:b5a03cd9c9eaf136aa704e00008b60855903477f
Yogi:3234eec08278d9c9a22d7478f7adbe0d245dae45
The File-Based Authentication Script
Prior to showing the example script for file-based authentication, a few functions need to be
discussed:
• file() - The file() function takes one parameter, the location of the file to be read, given as a string.
The function reads the contents of the file into an array, with every line becoming one array element.
• explode() - The explode() function is similar to the split() function, but does not require PHP's
regular expression engine, so it performs faster. The explode() function takes two parameters. The first
is the delimiter to search for within the string (the second parameter). The string is separated into an
array at each occurrence of the delimiter.
• sha1() - This function calculates the SHA-1 hash of the string parameter (the only parameter for this
function) using the US Secure Hash Algorithm 1 and returns that hash. The hash is a 40-character
hexadecimal number.
The File-Based Authentication Script
<?php
// Preset the variable used to verify authentication
$authorized_user = FALSE;
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    // Read the authentication file into an array, one line per element
    $authArray = file("/tmp/auth_users.txt");
    foreach ($authArray as $row) {
        $parts = explode(":", $row, 2);
        // Skip blank or malformed lines instead of letting list() fail on them
        if (count($parts) != 2) {
            continue;
        }
        list($user, $pswd) = $parts;
        // Remove the new line character from the password hash
        $pswd = trim($pswd);
        // Strict comparison (===) avoids PHP's loose string-to-number coercion on hex hashes
        if (($_SERVER['PHP_AUTH_USER'] === $user) &&
            (sha1($_SERVER['PHP_AUTH_PW']) === $pswd)) {
            $authorized_user = TRUE;
            break;
        }
    }
}
// Test to see if there is an authorized user
if (!$authorized_user) {
    header('WWW-Authenticate: Basic realm="Photo Album"');
    header('HTTP/1.0 401 Unauthorized');
    print "You must provide a valid username and password!";
    exit;
}
// Remainder of script
?>
In this example, the first portion of the script reads the username and password supplied by the browser
along with the usernames and password hashes from the authorized users file. Each file entry is compared
in turn; if the supplied credentials match none of them, the test variable remains FALSE, so the script
enters the second condition, sends the HTTP headers that request authentication, prints a message saying
that the username and/or password was not valid, and exits, terminating the rest of the script. If, on the
other hand, the username and password hash are found in the authorized users file, the test variable is set
to TRUE, the second condition is skipped and the remainder of the script is executed.
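As an added example (not the article's own code), the following hardened version reads the same user:hash file but skips malformed lines, compares hashes in constant time with hash_equals() instead of the loose == operator, and also accepts password_hash() entries so the unsalted SHA-1 lines can be migrated one user at a time; the make_entry() helper and function names are assumptions.

```php
<?php
// Added example (not from the article): hardened reader for the same "user:hash"
// file. Skips malformed lines, compares with hash_equals() instead of "==", and
// accepts password_hash() entries ("$2y$...") so SHA-1 lines can be migrated.
function load_auth_file(string $authFile): array {
    $users = [];
    $lines = file($authFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $users;  // unreadable file: nobody authenticates (fail closed)
    }
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;   // tolerate comment lines in the users file
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            continue;   // malformed line: ignore it rather than crash or fail open
        }
        $users[$parts[0]] = $parts[1];
    }
    return $users;
}

function verify_user(array $users, string $user, string $password): bool {
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user];
    if (strncmp($stored, '$2y$', 4) === 0) {
        return password_verify($password, $stored);   // salted bcrypt entry
    }
    // Legacy unsalted SHA-1 entry as in the article's file: constant-time compare
    return hash_equals(strtolower($stored), sha1($password));
}

function make_entry(string $user, string $password): string {
    // For adding or re-hashing users: password_hash() salts and slows the hash
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

// HTTP Basic flow, as in the article's script (same file path as the article)
$users = load_auth_file('/tmp/auth_users.txt');
$ok = isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && verify_user($users, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if (!$ok) {
    header('WWW-Authenticate: Basic realm="Photo Album"');
    header('HTTP/1.0 401 Unauthorized');
    exit('You must provide a valid username and password!');
}
```

Writing the output of make_entry() into the users file in place of a user's SHA-1 line upgrades that user on their next successful login check without touching the other entries.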
Limitations of File-Based Authentication
Although this method is much more robust than hard-coded authentication, it still has its limitations:
• Large Number Of Users - As the user base grows, so does the effort needed to maintain and update the
authorized users file. This can become a maintenance time drain and/or a coding nightmare to parse
and edit with supporting code.
• Limited Infrastructure - File-based authentication schemes are designed for relatively small data
infrastructures. As the data complexity grows, so do the problems associated with connecting a flat
file (or multiple flat files) with other data storage techniques (such as databases).