HttpAuthPlus: Authentication | Administration | Method Documentation

Authentication with HttpAuthPlus

Any file that you wish to protect must first have the 'HttpAuthPlus_class.php' included in it.
To do this simply add the following to the top of any php document that needs protecting:

require_once('path/HttpAuthPlus_class.php');

Take note of these files, as you will be adding some additional code to them later to do the actual authenticating. This step simply gives the script the ability to use the authentication features of HttpAuthPlus. After that you must decide which authentication scheme you are going to use.

HttpAuthPlus has two modes of authenticating:

1. Using HttpAuthPlus to authenticate against a flat-file.

If using this method you do not need to include the PEAR DB.php file, so open HttpAuthPlus_class.php in your favorite PHP editor and comment out the line underneath the copyright that reads:

require_once('DB.php');

It should now look like:

#require_once('DB.php');

The next step is creating an instance of the HttpAuthPlus object and setting a few parameters before we actually perform the authentication. We do this by adding the following to the top of the script (anywhere before any output is sent to the browser is fine):

$login = new HttpAuthPlus;
$login->setAuthType('file');
$login->setAuthFile('C:\pathto\passwordfile.txt');
$login->AuthUser();
# the rest of your
# 'protected' code here...

The above example is straightforward.

$login = new HttpAuthPlus; // creates a new instance of the HttpAuthPlus object
$login->setAuthType('file'); // sets the authentication against a flat-file instead of database(default)
$login->setAuthFile('C:\pathto\passwordfile.txt'); // the file to authenticate against; if it does not exist, it is created.

$login->AuthUser(); // performs the actual authentication.

The default format of the file created by HttpAuthPlus is:

username|password|email\n

This field delimiter can be altered using the setFieldDel($delimeter) method. If you decide to use an alternate delimiter when first creating your password file, every subsequent authenticate, add, edit and delete call must have setFieldDel($delimeter) set to match the delimiter currently used in the password file, and this must be done before calling any of those methods. The default is the '|' character.

By default HttpAuthPlus stores passwords in plain text. This is a security risk, and you should encrypt your passwords by using the setAuthEncrypt() method to change the default behavior. This is done like so:

$login = new HttpAuthPlus;
$login->setAuthType('file');
$login->setAuthFile('C:\pathto\passwordfile.txt');
$login->setAuthEncrypt('crypt');
$login->AuthUser();
# the rest of your
# 'protected' code here...

Notice the 4th line:

$login->setAuthEncrypt('crypt');

This changes the way in which passwords are stored and compared from plain text to a crypt()ed form: the first two characters of the username are used as the salt for PHP's crypt() function. This only protects against the password file itself being read directly. With HTTP authentication the username and password still travel to the server in the clear, so anyone sniffing the traffic can pick them up unless the connection is protected by HTTPS.
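The file format and the 'crypt' mode described above, as an added example that is not part of the HttpAuthPlus code: it parses the username|password|email records with a configurable delimiter and checks a login in either storage mode. It assumes the 'crypt' storage is exactly crypt($password, first two characters of the username), as the text states, and adds a constant-time comparison that the page does not mention.

```php
<?php
// Added example, not part of HttpAuthPlus: a stand-alone checker for the
// flat-file format documented above (username|password|email per line).
// Assumption: 'crypt' mode stores crypt($password, substr($username, 0, 2)),
// as the text states. hash_equals() is a hardening step added here.

// Parse the password file into [username => ['password' => ..., 'email' => ...]].
// $delimiter must match what setFieldDel() was given when the file was created.
function parseAuthFile(string $contents, string $delimiter = '|'): array
{
    $users = [];
    foreach (preg_split('/\r?\n/', $contents) as $line) {
        if ($line === '') {
            continue;                       // skip blank lines
        }
        $parts = explode($delimiter, $line, 3);
        if (count($parts) !== 3) {
            continue;                       // malformed record: ignore it
        }
        [$user, $stored, $email] = $parts;
        $users[$user] = ['password' => $stored, 'email' => $email];
    }
    return $users;
}

// Verify a login against the two documented storage modes.
// Note: a salt taken from the username is fixed per user, and classic DES
// crypt() only uses the first 8 password characters, so the stored values
// are weak against offline guessing; this protects only against casual reads.
function checkLogin(array $users, string $user, string $password, string $mode): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user]['password'];
    $candidate = ($mode === 'crypt')
        ? crypt($password, substr($user, 0, 2))   // salt = first two username chars
        : $password;                              // 'plain': stored as typed
    return hash_equals($stored, $candidate);      // constant-time comparison
}

// Constructed sample file: alice stored in crypt mode, bob in plain text.
$file = "alice|" . crypt('s3cret', 'al') . "|alice@example.com\n"
      . "bob|hunter2|bob@example.com\n";
$users = parseAuthFile($file, '|');

var_dump(checkLogin($users, 'alice', 's3cret', 'crypt'));
var_dump(checkLogin($users, 'alice', 'wrong', 'crypt'));
var_dump(checkLogin($users, 'bob', 'hunter2', 'plain'));
```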

Refer to Method Documentation for further details and options for file-based authentication.

2. Using HttpAuthPlus to authenticate against a database.

If using this method (the default) you need to include the PEAR DB.php file, so if it is not already on your PHP include path, open HttpAuthPlus_class.php in your favorite PHP editor and edit the line underneath the copyright that reads:

require_once('DB.php');

so that it points to the actual location of 'DB.php'. After that we create an instance of the HttpAuthPlus object, set a few parameters and authenticate. This is done by adding the following lines to the top (before any output to the browser) of any script you wish to protect:

$login = new HttpAuthPlus;
$login->setAuthEncrypt('crypt');
$login->setDbType('mysql');
$login->setDbHost('localhost');
$login->setDbUser('username');
$login->setDbPass('password');
$login->setDbName('databasename');
$login->setUsernameField('username_field');
$login->setPasswordField('password_field');
$login->setEmailField('email_field');
$login->setDbInitStr();
$login->setTableName('tablename');
$login->AuthUser();
# the rest of your 'protected' code here....

The above example is straightforward.

$login = new HttpAuthPlus; // create a new instance of the HttpAuthPlus object
$login->setAuthEncrypt('crypt'); // set the authentication to 'crypt' or 'plain-text'
$login->setDbType('mysql'); // sets the type of database to use
$login->setDbHost('localhost'); // the hostname or IP of the database server
$login->setDbUser('username'); // the username for connecting to the server
$login->setDbPass('password'); // the password for connecting to the server
$login->setDbName('databasename'); // the name of the database to use
$login->setUsernameField('username_field'); // the name of the field that contains the username
$login->setPasswordField('password_field'); // the name of the field that contains the password
$login->setEmailField('email_field'); // the name of the field that contains the email address
$login->setDbInitStr(); // builds the DSN string; must be called after initializing the database variables
$login->setTableName('tablename'); // the name of the table that stores usernames,passwords,emails
$login->AuthUser(); // carries out the authentication against the database
# the rest of your 'protected' code here....

Refer to Method Documentation for further details and options for database authentication.
