#native_company# #native_desc#

Session Management and Authentication with PHPLIB

By Chad Cunningham
on July 30, 2000

Let’s face it, web pages aren’t designed for interaction with users. At one
time or another, you’ve probably found yourself needing to know what user
you are dealing with, and some information about that user. But how do you
do it on the web? There are many ways, but most of them are either error
prone, or serious security risks. Passing around form data from page to
page can easily be sniffed, and even more easily forged. What is a
webmaster to do?
The simple answer is PHPLIB.
PHPLIB is a set of PHP classes that are
designed to make is easier to develop web based applications – things that
need interaction. This is provided by many classes, the most essential
being authentication, session management, permissions, and database

What You’ll Need

To use phplib, you need php installed on your server. Unlike basic
authentication, phplib works with either the cgi or the module. You will
probably need at least version 3.0.5 of php. Earlier cgi versions may work
if you compiled them with –enable-foce-cgi-redirect option. Otherwise, you
will get nothing but security errors. PHP also needs to be configured with
track_vars enabled. You will also need a database. PHPLIB currently
supports MySQL, Orace, ODBC, PostgreSQL, and Sybase.

How it Works

First and foremost, the classes need to be configured for your system. The
only file that has to be modified is the local.inc file included in the
distribution. It is filled in with a sample setup which can be used almost
as is, or can be modified as you want. Before setting it up though, it’s a
good idea to understand what is going on.
Each page that uses PHPLIB must first import all of the needed files. You
can do this with php’s auto_prepend feature if you have access to your
php.ini and you want the files included on EVERY page. If not, you can
specify an include directory in the php.ini, or just use the absolute path
to require the PHPLIB files. A sample file called prepend.php3 is included
in the distribution, which can be required at the top of each file to
include all of the other needed files.
At the top of each phplib page, you must make a call to the page_open
function. This initializes the features that you plan on using, more on
this later. A typical page_open call that gives authentication, session,
and permission capabilities looks like:


page_open(array("sess" => "Cms_Session""auth" => "Cms_Auth""perm" => "Cms_Perm"));


The keys of the array (sess, auth, perm) are the variable names you
will use to address the objects, and must be the standard variable names
phplib uses (sess, auth, perm…). The values are the names of the classes
you create in your local.inc. The page_open call must be before any output
to the browser, and you only need to put in the features that you are going
to use (if you’re not using authentication on the page, just leave that
part out). The script must end with a call to the page_close() function,
which writes all changes back to the database. If you forget the
page_close() call, you may find some things not working quite as expected…
Because phplib uses cookies to store information, your page_open() call
must be issued before ANY output is sent to the browser. Output can be
anything from html to blank lines. If you find yourself getting errors
which say something along the lines of “Oops – SetCookie called after
header has been sent” this means that there was some output before the
page_open was called. The typical culprits, and the hardest to find, are
blank lines outside of the <? and ?> tags in the included files. Check
your local.inc or prepend.php3 for blank lines at the end with vi, or
another editor which will show you these.