Authenticating Your Users

Abstract

Authenticating user identities is common practice not only for security-related reasons, but also to offer customizable features based on user preferences and type. Typically, users are prompted for a username and password, the combination of which forms a unique identifying value for that user. In this chapter, you’ll learn how to prompt for and validate this information using a variety of methods, including a simple approach involving Apache’s htpasswd feature and approaches involving comparing the provided username and password to values stored directly within the script, within a file, and within a database. In addition, you’ll learn how to use the Auth_HTTP PEAR package, test password strength using the CrackLib extension, and recover lost passwords using a concept known as a one-time URL. In summary, the chapter concepts include:

• Basic HTTP-based authentication concepts

• PHP’s authentication variables, namely $_SERVER[‘PHP_AUTH_USER’] and $_SERVER[‘PHP_AUTH_PW’]

• Several PHP functions that are commonly used to implement authentication procedures

• Three commonplace authentication methodologies: hard-coding the login pair (username and password) directly into the script, file-based authentication, and database-based authentication

• Taking advantage of the Auth_HTTP package

• Testing password guessability using the CrackLib extension

• Recovering lost passwords using one-time URLs