Auth

Creating an authentication system.

The PEAR::Auth package provides methods for creating an authentication system using PHP. Currently it supports the following storage containers to read/write the login data: * All databases supported by the PEAR database layer * All databases supported by the MDB database layer * All databases supported by the MDB2 database layer * Plaintext files * LDAP servers * POP3 servers * IMAP servers * vpopmail accounts * RADIUS * SAMBA password files * SOAP * PEAR website MJ Martin Jansen mj@php.net lead jflemer James E. Flemer jflemer@acm.jhu.edu developer yavo Yavor Shahpasov yavo@siava.org lead aashley Adam Ashley php@adamashley.name lead 1.3.2 2006-08-31 PHP License stable * Fixed Bug #8524: Notice from attempting to perform string operation on what might be an array in DB, DBLite, MDB and MDB2. Thanks to dozoyousan at gmail dot com. * Remove debug message from RADIUS Container when using CHAP_MD5 or MSCHAPv1 style passwords. Thanks to Stoyan Stefanov <ssttoo at gmail dot com> for pointing out this 3yr old bug. File_Passwd Net_POP3 DB MDB MDB2 Auth_RADIUS Crypt_CHAP File_SMBPasswd imap vpopmail 1.3.1 2006-08-21 PHP License stable * Fixed Bug #7031: session_regenerate_id() not cleaning up old session storage. Fix for this bug in PHP5.1.0+ has been done, still a problem in older versions of PHP. * Fixed Bug #7421: Allow false to be passed in for allowLogin and advancedSecurity options. * Fixed Bug #7434: Enable start_tls support for LDAP Container by Stuart Prescott <php.net@nanonanonano.net> * Fixed Bug #7537: Made File Container capable of using all File_Passwd backends. * Fixed Bug #7841: Added missing </center>. Really the whole frontend needs reworking. * Fixed Bug #7860: Removed deprecated session_register call. * Fixed Bug #7899: sessionValidThru() returning incorrect value when no idle timeout set. * Fixed Bug #7956: Session handling had several security bugs before PHP4.3.3. Bumped PHP dependancy so we don't have to deal with them. * Fixed Bug #8076: MDB & MDB2 Containers not using default db_fields values * Fixed Bug #8351: Documentation of $loginFailedCallback pointed to incorrect set function. * Fixed Bug #8406: Error message updates by Adam Harvey <pear@adamharvey.name> * Fixed Bug #8407: Database containers don't quote table/field names by Adam Harvey <pear@adamharvey.name> 1.3.1RC1 2006-08-11 PHP License beta This release candidate is test the numerous fixes described below. It is also to get feedback on the change made for Bug #8407. Bug #8407 adds automatic quoting of table and field names used in SQL in the Database backends. * Fixed Bug #7031: session_regenerate_id() not cleaning up old session storage. Fix for this bug in PHP5.1.0+ has been done, still a problem in older versions of PHP. * Fixed Bug #7421: Allow false to be passed in for allowLogin and advancedSecurity options. * Fixed Bug #7434: Enable start_tls support for LDAP Container by Stuart Prescott <php.net@nanonanonano.net> * Fixed Bug #7537: Made File Container capable of using all File_Passwd backends. * Fixed Bug #7841: Added missing </center>. Really the whole frontend needs reworking. * Fixed Bug #7860: Removed deprecated session_register call. * Fixed Bug #7899: sessionValidThru() returning incorrect value when no idle timeout set. * Fixed Bug #7956: Session handling had several security bugs before PHP4.3.3. Bumped PHP dependancy so we don't have to deal with them. * Fixed Bug #8076: MDB & MDB2 Containers not using default db_fields values * Fixed Bug #8351: Documentation of $loginFailedCallback pointed to incorrect set function. * Fixed Bug #8406: Error message updates by Adam Harvey <pear@adamharvey.name> * Fixed Bug #8407: Database containers don't quote table/field names by Adam Harvey <pear@adamharvey.name> 1.3.0 2006-03-03 PHP License stable This is the final stable release of Auth 1.3.0. This version contains many new features over previous versions. Summary of changes: * New MDB2 container [30/March/2004 - quipo] * New PEAR container, authenticate against pear.php.net [16/Dec/2003 - yavo] * New Advanced Security mode to catch man-in-the-middle attacks. * Added options for changing the post variables, patch supplied by Moritz Heidkamp <moritz.heidkamp@invision-team.de> * New DBLite container, same as DB but with the user manipulation functions removed (50% smaller). * Split login form to Auth_Frontend_HTML with goal to make it easily customisable. Numerous other small fixes and improvements to all storage containers thanks to the following people: Matt Eaton, Jeroen Houben, Cipriano Groenendal, Markku Turunen, Matthew Van Gundy, marc at practeo dot ch and I'm sure many others that have contributed over the years it's taken to get this release out. 1.3.0RC7 2006-03-01 PHP License beta This release is primarily a coding standard clean-up before the 1.3.0 final release. In addition the following improvements to the LDAP Container where supplied by Hugues Peeters <hugues.peeters@claroline.net>. * Changed default attrformat to AUTH so that loaded attributes are presented in the same format as other backends provide. * Added compatibility support to 1.2 style configuration options * Attributes option now accepts a comma seperated string as well as as array the same as db_fields in the DB, MDB and MDB2 backends. Finally there are additional checks that the relevant PHP module is loaded when loading the IMAP and VPOPMail Containers. 1.3.0RC6 2006-02-22 PHP License beta 1.3.0r5 2006-02-21 PHP License beta * Fixed Bug #2873: Allow calling programs to gracefully handle being unable to connect/bind to LDAP server. * Fixed Bug #4918: Added support to specify which authentication method to prefer when authenticating against a POP3 backend. * Fixed Bug #6644: Added support for LDAP_OPT_REFERRALS. Setting to false can improve compatibility with Active Directory. * Fixed Bug #6791: Made all calls to call_user_func() call_user_func_array and made calls consistant per change done in 1.3.0r3. * Fixed Bug #6803: depreciated DB function. Now requires DB >= 1.6.0 * Fixed Bug #6808: Whenever Auth_Container_DB attempts to change the database make sure the connection/DB object exists and is correct before attempting to use the DB quoting features. 1.3.0r4 2006-02-14 PHP License beta This release fixes a security issue that allows an attacker to perform injection attacks against the underlying storage containers. Upgrading is strongly recommended if you are using beta releases of the Auth package. * Improved parameter validation in the DB and LPAP containers. (Patch provided by Matthew Van Gundy.) * Fixed Bug #3101: Wrong variable names in Auth/Container/File.php (mike) * renamed supportsChallengeResponce() to supportsChallengeResponse() in the DB container (quipo) * Fixed Bug #4347: recognition of DB and MDB objects passed as dsn * Fixed Bug #6324: updated MDB2 container * Fixed Bug #5174: "Only variable references should be returned by reference" bug in _factory() * Fixed Bug #2446: english language typos. This results in a BC break for any custom containers that have implemented supportsChallengeResponce(). Also all containers already supportsChallengeResponse() instead of supportsChallengeResponce() and therefore the call in Auth_Frontend_Html always called the default implementation and not the container implementation. 1.3.0r3 2004-08-07 PHP License beta * Moved login screen generation code to Auth/Frontend/Html.php In the future the frontend will be configurable. * Implemented support for Challenge / Responce password authenthication have to enable advanced security $auth->setAdvancedSecurity will work only with DB container and cryptType = none|md5 * Implemented setAllowLogin to control which pages are allowed to perform login, to preservce BC. Previusly the showLogin flag was used to control this - yavo * Implmented lazy loading for the storage constructor, constructor is only created when needed to make Auth more lightweight (this might be adding a bit more overhead to login and usermanagement functions) * Removed include of PEAR, was not used anywhare in Auth.php * Created a new storage container DBLite same as DB but with the user manipulation functions removed (50% smaller) * Added a new method staticCheckAuth which can be called statically with only the auth options * Auth::importGlobalVariable method was removed and replaced by references to global variables * Removed all calls to $session[$this->_sessionName], made local reference session point to that instead * Changed call_user_func to call_user_func_array for the callbacks, to avoid using @ for passing variables by reference * Code Cleanup, removed most vi comments 1.3.0r1 2004-06-04 PHP License beta * Changes to LDAP container: - check for loaded ldap extension at startup as suggested by Markku Turunen - make ldap version configurable via config array - documentation fix for active directory default user container [ 14/Jun/2004 - jw] * Added an Auth_Controller class, to manage automatic redirection to login page and redirect back to the calling page [04/06/2004 - Yavo] * Changes to LDAP container: - additional attribute fetching to authData via new option attributes - utf8 encoding username for ldapv3 (fixes german umlaut problem) - make scope definable for user and group searching seperately - remove useroc, groupoc and replace them with userfilter, groupfilter which is way more flexible - updated documentation on all new and changed parameters As some of the parameters changed this one is not backwards compatible to earlier versions. Look at the top of the class where all parameters are explained in detail. [08/April/2004 - jw] * Added new MDB2 container [30/March/2004 - quipo] * Implements changePassword and CS fixed, patch from Cipriano Groenendal <cipri@cipri.com> [29/March/2004 - yavo] * Added options for changing the post variables, patch supplied by Moritz Heidkamp <moritz.heidkamp@invision-team.de> [03/March/2004 - yavo] * Added method setAdvancedSecurity and set advanced security to off by default, if turned on auth will perform additional security checks if ip or user agent has changed across requests * Login is now performed only if showLogin is true, do not allow for logins to be performed from any page which calls auth->start spotted by Matt Eaton <pear@divinehawk.com> [16/Jan/2004 - yavo] * Fixed bug noted by Jeroen Houben <jeroen@terena.nl>, calling loginFailedCallback would not have the proper status set [16/Jan/2004 - yavo] * Added PEAR container, authenticate the user against the pear web site (probably php.net also) [16/Dec/2003 - yavo] 1.2.3 2003-09-08 PHP License stable * new Method to auth_container getUser() * New Auth_Container_File, using new File_Passwd class. Provided by Michael Wallner <mike@php.net> * Login/Logout callbacks now get a reference to auth * New Login Failed Callback added (method setFailedLoginCallback) * SOAP container patch to keep a reference to the Soap responce by Bruno Pedro <bpedro@co.sapo.pt> * Auth is now installed in /pear-dir/Auth.php instead of /pear-dir/Auth/Auth.php, an empty file /pear-dev/Auth/Auth.php wich includes Auth.php is added for BC * The contaner now gets a reference to the auth object ($auth->storage->_auth_obj) *Some patches from the pear-dev list bellow -maka3d@yahoo.com.br - Patch to use a method of the container in Auth_Container::verifyPassword -Lorenzo Alberton <l.alberton@quipo.it> - Patch to use variable session variable name, untill now the variable auth was used -Marcos Neves <maka3d@yahoo.com.br> - Avaoid error when calling getAuthData() before the login 1.2.2 2003-07-29 PHP License stable * Added support for passing contaner as an object * Added fix when db_fileds is * * Added Test Suite (experimental) * Added generic support for arbitrary password crypting functions different than MD5, DES and plain text. (Patch by Tom Anderson) * Added new MDB storage container written by Lorenzo Alberton * Added new Container for SAMBA password files (SMBPasswd)