If you develop a web application, more often than not you have some kind of user section or admin panel where some kind of login identifies the user and protects your actions against usage from unauthorized people. It can be difficult to do functional tests with this kind of pages as you need to simulate some session or cookie context. In this tutorial, I want to show you how to test your functional pages with symfony2 and phpunit.

He includes a "bad way" to do it, cheating by making a client and feeding it the HTTP auth credentials, and a more correct way involving the "requestWithAuth" method that's called whenever the "request" is called to push those credentials along with every request. Code for this basic function is included.

People have been having some questions about how the password is hashed and questions about a user registration system. Of course, the snarky response is "go and read the source for Security::Hash() and create some of your own code", but it is easier to just give people some code so they stop asking.

His example code extends the User object for the model, makes a controller with a register() method call and creates the username/password form for the user the enter in their information.

The auth component is supposed to handle the user login in your app but I was just not able to get that done and there have been similar complaints in the CakePHP mailing list. Since I wanted it *NOW* I had no option but to once again dig into the source - but - hey it is not so bad, they give you the code so that you can change it! right?

His patch involves changing code in two places in the AuthComponent::startup() method to handle the login correctly.

For each of the three topics covered, they include a few code examples on their use - an HTML form with the filter extension, user authentication with the PEAR Auth, and encrypting data to be used in a more secure cookie.

The article is excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman.

I promised to investigate the steps needed to set up DokuWiki with the simplest authentication scheme for a friend and I thought others might benefit from it too, so here it is.

There's about fifteen steps in all, including the download/install of the package and creating the basic functionality (like a simple Auth schema - he gives an example). Create the superuser and set up the desired restrictions and you're home free. If you want more information on authentication in DokuWiki, check out this page on the DokuWiki's wiki.

• JavaScript/HTML Portscanning and HTTP Auth
• Bruteforcing HTTP Auth in Firefox with JavaScript
• JavaScript Scanning and expose_php=On

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks to see if the embedded image is the correct "size" to be related to a webserver running PHP with the expose_php setting set to "on".

In line with the roadmap email, I'd like to form 8 new mailing lists which will make it easier for people to discuss/participate in subject areas which are of interest to them (actually 7 new ones as docs already exists).

I did think of calling the lists fwdev-* to note them as dev lists but I think it makes more sense to keep them open to the users. I find it very valuable to get users asking questions and commeting on functionality on the dev lists as that's valuable input from the users.

The new mailing lists up and running. They are:

• fw-webservices@
• fw-mvc@
• fw-auth@
• fw-i18n@
• fw-db@
• fw-core@
• fw-formats@

To check out the topics that fall under each category, check out the sections of the roadmap.

PEAR::Auth is a package that allows you to abstract the user authentication from the main part of your application and not worry about it. What is good about the package is that it comes with different "containers" that allows you to authenticate users against different storages.

So I played around with creating an SAP container that allows you to check users against your company's SAP system and for example build a section of your Internet (or Extranet) page that is only accessible for people and partners that exist as users in the SAP system.

There's an extension to PHP you'll need to get and install, but with that in place, it's as simple as setting the authentication type to "SAP" and giving it the hostname to connect to. He also includes some sample scripts to get you started, including the Auth_Container_SAP class that makes the magic happen.

Once we have the user we need to authenticate the details they have submitted. To do this the usual approach is to query a 'user' table in your database to check the corresponding username and password.

This is fine in most situations, but as systems scale we often find that maintaining this user table with current user/passwords can be a lot of trouble. Often in larger systems and organisations usernames and passwords are controlled centrally. This can be in the form of a directory service, such as LDAP. Some situations you may even use a RADIUS, SAMBA, PASSWD style or POP3.

Instead of trying to create all of the above connections, they suggest using the well-established PEAR::Auth package. They even link to a method of getting it installed on a shared hosting platform. TO finish it off, they include a reminder to always asses the security of your application, and suggest keeping an eye on the PHP Security Consortium's SecurityFocus Newsletters for the latest PHP security-related issues.]]> Tue, 04 Apr 2006 07:29:22 -0500 http://www.phpdeveloper.org/news/4277 http://www.phpdeveloper.org/news/4277 Mike's blog today, there's a quick new post detailing an addition to the PEAR::Auth package.

You guessed, I've written a vpop-xmlrpc container for PEAR::Auth.

There's also a new version of the vpop-xmlrpc cgi, which is needed for the Auth container, because the method vpop.auth has recently been added.

PEAR::Auth is a package that provides methods for creating an authentication system using PHP. It currently supports several methods of authentication, including LDAP, plaintext files, RADIUS, and SAMBA password files...]]> Fri, 11 Nov 2005 05:40:19 -0600