Sebastian Göttschkes has a new post to his site showing you how to test secure pages within your Symfony2 applications using a simple "requestWithAuth" method.

If you develop a web application, more often than not you have some kind of user section or admin panel where some kind of login identifies the user and protects your actions against usage from unauthorized people. It can be difficult to do functional tests with this kind of pages as you need to simulate some session or cookie context. In this tutorial, I want to show you how to test your functional pages with symfony2 and phpunit.

He includes a "bad way" to do it, cheating by making a client and feeding it the HTTP auth credentials, and a more correct way involving the "requestWithAuth" method that's called whenever the "request" is called to push those credentials along with every request. Code for this basic function is included.

Chris Hartjes has posted a tutorial about the creation of a simple user registration system in an application developed in the CakePHP framework. In response to the popularity of his other article on using CakePHP's Auth component, he's created a bit of code to answer some questions.

People have been having some questions about how the password is hashed and questions about a user registration system. Of course, the snarky response is "go and read the source for Security::Hash() and create some of your own code", but it is easier to just give people some code so they stop asking.

His example code extends the User object for the model, makes a controller with a register() method call and creates the username/password form for the user the enter in their information.

On the SaniSoft blog, there's a post pointing out a bugfix and a new enhancement to the Auth component for the CakePHP framework in version 1.2 (part 1):

The auth component is supposed to handle the user login in your app but I was just not able to get that done and there have been similar complaints in the CakePHP mailing list. Since I wanted it *NOW* I had no option but to once again dig into the source - but - hey it is not so bad, they give you the code so that you can change it! right?

His patch involves changing code in two places in the AuthComponent::startup() method to handle the login correctly.

WebReference.com has posted part two in their series looking at security techniques in PHP. This time they focus on the use of a few things - the PECL filter, the PEAR Auth module and mcrypt.

For each of the three topics covered, they include a few code examples on their use - an HTML form with the filter extension, user authentication with the PEAR Auth, and encrypting data to be used in a more secure cookie.

The article is excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman.

Norbet Mocsnik, having just set it up himself, is sharing the steps needed to get DokuWiki set up and working with a simple authentication system.

I promised to investigate the steps needed to set up DokuWiki with the simplest authentication scheme for a friend and I thought others might benefit from it too, so here it is.

There's about fifteen steps in all, including the download/install of the package and creating the basic functionality (like a simple Auth schema - he gives an example). Create the superuser and set up the desired restrictions and you're home free. If you want more information on authentication in DokuWiki, check out this page on the DokuWiki's wiki.

On the PHP Security Blog, there's three new posts that Stefan Esser has written up that demonstrate some of the more destructive uses of Javascript that he's found:

• JavaScript/HTML Portscanning and HTTP Auth
• Bruteforcing HTTP Auth in Firefox with JavaScript
• JavaScript Scanning and expose_php=On

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks to see if the embedded image is the correct "size" to be related to a webserver running PHP with the expose_php setting set to "on".

Going along with the Roadmap update Zend has recently put out about it's Framework, Andi Gutmans has also announced the introduction of more mailing lists to help developers communicate more effectively.

In line with the roadmap email, I'd like to form 8 new mailing lists which will make it easier for people to discuss/participate in subject areas which are of interest to them (actually 7 new ones as docs already exists).

I did think of calling the lists fwdev-* to note them as dev lists but I think it makes more sense to keep them open to the users. I find it very valuable to get users asking questions and commeting on functionality on the dev lists as that's valuable input from the users.

The new mailing lists up and running. They are:

• fw-webservices@
• fw-mvc@
• fw-auth@
• fw-i18n@
• fw-db@
• fw-core@
• fw-formats@

To check out the topics that fall under each category, check out the sections of the roadmap.

If you've ever wanted to quickly and easily connect your PHP script over to a SAP server to authenticate a user but weren't sure quite how, you'll be happy to see that you can use the PEAR::Auth package to make the request - with a little help.

PEAR::Auth is a package that allows you to abstract the user authentication from the main part of your application and not worry about it. What is good about the package is that it comes with different "containers" that allows you to authenticate users against different storages.

So I played around with creating an SAP container that allows you to check users against your company's SAP system and for example build a section of your Internet (or Extranet) page that is only accessible for people and partners that exist as users in the SAP system.

There's an extension to PHP you'll need to get and install, but with that in place, it's as simple as setting the authentication type to "SAP" and giving it the hostname to connect to. He also includes some sample scripts to get you started, including the Auth_Container_SAP class that makes the magic happen.

From the MelbourneChapter.net site, there's an informative post looking at user validation methods, specifically the powerful PEAR::Auth package.

Once we have the user we need to authenticate the details they have submitted. To do this the usual approach is to query a 'user' table in your database to check the corresponding username and password.

This is fine in most situations, but as systems scale we often find that maintaining this user table with current user/passwords can be a lot of trouble. Often in larger systems and organisations usernames and passwords are controlled centrally. This can be in the form of a directory service, such as LDAP. Some situations you may even use a RADIUS, SAMBA, PASSWD style or POP3.

Instead of trying to create all of the above connections, they suggest using the well-established PEAR::Auth package. They even link to a method of getting it installed on a shared hosting platform. TO finish it off, they include a reminder to always asses the security of your application, and suggest keeping an eye on the PHP Security Consortium's SecurityFocus Newsletters for the latest PHP security-related issues.

From Mike's blog today, there's a quick new post detailing an addition to the PEAR::Auth package.

You guessed, I've written a vpop-xmlrpc container for PEAR::Auth.

There's also a new version of the vpop-xmlrpc cgi, which is needed for the Auth container, because the method vpop.auth has recently been added.

PEAR::Auth is a package that provides methods for creating an authentication system using PHP. It currently supports several methods of authentication, including LDAP, plaintext files, RADIUS, and SAMBA password files...