473,320 Members | 1,707 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

extension Class to Auth

I have an extension Class to Auth and I'm looking for some folks to hammer
on it a bit and give feed back.

Class: AuthUser
- add user (well, Auth does that now, so its gone)
- remove user (well, Auth does that now, so its gone)
- change password (well, Auth does that now, so its gone)
- case sensitive ID match - some DBS don't
- limit login attempts (as far as it can go on a browser)
- return to original page after login

next ver will have groups and level handling.

If your interested, please contact me offline.

Thanks

Walter
Jul 17 '05 #1
4 2274
In article <jd*********************@newssvr28.news.prodigy.co m>, jsWalter wrote:
I have an extension Class to Auth and I'm looking for some folks to hammer
on it a bit and give feed back.

Class: AuthUser
- add user (well, Auth does that now, so its gone)
- remove user (well, Auth does that now, so its gone)
- change password (well, Auth does that now, so its gone) - case sensitive ID match - some DBS don't
The place to handle this is in the class that implements Auth and
uses a DB.
- limit login attempts (as far as it can go on a browser)
Perhaps you can log all attempts somewhere, and then count how many
attempts faild. Based on that you can issue a delay...
- return to original page after login


An Authentication class does not need to know about pages. All it
has to do is authenticate users.
--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Jul 17 '05 #2
Tim Van Wassenhove" <eu**@pi.be> wrote in message
news:2i************@uni-berlin.de...
In article <jd*********************@newssvr28.news.prodigy.co m>, jsWalter

wrote:
I have an extension Class to Auth and I'm looking for some folks to hammer on it a bit and give feed back.

Class: AuthUser
- add user (well, Auth does that now, so its gone)
- remove user (well, Auth does that now, so its gone)
- change password (well, Auth does that now, so its gone)

- case sensitive ID match - some DBs don't


The place to handle this is in the class that implements Auth and
uses a DB.


Yes, that was where I orginally "fixed" this.

But the maintainers didn't think it was an issue so my "patch" was denied.

So, I added it to my extension.

- limit login attempts (as far as it can go on a browser)


Perhaps you can log all attempts somewhere, and then count how many
attempts faild. Based on that you can issue a delay...


This count is kept in the session. And if you try to log in before the
"timeout" length is done, you get the same message (or jumo to "your"
message page)

Yes, I understand this is not rock solid security. But, it's a start, and
I'm hoping someone can enlighten me on how to tighten this down a bit more.

- return to original page after login


An Authentication class does not need to know about pages. All it
has to do is authenticate users.


Exactly correct, thus this "extension" to the PEAR::Auth Class. This sits on
top of Auth, which handles the authentication process just fine.

This extension handles the other mundane processes needed to create a site
passed on authentication.

This does not replace Auth, it just adds to it.

So I take it for your comments your not interested in looking at this and
giving constructive comments.

Thanks for your thoughts.

Walter
Jul 17 '05 #3
In article <bz*****************@newssvr33.news.prodigy.com> , jsWalter wrote:
Tim Van Wassenhove" <eu**@pi.be> wrote in message
news:2i************@uni-berlin.de...
Perhaps you can log all attempts somewhere, and then count how many
attempts faild. Based on that you can issue a delay...


This count is kept in the session. And if you try to log in before the
"timeout" length is done, you get the same message (or jumo to "your"
message page)


I suggested to do the counting per account and global on the
server-side. Because, i don't think a hacker will be nice enough to
store your cookie :o)

An Authentication class does not need to know about pages. All it
has to do is authenticate users.


Exactly correct, thus this "extension" to the PEAR::Auth Class. This sits on
top of Auth, which handles the authentication process just fine.

This extension handles the other mundane processes needed to create a site
passed on authentication.

This does not replace Auth, it just adds to it.


Imho, i think you are mistaken here. If you are building a class(1) that
also can redirect etc, you have a has-a relationship with auth.

In the case where you implement the functions of auth, fe using a
database your class(2) has a is-a relationship with auth.

Giving a class(1) with an has-a relationship to class(2). And
your class(2) has an is-a relationship with pear::auth.

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Jul 17 '05 #4
>Tim Van Wassenhove" <eu**@pi.be> wrote in message
news:2i************@uni-berlin.de...
In article <bz*****************@newssvr33.news.prodigy.com> , jsWalter wrote:
Tim Van Wassenhove" <eu**@pi.be> wrote in message
news:2i************@uni-berlin.de...
Perhaps you can log all attempts somewhere, and then count how many
attempts faild. Based on that you can issue a delay...


This count is kept in the session. And if you try to log in before the
"timeout" length is done, you get the same message (or jumo to "your"
message page)


I suggested to do the counting per account and global on the
server-side. Because, i don't think a hacker will be nice enough to
store your cookie :o)


mm, yes. Another example of my limited knowledge of sessions.

I tried the "standard" Auth example page (I made) with cookies off.

It never got off the login page. I tried hitting a secondary page, it jumped
to login page, and never left it.

I tried the same process with my Auth extension. Same result.

The login limit was never triggered. So, I need to "add" a server side
tracker as well.

thanks for the idea.
An Authentication class does not need to know about pages. All it
has to do is authenticate users.


Exactly correct, thus this "extension" to the PEAR::Auth Class. This sits on top of Auth, which handles the authentication process just fine.

This extension handles the other mundane processes needed to create a site passed on authentication.

This does not replace Auth, it just adds to it.


Imho, i think you are mistaken here. If you are building a class(1) that
also can redirect etc, you have a has-a relationship with auth.


Sorry, you lost me here.

"you have a has-a relationship"

Sorry, I can't grok what this means.

I am building a class that can redirect, check login count (once I fix it),
and will have user access privilege features (soon).

In the case where you implement the functions of auth, fe using a
database your class(2) has a is-a relationship with auth.
My class is built on top of Auth, so Auth can take care of all the
authentication issues and I can focus on the other things.

My current examples use a DB, but, by using Auth, it can handle other
"containers" as well.

Giving a class(1) with an has-a relationship to class(2). And
your class(2) has an is-a relationship with pear::auth.


Ok, I really don't follow this. Sorry.

Thanks for your ideas.

Walter
Jul 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Mark Carter | last post by:
I'm trying to create a mail server in Twisted. I either get SMTPSenderRefused or SMTPException: SMTP AUTH extension not supported by server. What do I need to do to get it to work?
2
by: sam | last post by:
Hi, I've written the following static class definition : #ifndef __AUTH__ #define __AUTH__ #include <iostream> #include <string> #include <fstream>
0
by: dex | last post by:
Hi, I'm trying use a webservice with PHP5 soap extension in WSDL mode. I generated the php classes using wsdl2php. The problem is that 'auth' member of loginRequest (witch is a complex type)...
4
by: stroudg2 | last post by:
Situation: I have been tasked to provide a non-intrusive solution to allow .NET web services to grab an incoming SOAP header and process the credentials stored within in such a way that a...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.