All authentication protocols provide optional session persistence in order to avoid constant re-negotiation of login credentials over the network and to provide logging and application state management. Sessions are secured by a "client signature" composed of the client's IP address, hostname and browser user agent. When a session is authenticated, the session signature hash is updated to include the userid. Please remember that this is a Beta version: security is the goal, not a promise!
An online demo is available that uses EpikAuth's internal login page and test echo password generator. Simple authentication can be added to any page or script with the following code:

    <?php
    require_once("class.epikauth.php");               // include the EpikAuth class
    // session id (if any) passed in the URL; tested with isset() instead of the @ error-suppression operator
    $passedSID = isset($_REQUEST["PHPSESSID"]) ? $_REQUEST["PHPSESSID"] : "";
    // authenticated command function (if any) requested in the URL
    $func = isset($_REQUEST["func"]) ? $_REQUEST["func"] : "";
    $_authenticator = new EpikAuth();                 // create an instance of EpikAuth
    $auser = $_authenticator->Login('', $passedSID);  // log the user in... loops on failure
    // we only get here if authentication succeeded; $auser holds the logged-in userid
    if ($func == "logout") $_authenticator->Logout();
    if ($func == "yourfunc") YourFunc();              // execute authenticated command functions
    // if ($func == ...                               // further command functions follow the same pattern

Normal applications will want to add an interface class that extends EpikAuth in order to override GetPassword and the internally generated (and minimally attractive) login, cancel and abort pages. An application interface class would look something like this (under construction).
The overall architecture of EpikAuth is illustrated below.
Two PHP classes implement EpikAuth. The base class (EpikSession) provides unauthenticated but client-specific session management based on two signatures. The client signature is an MD5 hash of the client's IP address, hostname, browser user agent and the session id. The client signature is then used to create a session signature by hashing it together with a server-generated time stamp. The time stamp is stored and can also be used for session duration calculations. Since only the hash of the client data and time stamp is stored, the session signature cannot be reproduced by observing the session data in memory. A session can be verified by calling the boolean function VerifySession().
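The two-signature scheme just described, written out as an added Python illustration rather than EpikAuth's own PHP code: the "|" separator, the field order, the Session class and the userid/clock inputs are assumptions, and the client values are constructed.

```python
import hashlib
import hmac

def client_signature(ip, hostname, user_agent, session_id):
    # MD5 over the client-specific values. The "|" separator and field order
    # are assumptions; the page does not show EpikSession's exact layout.
    return hashlib.md5("|".join([ip, hostname, user_agent, session_id]).encode()).hexdigest()

def session_signature(client_sig, timestamp, userid=""):
    # Client signature hashed with the server time stamp; the userid is
    # folded in once the session has been authenticated.
    return hashlib.md5(("%s|%d|%s" % (client_sig, timestamp, userid)).encode()).hexdigest()

class Session:
    # Constructed server-side record: only the hash and the time stamp are kept.
    def __init__(self, session_id, ip, hostname, user_agent, now):
        self.session_id, self.timestamp, self.userid = session_id, now, ""
        self.signature = session_signature(
            client_signature(ip, hostname, user_agent, session_id), now)

    def verify(self, ip, hostname, user_agent):
        # VerifySession(): recompute from the presented client values and
        # compare against the stored hash in constant time.
        expected = session_signature(
            client_signature(ip, hostname, user_agent, self.session_id),
            self.timestamp, self.userid)
        return hmac.compare_digest(expected, self.signature)

    def authenticate(self, ip, hostname, user_agent, userid):
        # After a successful login the signature is rebuilt to include the userid.
        if not self.verify(ip, hostname, user_agent):
            return False
        self.userid = userid
        self.signature = session_signature(
            client_signature(ip, hostname, user_agent, self.session_id),
            self.timestamp, userid)
        return True

def demo():
    # Constructed inputs (RFC 5737 documentation addresses) and a fixed clock.
    ua = "Mozilla/5.0 (X11)"
    s = Session("abc123", "192.0.2.10", "host.example", ua, now=1067731200)
    logged_in = s.authenticate("192.0.2.10", "host.example", ua, "alice")
    same_client = s.verify("192.0.2.10", "host.example", ua)
    other_addr = s.verify("198.51.100.7", "host.example", ua)  # same id, other address
    other_ua = s.verify("192.0.2.10", "host.example", "curl/7.0")  # same id, other browser
    return logged_in, same_client, other_addr, other_ua
```

Because the address and user agent are supplied by the client, this binding detects a session id reused from a different address or browser but is not on its own proof of who the client is.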
Author: Tom Lisjac <email@example.com>
Started: November 2, 2003
Version: 0.1 Alpha (under test for first release)