Project Theseus

[ EpikAuth ]

| Recent Changes | Find Page | All Pages | Front Page | | | Help |

 The EpikAuth Project Page

Table of Contents

    The EpikAuth Project Page
        Online Demo and Application Interface
        EpikAuth Architecture
            The EpikSession class
            The EpikAuth class
            The Application level class
            Client Side Javascript mode


EpikAuth is a set of PHP classes that provide an authentication system for php applications. It currently supports http basic and digest modes and will operate transparently with ssl. EpikAuth can also provide secure authentication in cases where no server side ssl or http digest authentication is available by using client side Javascript token hashing.

All authentication protocols provide optional session persistance in order to avoid constant re-negotiation of login credentials over the net and to provide logging and application state management. Sessions are secured by a "client signature" composed of the client's IP address, hostname and browser user agent. When a session is authenticated, the session signature hash is updated to include the userid. Please remember that this is a Beta version: security is the goal, not a promise!

 Online Demo and Application Interface

An online demo is available that uses EpikAuth's internal login page and test echo password generator. Simple authentication can be added to any page or script with the following code:
require_once("class.epikauth.php");   // include the EpikAuth class
$passedSID = @$_REQUEST["PHPSESSID"]; // get session id (if any) passed in the url
$func = @$_REQUEST["func"];           // get authenticated command function (if any) from the url
$_authenticator = new EpikAuth();    // create an instance of EpikAuth
$auser = $_authenticator->Login('',$passedSID); // login the user... loop on failure

// we get here if authentication succeeds with $auser set to the logged in userid

if ($func == "logout") $_authenticator->Logout();
if ($func == "yourfunc") YourFunc(); // execute authenticated command functions
if ($func == ...
Normal applications will want to add an interface class that extends EpikAuth in order to override the GetPassword and internally generated (and minimally attractive) login, cancel and abort pages. An application interface class would look something like this (under construction):
class AdminOperations extends EpikAuth {
 // constructor parameter points to session storage location
 function AdminOperations($tmpdir) { parent::EpikAuth($tmpdir); } 
 // Ancestor class overrides
 function ShowLoginPage($Caption) { // setup to show your custom login page here}
 function UserCancel() {// setup to show your custom cancel page here }
 function GetPassword($user) { // return $user password from your database or flat file }

 // the following function is called when a secure function is requested from the client
 // or when the url contains a session id (indicating that a prior login has taken place)
 function Execute($SpecifiedUser="", $passedSID, $func) {
  $auser = $this->Login($SpecifiedUser,$passedSID,"JS"); // use javascript authentication
  if (($auser == "") and ($func != "login")) { $this->StopSession(); return; } 
  $sid = $this->GetSessionID();
  switch ($this->pd['func']) {
   case 'setup': $page = 'AdminPage'; break;
   case 'wrprotect': WriteProtect($somefile); $page = 'AdminPage'; break;
   case 'wrenable': WriteEnable($somefile); $page = 'AdminPage'; break;
   case ....
  return $page;
} // class

 EpikAuth Architecture

The overall architecture of EpikAuth is illustrated below.

 The EpikSession class

Two php classes implement EpikAuth. The base class (EpikSession) provides unauthenticated but client specific session management based on two signatures. The client signature is an md5 hash the client's IP address, hostname, browser user agent and the session id. The client signature is then used to create a session signature by hashing it with a server generated time stamp. The time stamp is stored and can also be used for session duration calculations. Since only the hash of the client data and time stamp is stored, the session signature could not be reproduced by observation of the session data in memory. A session can be verified by calling the boolean function VerifySession().

 The EpikAuth class

The EpikAuth class inherits EpikSession and adds secure authentication in two selectable forms. When the Login method is called, the authentication type of HTTP or JS (client side javascript) is passed. Using http relies on the web server's basic or digest authentication mechanism. The most secure mode is digest authentication... if the webserver supports it. Many don't.

 The Application level class

Under Construction

 Client Side Javascript mode

The Javascript mode implements a hashed token passing protocol where the password is never sent over the internet. The client side Javascript is a small and relatively fast hash library that performs an RFC 2104 HMAC hash of a server generated token and the client's password. The hash is returned to the server where it is compared with an identical hash of the token and the server's copy of the password. The outstanding JS hash routines were written by Paul Johnston. SHA-1 is also available as a hash but not implemented here yet. Paul's excellent website is a rich source of additional information. Thanks Paul! Also thanks to Lance Rushing for the fallback in the server side hash routine in case the "mhash" extenstion isn't loaded.


Author: Tom Lisjac <>
Started: November 2, 2003
Version: 0.1 Alpha (under test for first release)
License: LGPL

Last modified on December 6, 2003 at 14:06:10-UTC

Powered by EpikWebsite

This Project is generously hosted by Logo

Page created in 0.016879 seconds