[SOLVED]

 Confused by PHPR login security

11/9/2012 02:47:05
PHPRunner General questions
Flyarbox author

So...I get the sense that PHPR has a handy user login security/validation system, but I'm having trouble fully understanding it. I've definitely not found any kind of cookbook that takes me through creating a login infrastructure and how it's applied to every screen we might present to the users of our created apps.
My app is your basic web database app model: it will face the public, all of whom will have the same privileges or lack thereof. All the info they enter will be specific to them individually. There will be a cloud of support tables for utility data (countries, states, etc.) which they use to select foreign key ids into their own data. Users log in once, and their id (user identity) has to follow them to every page and reside as a field in each table where ownership must be tracked (with some exceptions, as when it's in a master table but does not need to percolate down into detail tables...)
Things I THINK I know so far about how PHPR does logins:

  1. There are multiple login models to choose from; I choose to have login information in a database table.
  2. We're free to create our own table with the login info in it. We just have to make sure it has the necessary fields PHPR needs and we have to communicate that info to PHPR in the relevant screens.
  3. PHPR will gen up a "login.php" page for our logging in needs.
At this point I get vague.
  4. How does the login info the user enters get validated against the database?
  5. How does the login info get propagated around all the pages of the genned web app and into all the background SQL (where it might very well be needed in WHERE clauses, as an example)?
  6. How does the genned web app know to use encryption for the password field in the user login table? (Note: this forum item [http://www.asprunner.com/forums/topic/15692-encrypt-and-decrypt-data-in-the-database-with-phprunner-5-3/], item number 4 says "If your application uses a login page and password is encrypted as well you need to implement BeforeLogin event to decrypt the password." But section 2.14.8 of the 6.1 version of the manual says we can encrypt fields using PHPR inbuilt encryption. Do we really have to implement encrypted passwords with event code? Or has that changed since the forum entry was posted two years ago?)
  7. How does the information in the user login table get into the $_SESSION variables? Do we put it there by hand? Or does login.php populate $_SESSION variables for us?
  8. Do the $_SESSION variables play a role as the user moves from page to page in the genned web app with respect to logged in users? (So deep linking into specific pages gets blocked for unlogged-in users?)
Thanks for any clarifications on all this, or any tips on where to go to read more (other than in the manual on security, which I've already read.)

Steve

Sergey Kornilov admin 11/9/2012

All the things you mentioned PHPRunner does automatically. It validates username/password against your login table, restricts access to certain pages if required. All session variables are updated automatically. All you need to do is to select options in PHPRunner wizard.
In regards to password encryption - PHPRunner 5.3 didn't have this feature and you had to do this manually. PHPRunner 6.1 has built-in encryption (part of Enterprise Edition). Again, it does it automatically based on options selected on PHPRunner security screen.
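For readers who want to see what "does it automatically" covers, the following is an added illustration, not PHPRunner's generated code and not code from anyone in this thread. It shows the general mechanism behind items 4, 5, 7 and 8 of the question in a hand-written PHP login flow: credentials are checked against a database row, the user id is written into `$_SESSION`, every protected page tests that session value before rendering (so a deep link redirects to login.php), and the ownership filter in the WHERE clause comes from the session rather than from anything the browser sends. The table and column names (`users`, `records`, `owner_id`) are assumptions; the stored credential is a one-way hash via PHP's `password_hash()` / `password_verify()`, so nothing ever has to be decrypted. Whether PHPRunner's "Encrypt passwords" option uses the same scheme is not stated in the thread.

```php
<?php
// Added illustration (not PHPRunner's generated code): a minimal login flow.
// Assumed schema (hypothetical): users(id, username, password_hash)
//                                records(id, owner_id, note)
declare(strict_types=1);

// Item 4: validate the submitted username/password against the login table.
// Returns the user id on success, null on failure (same answer for unknown
// user and wrong password, so the response does not reveal which one it was).
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Item 7: what login.php puts into $_SESSION after a successful check.
function establishSession(int $userId): void
{
    // A fresh session id after login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Item 8: every protected page calls this first. A deep link without a
// logged-in session is redirected to login.php before any data is rendered.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php', true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Item 5: the ownership filter is bound from the session value, never from a
// request parameter, and the query is parameterised.
function fetchOwnRecords(PDO $db, int $userId): array
{
    $stmt = $db->prepare('SELECT id, note FROM records WHERE owner_id = :owner');
    $stmt->execute([':owner' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Creating a user stores a hash, not the password itself.
function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Stand-alone demo against an in-memory SQLite database (constructed data).
if (PHP_SAPI === 'cli') {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();

    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, note TEXT)');
    createUser($db, 'steve', 'correct horse battery staple');
    createUser($db, 'other', 'another-password');
    $db->exec("INSERT INTO records (owner_id, note) VALUES (1, 'mine'), (2, 'not mine')");

    var_dump(authenticate($db, 'steve', 'wrong'));                          // NULL
    var_dump(authenticate($db, 'nobody', 'correct horse battery staple'));  // NULL
    $uid = authenticate($db, 'steve', 'correct horse battery staple');      // int(1)
    var_dump($uid);

    establishSession($uid);
    $current = requireLogin();                 // would redirect if not logged in
    print_r(fetchOwnRecords($db, $current));   // only the row with owner_id = 1
}
```

In a real multi-page app the `session_start()` / `requireLogin()` pair sits at the top of each generated page, and `fetchOwnRecords()` stands for whatever list or edit query that page runs; the point of the example is that the user id reaches the SQL through the session and nowhere else.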

Flyarbox author 11/9/2012

I only have the Standard Edition (all I could afford). I'm assuming this means that I must still do encrypted fields/passwords manually?

Sergey Kornilov admin 11/9/2012

PHPRunner 6.1 has password encryption built-in. Security screen, User Login settings, Encrypt passwords.
You can do this manually as well if you need to.