
W. Jason Gilmore

"Beginning PHP and MySQL: From Novice to Professional"


CHAPTER 14 ■ AUTHENTICATING YOUR USERS 371
File-based Authentication
Often you need to provide each user with a unique login pair, making it possible to
log user-specific login times, movements, and actions. This is easily accomplished
with a text file, much like the one commonly used to store information about Unix
users (/etc/passwd). Listing 14-3 offers such a file. Each line contains a username and
an encrypted password pair, with the two elements separated by a colon (:).
Listing 14-3. The authenticationFile.txt File Containing Encrypted Passwords
jason:60d99e58d66a5e0f4f89ec3ddd1d9a80
donald:d5fc4b0e45c8f9a333c0056492c191cf
mickey:bc180dbc583491c00f8a1cd134f7517b
A crucial security consideration regarding authenticationFile.txt is that this file
should be stored outside the server document root. If it is not, an attacker could
discover the file through brute-force guessing, revealing half of the login combination.
In addition, although you have the option to skip password encryption, this
practice is strongly discouraged, because users with access to the server might be
able to view the login information if file permissions are not correctly configured.
The PHP script required to parse this file and authenticate a user against a given
login pair is only a tad more complicated than the script used to authenticate against
a hard-coded authentication pair.
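An added example of the parse-and-check script this paragraph describes (my code, not the book's next listing): it reads a username:digest file laid out like Listing 14-3, assumes each digest is the md5() hex string of the password, as the listing's 32-character values suggest, and assumes the file path points outside the document root.

```php
<?php
// Added example, not from the book. Authenticates a login pair against a file in the
// format of Listing 14-3. Assumptions: the file lives outside the document root, and
// each stored digest is the 32-hex-character md5() of the user's password.

/**
 * Returns true only if $username is listed and the digest of $password matches the
 * stored one. An unknown user, a bad password and an unreadable file all yield false.
 */
function authenticateFromFile(string $authFile, string $username, string $password): bool
{
    if (!is_readable($authFile)) {
        return false;                      // missing or unreadable file: deny, never allow
    }
    $lines = file($authFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;
    }

    $candidate = md5($password);           // digest the supplied password the same way
    $authenticated = false;

    foreach ($lines as $line) {
        // Split on the first colon only, so a stray colon later in the line cannot
        // shift the fields.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;                      // malformed line: skip it rather than guess
        }
        [$storedUser, $storedDigest] = $parts;
        if ($storedUser !== $username) {
            continue;
        }
        // hash_equals() runs in constant time, so a partial match and a total miss
        // take the same time and leak nothing about the stored digest.
        $authenticated = hash_equals(trim($storedDigest), $candidate);
        break;                             // first matching username decides
    }
    return $authenticated;
}

// Constructed sample file: the three entries of Listing 14-3 plus one constructed
// user whose password is known here, so the success path can be exercised.
$authFile = tempnam(sys_get_temp_dir(), 'auth');
file_put_contents($authFile, "jason:60d99e58d66a5e0f4f89ec3ddd1d9a80\n"
    . "donald:d5fc4b0e45c8f9a333c0056492c191cf\n"
    . "mickey:bc180dbc583491c00f8a1cd134f7517b\n"
    . 'tester:' . md5('constructed-secret') . "\n");

var_dump(authenticateFromFile($authFile, 'tester', 'constructed-secret'));
var_dump(authenticateFromFile($authFile, 'tester', 'wrong-password'));
var_dump(authenticateFromFile($authFile, 'nobody', 'anything'));
unlink($authFile);
```

The md5() call is there only to match the digests the listing already uses; a current PHP deployment would store password_hash() output and check it with password_verify(), which adds a per-user salt and a slow hash.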

