Authentication
bZ provides some useful functions to automate access control on web pages. All
necessary functions are included in the bzmain.php file, which should be part
of every project.
The system makes extensive use of the session functions available in PHP > 4.
The mechanism proposed here is secure, easy to use, and should be of help in
several situations.
All the authentication data is stored in a table (the names of the database and
the table are specified in bz.conf) which contains the following fields (all
varchar(32), see the DATABASE.txt file in the distribution):
- user_login : the login of the user
- user_password : the password of the user
- user_class : the class or classes of the user. In the case of several values,
they should be comma-separated (user_class = "home,work,tennis").
- user_id : the id of the user in the authentication table.
On any page that requires authentication, the classes that are allowed to see
the page should be listed in the perms field (separated by commas):
{ bz:page style="common.html" perms="home,school" }
On entering the page, the user is prompted for login data; the form lives
in the login.php file so that it can be customized.
Once logged in, the user_id is kept as a session variable and, as long as the
user's rights are sufficient, nothing else is asked until the end of the session.
To log the user out, call any PHP page with the function "userLogout":
home.php?func=userLogout.
If you have a good reason to log the user in without the login page, call
any page where authentication is required with bz_user_id set to
the right id:
secret.php?bz_user_id=32423AE3423432FAF
Since the user_id is the MD5 hash of a random string, it is
almost impossible to guess the user_id of any user of the website. This mechanism
should be secure and flexible enough for any requirement.
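The following is an added example, not bZ's own code, that models the access-control flow described above in plain PHP so it can be run from the command line. It covers the comma-separated perms check against the user's classes, the creation of a user_id as the MD5 hash of a random string, login through bz_user_id, persistence of the id in the session, and logout through func=userLogout. The function names (bz_split_classes, bz_class_allowed, bz_new_user_id, bz_find_user, bz_page_access), the in-memory $users array and the $session/$query arrays standing in for $_SESSION and $_GET are all assumptions of this example; bZ's real functions live in bzmain.php and are not shown on this page.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the auth table described above (user_login, user_password,
// user_class, user_id). A real site reads it from the database named in bz.conf.
$users = [
    ['user_login' => 'alice', 'user_password' => '(not used here)', 'user_class' => 'home,work', 'user_id' => md5('constructed-seed-1')],
    ['user_login' => 'bob',   'user_password' => '(not used here)', 'user_class' => 'tennis',    'user_id' => md5('constructed-seed-2')],
];

/** Split a comma-separated class list such as "home, work" into trimmed, non-empty names. */
function bz_split_classes(string $list): array
{
    return array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
}

/** A user may see a page when at least one of their classes appears in the page's perms list. */
function bz_class_allowed(string $userClass, string $perms): bool
{
    return array_intersect(bz_split_classes($userClass), bz_split_classes($perms)) !== [];
}

/** Generate a user_id as the text describes: the MD5 hex digest of a random string (32 chars, fits varchar(32)). */
function bz_new_user_id(): string
{
    return md5(bin2hex(random_bytes(16)));
}

/** Find the row whose user_id matches; the id acts as a credential, so compare in constant time. */
function bz_find_user(array $users, string $userId): ?array
{
    foreach ($users as $row) {
        if (hash_equals($row['user_id'], $userId)) {
            return $row;
        }
    }
    return null;
}

/**
 * Decide what a protected page does for one request.
 * $session stands in for $_SESSION and $query for $_GET (assumption of this example).
 * Returns one of 'logout', 'login', 'forbidden', 'ok'.
 */
function bz_page_access(array $users, string $perms, array &$session, array $query): string
{
    if (($query['func'] ?? '') === 'userLogout') {
        $session = [];                 // drop user_id; a real page would also call session_destroy()
        return 'logout';
    }
    // bz_user_id in the query string logs the user in without the form; accept it only if it is a known id.
    if (isset($query['bz_user_id']) && bz_find_user($users, (string) $query['bz_user_id']) !== null) {
        $session['user_id'] = (string) $query['bz_user_id'];
    }
    $user = isset($session['user_id']) ? bz_find_user($users, (string) $session['user_id']) : null;
    if ($user === null) {
        return 'login';                // bZ would show the form from login.php here
    }
    return bz_class_allowed($user['user_class'], $perms) ? 'ok' : 'forbidden';
}

// Demo: walk through the flow for a page declared with perms="home,school".
$session = [];
$perms   = 'home,school';
echo bz_page_access($users, $perms, $session, []), "\n";                                      // login
echo bz_page_access($users, $perms, $session, ['bz_user_id' => $users[0]['user_id']]), "\n";  // ok (alice has "home")
echo bz_page_access($users, $perms, $session, []), "\n";                                      // ok (id kept in session)
echo bz_page_access($users, $perms, $session, ['func' => 'userLogout']), "\n";                // logout
echo bz_page_access($users, $perms, $session, ['bz_user_id' => 'not-a-known-id']), "\n";      // login (unknown id ignored)
echo bz_page_access($users, $perms, $session, ['bz_user_id' => $users[1]['user_id']]), "\n";  // forbidden (bob only has "tennis")
echo strlen(bz_new_user_id()), " hex chars in a fresh user_id\n";                             // 32
```

Because a bz_user_id passed in the query string is enough to open a session, the example treats it as a bearer credential: it is only honoured when it matches a stored id, the comparison uses hash_equals, and the perms decision is always recomputed from the stored user_class rather than from anything the client sent.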
For configuration of the database, see the configuration
section.
Some administration pages are provided in bZ's package (in site/source/admin) to make the entry of
new users easier. They could be a good start for the real pages of your website, showing the use of the authentication
functions defined in bzmain.php.
Their code is provided below to show a mix of bZ's features in a real context.
index.php :
lists the authentication table and provides links to add a new user, change the
password or perms of any user, and log out.
<html>
<body>
{ bz:page perms="admin" }
<table border="1">
<tr><th>user_login</th><th>user_password</th><th>user_class</th><th>user_id</th></tr>
{ bz:list query="select * from auth" }
<tr><td><a href="changepass.php?user_id={ $user_id}&user_login={ $user_login}">{ $user_login}</a></td><td>{ $user_password}</td><td>{ $user_class}</td><td>{ $user_id}</td></tr>
{ bz:endlist}
</table>
<a href="newuser.php">Add user</a>
<a href="index.php?func=userLogout">Logout</a>
{ bz:endpage}
</body>
</html>
changepass.php :
forms to change a few characteristics of a user.
<html>
<head>
<title>Change password...</title>
</head>
<body>
{ bz:page perms="admin" }
<h1>User : { $user_login}</h1>
<form action="index.php">
<table>
<tr><td>New Password</td><td><input type="password" name="user_password" /></td></tr>
<tr><td></td><td><input type="submit" value="Change password" /></td></tr>
</table>
<input type="hidden" name="user_id" value="{ $user_id}" />
<input type="hidden" name="func" value="chPwd" />
</form>
<form action="index.php">
<table>
<tr><td>New Class</td><td><input type="text" name="user_class" /></td></tr>
<tr><td></td><td><input type="submit" value="Change class" /></td></tr>
</table>
<input type="hidden" name="user_id" value="{ $user_id}" />
<input type="hidden" name="func" value="chClass" />
</form>
<form action="index.php">
<table>
<tr><td></td><td><input type="submit" value="Delete user" /></td></tr>
</table>
<input type="hidden" name="user_id" value="{ $user_id}" />
<input type="hidden" name="func" value="delUser" />
</form>
{ bz:endpage}
</body>
</html>
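The changepass.php forms above submit func=chPwd, chClass or delUser together with a user_id to index.php; the handlers behind those names live in bzmain.php and are not shown on this page. The following is an added example, not bZ's own code, of how such a dispatcher could be written so that the user_id is validated before it reaches the database, every query is a prepared statement, class names are checked against a list the site knows, and the stored password is a password_hash() digest rather than the raw value. The function names (bz_open_demo_db, bz_normalize_classes, bz_handle_func), the SQLite in-memory table, the constructed rows and the widened user_password column (password_hash() output does not fit in varchar(32)) are all assumptions of this example; $request stands in for $_REQUEST, and the caller is assumed to have already enforced perms="admin" as the pages above do.

```php
<?php
declare(strict_types=1);

/** Constructed in-memory copy of the auth table so the example runs offline. */
function bz_open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same four columns as the auth table described above; user_password is widened here
    // because password_hash() digests are longer than 32 characters (this example's choice).
    $db->exec('CREATE TABLE auth (user_login VARCHAR(32), user_password VARCHAR(255),
                                  user_class VARCHAR(32), user_id VARCHAR(32))');
    $ins = $db->prepare('INSERT INTO auth VALUES (?, ?, ?, ?)');
    $ins->execute(['alice', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'home,work', md5('constructed-seed-1')]);
    $ins->execute(['admin', password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'admin',     md5('constructed-seed-2')]);
    return $db;
}

/** Validate a comma-separated class list against the classes the site knows; null if any is unknown. */
function bz_normalize_classes(string $list, array $knownClasses): ?string
{
    $classes = array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
    if ($classes === [] || array_diff($classes, $knownClasses) !== []) {
        return null;
    }
    return implode(',', array_unique($classes));
}

/**
 * Dispatch one request coming from changepass.php (func, user_id and the field to change).
 * Assumes the page-level perms="admin" check has already passed. Returns a short status string.
 */
function bz_handle_func(PDO $db, array $request, array $knownClasses): string
{
    $func   = (string) ($request['func'] ?? '');
    $userId = (string) ($request['user_id'] ?? '');
    // user_id values are MD5 hex digests; reject anything else before touching the database.
    if (!preg_match('/^[0-9a-f]{32}$/i', $userId)) {
        return 'invalid user_id';
    }
    switch ($func) {
        case 'chPwd':
            $password = (string) ($request['user_password'] ?? '');
            if (strlen($password) < 8) {
                return 'password too short';
            }
            $stmt = $db->prepare('UPDATE auth SET user_password = ? WHERE user_id = ?');
            $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $userId]);
            break;
        case 'chClass':
            $classes = bz_normalize_classes((string) ($request['user_class'] ?? ''), $knownClasses);
            if ($classes === null) {
                return 'unknown class';
            }
            $stmt = $db->prepare('UPDATE auth SET user_class = ? WHERE user_id = ?');
            $stmt->execute([$classes, $userId]);
            break;
        case 'delUser':
            $stmt = $db->prepare('DELETE FROM auth WHERE user_id = ?');
            $stmt->execute([$userId]);
            break;
        default:
            return 'unknown func';
    }
    return $stmt->rowCount() === 1 ? "$func ok" : 'no such user';
}

// Demo run against the constructed table.
$db      = bz_open_demo_db();
$known   = ['home', 'work', 'tennis', 'school', 'admin'];
$aliceId = (string) $db->query("SELECT user_id FROM auth WHERE user_login = 'alice'")->fetchColumn();
echo bz_handle_func($db, ['func' => 'chClass', 'user_id' => $aliceId, 'user_class' => 'home, tennis'], $known), "\n"; // chClass ok
echo bz_handle_func($db, ['func' => 'chClass', 'user_id' => $aliceId, 'user_class' => 'root'], $known), "\n";         // unknown class
echo bz_handle_func($db, ['func' => 'chPwd',   'user_id' => $aliceId, 'user_password' => 'longer-secret'], $known), "\n"; // chPwd ok
echo bz_handle_func($db, ['func' => 'delUser', 'user_id' => 'not-a-hex-id'], $known), "\n";                         // invalid user_id
echo bz_handle_func($db, ['func' => 'delUser', 'user_id' => $aliceId], $known), "\n";                               // delUser ok
echo $db->query('SELECT count(*) FROM auth')->fetchColumn(), " user(s) remain\n";                                   // 1
```

Because the forms above have no method attribute they submit with GET, so the same parameters also arrive in server logs and browser history; the dispatcher therefore never trusts them as-is and treats rowCount() of 0 as "no such user" rather than silently succeeding.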