堆栈内存溢出
  简体   繁体   English

我可以在 Apache 的帮助下实现一个透明的、基于 PHP 的身份验证层吗?

[英]Can I implement a transparent, PHP-based authentication layer with Apache's help?

 原文  2011-07-07 13:43:20       php/ apache/ authentication

问题描述

Background背景

I'm looking for a transparent, PHP-driven authentication layer for a web site.我正在为 web 站点寻找一个透明的、PHP 驱动的身份验证层。

I'm aware of the following simple approaches:我知道以下简单的方法:

HTTP Authentication HTTP认证

Mechanics:力学:

  • Apache controls access rights; Apache 控制访问权限;
  • Attempts to access any file in a given directory transparently require HTTP auth if not already authed.尝试访问给定目录中的任何文件透明地需要 HTTP 身份验证(如果尚未经过身份验证)。

Downsides:缺点:

  • Limited configuration options;有限的配置选项;
  • Difficult to integrate with existing user database;难以与现有用户数据库集成;
  • No control over visual presentation of login prompt.无法控制登录提示的视觉呈现。

PHP-based login基于PHP的登录

Mechanics:力学:

  • PHP controls access rights; PHP 控制访问权限;
  • Attempts to access any file explicitly built for the system if not already authed will result in redirection to a login page.尝试访问为系统显式构建的任何文件(如果尚未经过身份验证)将导致重定向到登录页面。

Downsides:缺点:

  • If I forget to write the required include "login_required.inc.php";如果我忘记写所需include "login_required.inc.php"; or similar at the top of any PHP file, that file will be accessible by anybody.或任何 PHP 文件顶部的类似文件,任何人都可以访问该文件。

What I want我想要的是

I'd like to implement the PHP-based login solution , but to somehow configure Apache to invoke login_required.inc.php (or similar) transparently as an intermediate step when any PHP file is requested.我想实现基于 PHP 的登录解决方案,但以某种方式配置 Apache 以调用login_required.inc.php (或类似的)透明地作为中间步骤,当请求任何 Z2FEC392304A5C23AC138DA22847 文件时

This script will:该脚本将:

  • run;跑;
  • check session variables;检查 session 变量;
  • tell Apache either "yes, produce the requested page" or "no, redirect to the login page";告诉 Apache “是,生成请求的页面”或“否,重定向到登录页面”;
  • not require code to be inserted at the top of every PHP script that requires authentication.不需要在每个需要身份验证的 PHP 脚本的顶部插入代码。

Is this a pipe dream?这是 pipe 的梦想吗? Or can I do it?或者我能做到吗? And if so, how?如果是这样,怎么办?

4 个解决方案

解决方案1
 3 已采纳  2011-07-07 13:56:34

If you rewrite all php requests through index.php, index.php/php would then control access to anything.如果您通过 index.php 重写所有 php 请求,则 index.php/php 将控制对任何内容的访问。

RewriteRule ^(.*)$ /index.php?pageid=$1 [QSA,L]

Something like that will push any request to index.php, in which you can do your authentication and then it will farm out the content...类似的东西会将任何请求推送到 index.php,您可以在其中进行身份验证,然后它将内容分流出来......

The QSA in this will retain any query string parameters etc.其中的 QSA 将保留任何查询字符串参数等。

解决方案2
 2  2011-07-07 13:55:29

I think you should restructure you website to use a Front Controller .我认为您应该重组您的网站以使用Front Controller There's a reason that pretty much every framework uses the FrontController pattern: single point of access makes your app simpler.几乎每个框架都使用 FrontController 模式是有原因的:单点访问使您的应用程序更简单。

解决方案3
 1  2011-07-07 13:49:21

One possibility is to use .htaccess ModRewrite to redirect all requests to, say, login_required.php?redirect=<ORIGINALLY-REQUESTED-SCRIPT> .一种可能性是使用.htaccess ModRewrite将所有请求重定向到,例如login_required.php?redirect=<ORIGINALLY-REQUESTED-SCRIPT>

login_required.php can then perform its magic and do one of the following: login_required.php然后可以执行其魔术并执行以下操作之一:

  • Present a login form出示登录表格
  • include <ORIGINALLY-REQUESTED-SCRIPT> . include <ORIGINALLY-REQUESTED-SCRIPT>
    • Note that a header("Location: <ORIGINALLY-REQUESTED-SCRIPT>)";请注意, header("Location: <ORIGINALLY-REQUESTED-SCRIPT>)"; will, I believe, merely fall foul of the .htaccess again and cause an infinite redirect loop!我相信,只会再次与.htaccess并导致无限重定向循环! Setting the .htaccess ModRewrite directive to only conditionally redirect based on the value of HTTP_REFERER is not secure enough..htaccess ModRewrite指令设置为仅基于HTTP_REFERER的值有条件地重定向是不够安全的。

This is not the preferred solution , but it's a possibility...不是首选解决方案,但有可能......

解决方案4
 1  2011-07-07 13:53:52

Another possibility:另一种可能:

Have only a single entry-point.只有一个入口点。 Just one file that's accessible from the outside world, like index.php?target=<REQUESTED-SCRIPT> .只有一个可以从外部世界访问的文件,例如index.php?target=<REQUESTED-SCRIPT> This one file can contain the authentication logic and include the required script.这一文件可以包含身份验证逻辑并include所需的脚本。

All other files would be blocked from external access by .htaccess , or simple file permissions. .htaccess或简单的文件权限将阻止所有其他文件进行外部访问。

This is a good solution, but it would be a large change to update all URLs throughout the existing system .这是一个很好的解决方案,但是要更新整个现有系统中的所有URL 将是一个很大的变化

Edit Apparently this is called the "Front Controller" pattern.编辑显然这被称为“前端控制器”模式。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将基于PHP的Facebook会话转移到Javascript? - How can I transfer a PHP-based Facebook session to Javascript? 是否有基于PHP的Python的鼻子实现? - Is there a PHP-based implementation of Python's Nose? 如何在基于PHP的Heroku应用中添加HTTP身份验证? - How do I add HTTP authentication to a PHP-based Heroku app? 我可以将完整的MySQL DB从基于PHP的站点移动到Django应用程序吗? - Can I move complete MySQL DB from PHP-based site to a Django application? 我可以在基于PHP的网站上使用npm安装Fabric.js吗? - Can I install Fabric.js using npm for a PHP-based site? 我无法弄清楚我的基于 PHP 的上传程序中缺少什么 - I can't figure out what is missing in my PHP-based upload program 基于PHP的搜索框架 - PHP-based search frameworks 基于PHP的图像处理器可以上传上传的图像吗? - PHP-based image processor that can be fed uploaded images? 如何从非基于PHP的AJAX应用程序中使用基于PHP的身份验证? - How to use PHP-based authentication from non-PHP based AJAX app? 如何借助php在Google文档/电子表格上实现基于时间的身份验证 - how to implement time based authentication on google doc/spreadsheet with the help of php
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM