PHP authentication - members area versus extra content on public page
I'm trying to think out my user authentication system for a site in development and have read many of the posts on Stack Overflow and elsewhere to get my head around this. I found a couple of options; I was wondering if this one looks like a decent starting point:
http://php.about.com/od/finishedphp1/ss/php_login_code_6.htm
It appears to encrypt the passwords and avoid some of the obvious pitfalls.
Also, perhaps a silly question, but I want to use the authentication for 2 reasons:
1. To provide the user with some extra functionality on an otherwise public page. (Think "Hello [username]" at the top of the page).
2. Provide user access to private pages also.
These 2 types of applications (login = added stuff on public page versus login = access to private page) are reliant on the same authentication, right?
In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?
Please let me know if I'm asking for trouble by using an about.com tutorial for this....
Thanks in advance.
FOLLOW UP EDIT: Ok, so the about.com tutorial has some holes. I found a more complete system below that appears to use SHA1 encryption instead. This also has an email verification for new users and some other nice functionality. At first glance, does this seem like a solid route to take?
http://www.unlimitedtree.com/topic/1503-tutadvanced-login-member-system-php-tutorial/
Yes, you are asking for trouble. There are several reasons why I would avoid the about.com approach:
Security is a complex topic. I recommend you to use well tested authentication and authorization solutions as provided by established frameworks. Also think about OpenID.
A few PHP frameworks and their auth components:
Concerning your question:
In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?
Yes. You have to differentiate between Authentication and Authorization. The former helps you to identify who the user is and the latter helps you to find out what the user is allowed to do. Read this short introduction to learn about the topic.
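The authentication/authorization split the answer describes, as an added example that is not part of the question, the answer, or either linked tutorial: one session-based login serves both the public page (where being authenticated only adds the greeting) and the private page (where a role check, the authorization step, decides access). The in-memory user store, the usernames, passwords and roles are constructed for the example; password_hash()/password_verify() (PHP 5.5+) are the example's own choice for storing credentials and are not something the page recommends.

```php
<?php
// Added example: session-based authentication shared by a public and a private page.
// Assumes PHP >= 5.5 (password_hash/password_verify); the user store below is an
// in-memory array standing in for a database table.
declare(strict_types=1);

// Constructed user store: username => password hash + roles. The hash is what you
// persist at registration time; the plain password is never stored.
function userStore(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'roles' => ['member']],
            'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'roles' => ['member', 'admin']],
        ];
    }
    return $users;
}

// AUTHENTICATION: establish who the user is. Succeeds only if the password verifies.
function login(string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }
    $users = userStore();
    // Always run password_verify, against a dummy hash for unknown users,
    // so a login attempt takes about the same time whether or not the user exists.
    $hash = $users[$username]['hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash) && isset($users[$username]);
    if (!$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new session id on privilege change (anti-fixation)
    }
    $_SESSION['user'] = $username;
    return true;
}

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

// AUTHORIZATION: decide what the already-identified user may do.
function hasRole(string $role): bool
{
    $user = currentUser();
    if ($user === null) {
        return false;
    }
    return in_array($role, userStore()[$user]['roles'], true);
}

// Public page: rendered for everyone; authentication only changes the greeting.
function renderPublicPage(): string
{
    $user = currentUser();
    $greeting = $user === null
        ? 'Hello, guest'
        : 'Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return "<h1>{$greeting}</h1><p>Public content visible to all.</p>";
}

// Private page: the same session decides whether there is a user at all (401),
// and the role check decides whether that user may see this page (403).
function renderPrivatePage(string $requiredRole = 'member'): array
{
    if (currentUser() === null) {
        return ['status' => 401, 'body' => 'Please log in.'];
    }
    if (!hasRole($requiredRole)) {
        return ['status' => 403, 'body' => 'Forbidden.'];
    }
    return ['status' => 200, 'body' => '<p>Members-only content.</p>'];
}

// Usage: in a web request call session_start() first; from the CLI a plain array
// stands in for the session so the flow can be exercised without a web server.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    echo renderPublicPage(), "\n";
    echo json_encode(renderPrivatePage()), "\n";
    var_dump(login('alice', 'wrong password'));
    var_dump(login('alice', 'correct horse'));
    echo renderPublicPage(), "\n";
    echo json_encode(renderPrivatePage()), "\n";
    echo json_encode(renderPrivatePage('admin')), "\n";
}
```

The point of the structure is that login() is the only place that decides identity, and both pages read the same session; adding the private page changes nothing about authentication, it only adds an authorization check (hasRole) in front of the protected content.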
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.