Do not use any version of phpPeanuts before 2.1 for applications that require user authentication based on cookies. These versions of phpPeanuts are vulnerable to cross-site scripting (XSS) that may allow third parties to steal the cookies used for authentication; with a stolen session cookie an attacker can act as the logged-in user without ever knowing the password.
The simplest way to add user authentication to an application may be to use the facilities of the web server you are using. See your web server documentation for how to set up a username/password list and restrict access to a folder. If you rent a web server account from a hosting provider, there will probably be a convenient user interface for this.
For more control you can activate your own Authenticator by making your SecurityManager::initAuthenticator method use your own Authenticator class. Authentication on its own is of little use, because the default authorization in SecurityManager allows everybody to do everything. See how to control what kinds of users can see and do what.
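The following is an added example of what such a custom Authenticator can look like; it is not code from phpPeanuts. Only the names SecurityManager and initAuthenticator come from the text above. The property name $authenticator, the MyAuthenticator class, its authenticate() signature and the credential store are assumptions made for this illustration, and the SecurityManager class is a stand-alone stand-in so the file runs by itself (in a real application it is the application's own SecurityManager class).

```php
<?php
// Added example, not phpPeanuts code. Only the names SecurityManager and
// initAuthenticator come from the documentation; $authenticator, MyAuthenticator,
// authenticate() and the credential store are assumptions for this illustration.

class MyAuthenticator
{
    /** @var array<string,string> username => password hash (constructed sample data) */
    private array $hashes;
    /** Hash of a random string, verified against when the username is unknown. */
    private string $dummyHash;

    public function __construct(array $hashes)
    {
        $this->hashes = $hashes;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /**
     * Returns the username on success, null on failure. password_verify() runs
     * whether or not the username exists, so response time does not tell an
     * attacker which usernames are valid.
     */
    public function authenticate(string $username, string $password): ?string
    {
        $known = isset($this->hashes[$username]);
        $hash  = $known ? $this->hashes[$username] : $this->dummyHash;
        $ok    = password_verify($password, $hash);
        return ($known && $ok) ? $username : null;
    }
}

/**
 * Stand-in for the application's own SecurityManager class (assumption: in a
 * real phpPeanuts application this class extends the framework's base class).
 */
class SecurityManager
{
    public $authenticator;

    public function initAuthenticator(): void
    {
        // Hashes produced with password_hash(); a real application loads them
        // from its user store instead of building them at startup.
        $this->authenticator = new MyAuthenticator([
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ]);
    }
}

// Demo: run with `php authenticator.php`.
$sm = new SecurityManager();
$sm->initAuthenticator();
var_dump($sm->authenticator->authenticate('alice', 'correct horse battery staple'));
var_dump($sm->authenticator->authenticate('alice', 'wrong password'));
var_dump($sm->authenticator->authenticate('mallory', 'anything'));
```

The first call returns the username, the other two return null. Passwords are stored only as password_hash() output (bcrypt by default), never in clear text, and the dummy-hash branch keeps the failure path as slow as the success path. The example needs PHP 7.4 or later for the typed properties.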
Alternatively, the authentication extension is available for phpPeanuts 1.4.beta1 and higher. It is no longer available as a free download, but can be obtained by paying customers of MetaClass and by developers who have made a substantial contribution to the development of the framework and its extensions.
It can authenticate users by username and password and may be used to authorize users, by their roles, for access to and actions on applications or types. It comes with an administration application and basic classes for User, UserRole and UserGroup.
PS. The authentication plugin relies on PHP's session to store its information about users after they have logged in. To prevent session ids from being leaked through URLs, consider ini_set('session.use_only_cookies', '1'); Also consider taking additional measures to secure session content from other applications running on the same physical server (by default they all share one session save path), or storing authentication information in a safer place.
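An added example, not part of phpPeanuts, that applies the session hardening recommended above before the session starts, keeps the session files in a private directory, and issues a fresh session id at login. The application name and the save path are assumptions.

```php
<?php
// Added example, not phpPeanuts code. The application name and the save path
// are assumptions; everything else is standard PHP session configuration.

/** Must run before session_start(): these settings are read when the session begins. */
function hardenSession(string $appName, string $savePath): void
{
    // Session id travels only in the cookie, never in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids the server did not issue itself (blocks fixation
    // with an attacker-chosen id).
    ini_set('session.use_strict_mode', '1');
    // Owner-only directory: other sites on a shared server cannot read the
    // session files from the shared default path (usually /tmp).
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    ini_set('session.save_path', $savePath);
    // App-specific cookie name avoids collisions with other apps on the host.
    session_name($appName . '_sid');
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Lax',
    ]);
}

/** Record a successful login under a fresh session id. */
function loginUser(string $username): void
{
    session_regenerate_id(true);  // discard the pre-login id, which may be known to others
    $_SESSION['auth_user'] = $username;
    $_SESSION['auth_time'] = time();
}

/** Username of the logged-in user, or null; idle sessions expire after $maxIdle seconds. */
function currentUser(int $maxIdle = 1800): ?string
{
    if (!isset($_SESSION['auth_user'], $_SESSION['auth_time'])) {
        return null;
    }
    if (time() - $_SESSION['auth_time'] > $maxIdle) {
        logoutUser();
        return null;
    }
    $_SESSION['auth_time'] = time();
    return $_SESSION['auth_user'];
}

/** Clear server-side state and expire the cookie in the browser. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Demo: run with `php session.php`.
hardenSession('peanuts', sys_get_temp_dir() . '/peanuts_sessions');
session_start();
loginUser('alice');
echo currentUser(), "\n";
echo 'use_only_cookies=', ini_get('session.use_only_cookies'), "\n";
logoutUser();
```

The array form of session_set_cookie_params() needs PHP 7.3 or later. The `secure` flag means the cookie is only sent over HTTPS, so on a site still served over plain HTTP logins will silently fail until the site is moved to HTTPS. `httponly` stops script from reading the cookie, which blunts the cookie theft described at the top of this page, but it does not remove the XSS itself; upgrading past 2.1 is still required. session.use_strict_mode and a private save_path are the two settings that matter on a shared host: without them any other site on the same server can read, and in some configurations plant, session files.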