Category Archives: php

Zend Server vs Xampp

Now that Zend Server has had its public beta release I thought it was finally worth an installation to see what it's all about. One of the main differences between this and xampp that jumped out at me was that there was a Mac version to download alongside Linux (rpm and deb) and Windows. There will be two versions of the product, to be called the ‘Community Edition’ and the standard commercial version. The commercial version comes with monitoring capabilities and additional Zend modules (page cache and data cache).

After the initial download of around 50mb for Windows, which comes with a nice installer to take care of everything, I realised I hadn’t downloaded everything yet and more modules needed to be added before installing, such as MySQL. There were also other options like a Java Bridge, Zend Framework (with or without dojo) and various other database adaptors.

After 5 minutes everything was done. The Apache web service monitor appeared, which confirmed it was running. Icons now appeared in my program folder so I went ahead and clicked on ‘Zend Service’. Also worth noting that it had links to the Apache and MySQL service programs and to the htdocs.

This loaded a web page taking me to the control panel. Everything looked a bit more flashy and provided similar links as xampp to phpMyAdmin, a phpinfo file and the status of various services. You are reminded in various places that you only have the free version, which is a little irritating. With the links provided you have easy access to the root folder and to setting up passwords on MySQL.

It really did exactly what it said it would do and I encountered no problems installing it. Less experienced users may be a little confused when it comes to choosing which components to install. It does however lack some features that xampp comes with, such as SQLite and Perl. There is also no centralised management tool like the xampp control panel to easily start and stop Apache and MySQL. This is a real shame as this is what makes xampp so easy to use.

Related links

http://www.zend.com/en/products/server/downloads

http://devzone.zend.com/article/4272-Zend-announces-public-beta-of-a-new-product-Zend-Server

http://www.apachefriends.org/en/xampp.html

Persistent sessions with PHP

Persistent sessions are a set of mechanisms built in PHP that allow authentication to persist across multiple browser sessions (i.e. after closing down the browser). Any session variables you set in PHP are destroyed when the browser is closed and can't be used in further sessions. This means, annoyingly, that your users must then sign into your site again. There are some security issues you must be aware of when implementing a system like this.

Persistent sessions weaken the security of your web site, with issues like the site being accessed on a public computer (you could add a tick box asking to be remembered) or if you hold security-sensitive information. It's a trade-off between usability and security. You could even implement a two-step security system where, for example, you trust the user to carry out certain procedures from a persistent session, such as adding an item to a wish list, but require full password validation for procedures such as purchasing an item with a stored credit card number or changing passwords.

When thinking about how to create a system it seems tempting enough just to store the username and password in the cookie, read them off when the user comes back to the web site and automatically log them in. This is a very bad idea. A potential attacker could easily gain access to this information, replay it back to your server and gain unauthorised access.

The cookie is the only standard way to persist data across multiple sessions. So we must store information in this cookie that will provide us with what we need to re-authenticate the user in the future. This is clearly a security risk, so the best we can do is store information that will only be useful for a certain period of time. It would be inadvisable to provide anyone with permanent access this way.

In the cookie we are going to store 2 pieces of information: a hash code representing the username, which we’ll call an identifier, and a key (or token) that is valid only for a certain period of time and is regenerated after one use. To create a hash of the username we could do something like this:

$salt = "pAulR2";
$identifier = md5( $salt . md5($username . $salt ) );

This should be stored in your database alongside your other user details. Remember to always use some form of ‘salt’ when creating hashes. This is just a string that is known only to your application and kept secret. This ensures that people can't use rainbow tables or take a few educated guesses to reverse the hash.

Next we must create a key (or token). This will be like our temporary password, valid for a certain period of time. We just need a long string that isn’t predictable. One could be generated like this:

$key = md5(uniqid(rand(), true));

Again we would need to store this in the database and associate it with the correct user, along with another field recording the time span for which it is valid.

Outline Example

Ok, you’ve authenticated your user's username and password and they’ve indicated that they wish to remain logged in for one week.

// This example assumes you have already connected to a MySQL database
// (legacy mysql_* extension, as used in the original post)
$salt = "pAulR2";
/*
  You must create an identifier for every user and store it in the database prior to implementing this.
  $identifier = md5( $salt . md5($username . $salt ) );
*/
// retrieve the $identifier from the database, I'm going to assume it's in a variable called
// $user['identifier']
$identifier = $user['identifier'];

// create a random key
$key = md5(uniqid(rand(), true));
// calculate the time 7 days ahead for the expiry date
$timeout = time() + 60 * 60 * 24 * 7;

// Set the cookie with the information
setcookie('authentication', "$identifier:$key", $timeout);
// now update the database with the new information
// (`key` is a reserved word in MySQL, so it must be quoted with backticks,
// and $username must be escaped before it is placed in the query)
$username_sql = mysql_real_escape_string($username);
$result = mysql_query("UPDATE `user` SET `key` = '$key', `timeout` = '$timeout'
                       WHERE `username` = '$username_sql'");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

Right, that takes care of setting the cookie, but now we must validate it when it is detected on the user's return to the site. On the user's first visit you need to implement code like the following:

$salt = "pAulR2";

if (isset($_COOKIE['authentication'])) {
    // cookie is set, let's see if it's valid and log someone in
    $clean = array();
    $mysql = array();

    $now = time();

    // explode() returns a single element if there is no ':' in the cookie,
    // so check the part count before using list()
    $parts = explode(':', $_COOKIE['authentication']);
    if (count($parts) == 2 && ctype_alnum($parts[0]) && ctype_alnum($parts[1])) {
        list($identifier, $token) = $parts;
        $clean['identifier'] = $identifier;
        $clean['key'] = $token;

        $mysql['identifier'] = mysql_real_escape_string($clean['identifier']);

        $result = mysql_query("SELECT * FROM `user`
                               WHERE `identifier` = '{$mysql['identifier']}'");
        if ($result && mysql_num_rows($result)) {
            $record = mysql_fetch_assoc($result);
            if ($clean['key'] != $record['key']) {
                // fail because the key doesn't match
            } elseif ($now > $record['timeout']) {
                // fail because the cookie has expired
            } elseif ($clean['identifier'] != md5($salt . md5($record['username'] . $salt))) {
                // fail because the identifier does not match the one derived
                // from the stored username (see the identifier step above)
            } else {
                /*
                  Success, everything matches, now you can process
                  your login functions. The key must be regenerated
                  for the next login. But don't increase the timeout, to
                  ensure that the user must log in again once the time
                  period has passed.
                */
            }
        }
    } else {
        /* failed because the information in the cookie is not in the
           correct format */
    }
}

And remember once you have finished with the cookie delete it!
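The whole identifier:token flow from the post (issue the cookie, validate it on return, rotate the token after one use, reject it once the week is up, delete it when done) in one runnable script, as an added example that is not the post's own code. It keeps the post's design but swaps in what a practitioner would use today: PDO with prepared statements instead of string-built mysql_* queries, random_bytes() for the token, an HMAC for the identifier in place of the md5/salt construction, hash_equals() for the comparison, and storing only a hash of the token so a database leak does not hand out valid cookies. The table name remember_tokens, its columns, the PEPPER value, the SQLite in-memory database and the constructed clock values are all assumptions made for the example.

```php
<?php
// Added example: "remember me" cookie as identifier:token, stored and validated server-side.
// Assumptions (not from the original post): SQLite in memory, table remember_tokens, PEPPER.
declare(strict_types=1);

const TOKEN_TTL = 60 * 60 * 24 * 7;      // one week, as in the post
const PEPPER    = 'example-pepper-change-me'; // constructed; load from config outside the web root

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE remember_tokens (
            identifier TEXT PRIMARY KEY, username TEXT NOT NULL,
            token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

// The identifier is a keyed hash of the username, so the cookie never carries the username itself.
function identifierFor(string $username): string {
    return hash_hmac('sha256', $username, PEPPER);
}

// Issue a fresh token, store only its hash plus the expiry, and return the cookie value.
function issueRememberToken(string $username, int $now): string {
    $identifier = identifierFor($username);
    $token = bin2hex(random_bytes(32));
    $stmt = db()->prepare('INSERT OR REPLACE INTO remember_tokens
        (identifier, username, token_hash, expires_at) VALUES (?, ?, ?, ?)'); // SQLite syntax
    $stmt->execute([$identifier, $username, hash('sha256', $token), $now + TOKEN_TTL]);
    return $identifier . ':' . $token;
}

function revoke(string $identifier): void {
    $stmt = db()->prepare('DELETE FROM remember_tokens WHERE identifier = ?');
    $stmt->execute([$identifier]);
}

// Validate a cookie value. On success rotate the token (expiry unchanged) and return
// [username, newCookieValue]; on any failure return null. The checks mirror the post:
// format, record exists, not expired, token matches.
function validateRememberCookie(string $cookie, int $now): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie
    }
    [$identifier, $token] = $parts;
    $stmt = db()->prepare('SELECT username, token_hash, expires_at FROM remember_tokens WHERE identifier = ?');
    $stmt->execute([$identifier]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown identifier
    }
    if ($now > (int)$row['expires_at']) {
        revoke($identifier); // the week is up: delete the record, user must log in again
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        revoke($identifier); // wrong token for a known identifier: treat as a replayed cookie
        return null;
    }
    $new = bin2hex(random_bytes(32)); // one use only: rotate, keep the original expiry
    $upd = db()->prepare('UPDATE remember_tokens SET token_hash = ? WHERE identifier = ?');
    $upd->execute([hash('sha256', $new), $identifier]);
    return [$row['username'], $identifier . ':' . $new];
}

// How the cookie is sent in a web context (not called on the CLI).
function sendRememberCookie(string $value, int $expires): void {
    setcookie('authentication', $value, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Demonstration with a constructed clock.
$t0 = 1700000000;
$cookie = issueRememberToken('alice', $t0);
[$user, $cookie2] = validateRememberCookie($cookie, $t0 + 3600);
check($user === 'alice', 'valid cookie logs alice in');
check($cookie2 !== $cookie, 'token was rotated');
check(validateRememberCookie($cookie, $t0 + 3600) === null, 'old token rejected after rotation');
$bob = issueRememberToken('bob', $t0);
check(validateRememberCookie($bob, $t0 + TOKEN_TTL + 1) === null, 'cookie rejected after one week');
check(validateRememberCookie('not-a-cookie', $t0) === null, 'malformed cookie rejected');
echo "all checks passed\n";
```

Two design points worth noting: the token is rotated but the expiry is not extended, which is exactly the post's advice that the user must log in again once the period has passed; and a known identifier arriving with the wrong token revokes the stored record, since that is what a replayed stolen cookie looks like after the legitimate browser has already rotated it.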

Sources: Essential PHP Security