2011-12-13 13:00:33 - Article

Adding password authentication to a Zend CMS or controller


This is a very quick way to add password protection to a controller, such as a CMS controller.

This code intercepts the login within the init() method of your chosen controller: if the user is logged in they are free to go; if not, they are required to log in, and the login form is rendered and validated against the access model.

The session is obfuscated to deter tampering.

So, firstly, in your controller's init() add:

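// Admin session namespace plus the access-control model that checks logins.
$adminSession = new Zend_Session_Namespace('Admin');
$this->access = new Application_Model_accessControl(); // access control

// NOTE(review): init() runs before the requested action is invoked; rendering
// the login form here does not by itself stop that action from executing.
// Consider moving this check into preDispatch() and halting dispatch (e.g. a
// redirect) for anonymous requests so no action code runs unauthenticated.

$loginMsg = 'Please login';
$loginForm = new Zend_Form;
$loginForm
	->setMethod('post')
	->setAttrib('id', 'login')
	->addElement('text', 'user', array('label' => 'Username', 'required' => true))
	->addElement('password', 'pass', array('label' => 'Password', 'required' => true))
	// CSRF token: Zend_Form_Element_Hash ties each submission to the visitor's session.
	->addElement('hash', 'csrf')
	->addElement('submit', 'Login');

$request = $this->getRequest();
// Validate against the request's POST data rather than the raw superglobal.
if ($request->isPost() && $loginForm->isValid($request->getPost())) {
	$session = $this->access->validateUser(
		$loginForm->getValue('user'),
		$loginForm->getValue('pass')
	);

	if ($session) {
		// Issue a fresh session id on privilege change (session fixation defence);
		// the namespace data is carried over to the new id.
		Zend_Session::regenerateId();
		$adminSession->loggedInSession = $session;
		$adminSession->loggedInUser = $loginForm->getValue('user');
	} else {
		// Only a rejected attempt should read as denied.
		$loginMsg = 'Access denied';
	}
}

if (!$this->access->sessionIsValid($adminSession->loggedInSession) || !$adminSession->loggedInUser) {
	$this->view->header = $loginMsg;
	$this->view->content = $loginForm;
	$this->render('login');
} else {
	// Re-issue the "now" token on every request so a login survives the hour
	// boundary (the model also accepts the previous and next hour's token).
	$adminSession->loggedInSession = $this->access->getValidSession();
	$this->view->userIdent = $adminSession->loggedInUser;
}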

$this->view->userIdent will always contain the logged-in user.

The next step is to create the model for authentication in models/accessControl.php

setUsers(
        	array(
				'password1'=>'admin',
				'password2'=>'admin'
				)
       		);
        // salt for session key
		$this->setSalt('MySaltGoesHere1234');
	}

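	/**
	 * Check a username/password pair against the configured user table.
	 *
	 * NOTE(review): the table is keyed by the plain-text password
	 * ($password => $username), so passwords are stored unhashed and two
	 * users cannot share a password. A store of hashed passwords checked with
	 * password_verify() would be the safer shape; this method keeps the
	 * existing format so setUsers() callers are unaffected.
	 *
	 * @param string $username
	 * @param string $password
	 * @return string|null the current session token when the pair matches, null otherwise
	 */
	public function validateUser($username, $password)
	{
		$users = $this->getUsers();

		// Strict comparison: a loose == would treat numeric-looking strings
		// such as "1e1" and "10" as the same username.
		if (isset($users[$password]) && $users[$password] === $username) {
			return $this->getValidSession();
		}

		return null;
	}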
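	/**
	 * Whether $session is one of the tokens accepted right now (previous, current or next hour).
	 *
	 * @param string|null $session token held in the admin session namespace (null when not logged in)
	 * @param bool        $debug   when true, echoes the token and the accepted set (development aid only)
	 * @return bool
	 */
	public function sessionIsValid($session, $debug = false)
	{
		$validSessions = $this->getValidSessions();

		if ($debug) {
			// This output discloses every accepted token; never enable it on a live site.
			echo "MY KEY: $session\nKEYS: " . print_r($validSessions, true);
		}

		// Strict comparison so a null or empty token can never match by type juggling.
		return in_array($session, $validSessions, true);
	}

	/**
	 * The three tokens accepted at this moment: previous hour, current hour and next hour.
	 *
	 * @return array list of three token strings
	 */
	public function getValidSessions()
	{
		return array(
			$this->getValidSession('past'),
			$this->getValidSession('now'),
			$this->getValidSession('future'),
		);
	}

	/**
	 * Build the session token for a given hour window.
	 *
	 * Three windows exist so an editing session that crosses an hour boundary is
	 * not logged out: 'past' (previous hour), 'now' (current hour, the default)
	 * and 'future' (next hour, e.g. a clock change while editing).
	 *
	 * The token is derived, not random: md5(REMOTE_ADDR . hour . salt . HTTP_USER_AGENT).
	 * Mixing in the client address and user agent is meant to make a copied token
	 * useless from another client (the original author's anti-hijacking intent);
	 * it also means a visitor whose address changes mid-session is logged out.
	 * The salt is the only secret input, so it must not leak (see the debug echo
	 * in sessionIsValid()).
	 *
	 * NOTE(review): when APPLICATION_ENV is set the raw concatenation (salt
	 * included) is returned instead of its md5 — presumably a development aid.
	 * Confirm APPLICATION_ENV is unset on the live site, otherwise the salt is
	 * written in plain text into session storage.
	 *
	 * @param string $for 'past', 'now' or 'future'; any other value behaves as 'now'
	 * @return string
	 */
	public function getValidSession($for = 'now')
	{
		$hour = intval(date('H')); // 0-23 in the default timezone

		switch ($for) {
			case 'past':
				$hourWindow = ($hour + 23) % 24; // wraps 0 -> 23
				break;
			case 'future':
				$hourWindow = ($hour + 1) % 24;  // wraps 23 -> 0
				break;
			case 'now':
			default:
				$hourWindow = $hour;
				break;
		}

		// Client details bound into the token. The User-Agent header may be absent,
		// so fall back to an empty string instead of raising a notice.
		$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
		$browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

		$validSession = $ip . $hourWindow . $this->getSalt() . $browser;

		if (!getenv('APPLICATION_ENV')) {
			$validSession = md5($validSession);
		}

		return $validSession;
	}

	/**
	 * @param array $users map of plain-text password => username (see validateUser())
	 */
	public function setUsers($users)
	{
		$this->users = $users;
	}

	/** @return array */
	public function getUsers()
	{
		return $this->users;
	}

	/** @param string $salt secret mixed into every token; treat it like a credential */
	public function setSalt($salt)
	{
		$this->salt = $salt;
	}

	/** @return string */
	public function getSalt()
	{
		return $this->salt;
	}
}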

And finally, create a view, login.phtml (this is just the bare bones):

{$this->header}";  ?>
content;  ?>

That's it!
