PHP Make

This document describes security settings for login and user authentication. It discusses administrator login credentials, options for saving login information in cookies, and features for user IDs, user levels, and advanced security. User IDs secure data at the record level by allowing users to only access their own data. User levels secure data at the table level by granting different permission levels to tables. Advanced security allows setting up dynamic user levels stored in database tables to make user level permissions flexible.

Uploaded by Pedro Escalano

Security Settings

Field: Description
Administrator Login (Hard-Coded): Administrator user ID and password
Login Name: Login Name for administrator
Password: Password for administrator
Use Existing Table: Link to existing table for login name and password validation
Table: Existing table in database containing login name and password information
Login Name Field: Login Name field in table used for authentication
Password Field: Password field in table used for authentication
Login Options
Login options in the login page:
Auto-login - Auto login until the user logs out explicitly.
When you enable the auto-login feature, a few cookies will be placed on the user's computer to identify the user, meaning that the user does not have to type username and password every time he/she visits the site. For this reason, you should advise your users not to use this feature on a public or shared computer, as any other user of the computer will be able to access the account.

Remember username - Save the user's username in a cookie.

Always ask - Do not save username and password; always ask for them in the login page.

Page 1 of 8 Security Settings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...

Advanced Security
The Advanced Security feature allows you to set up User IDs, assign User Levels to users and create a complete user registration system. To set up, click the [Advanced] button.
PHPMaker supports two types of security - User ID and User Level. User ID Security secures data at record level. User Level Security secures data at table level. They complement each other and can work independently or together. Users get their User ID and User Level after login. Before login, a user's identity is unknown and the user is an Anonymous User.

Anonymous User
The permissions for Anonymous users are defined in this form.
Steps to set up Anonymous User permissions:
1. Click on Anonymous User in the left pane.
2. Define the permissions for each table.

User ID
User ID Security secures data at record level. Protected tables must have a User ID field for identifying which user a record belongs to. The User ID field names can differ from table to table though. When User ID security is enabled, users can only access their own data.
Steps to set up User ID security for different tables/views:
1. Click on User ID in the left pane.
2. Select the [User ID field] from your user table; this field is usually the primary key of the User Table. (Note: if this field is not set, the feature is disabled.)
3. (Optional) Select the [Parent User ID field] from your user table. The Parent User ID field stores the parent User ID that the user belongs to; the parent user can modify the child user's records. Parent User ID is hierarchical: parent users can also access the records owned by the child users of their child users. (Note: if this field is not set, the Parent User feature is disabled.)
4. In the [User ID Field] column, select the User ID Field for the tables/views that require User ID security.
5. (Optional) Enable [Allow View All] if you allow all logged in users (not including Anonymous User) to list/search/view (but not add/copy/edit/delete) all records in the table.
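The record-level rule above, worked through as an added example (this is not PHPMaker's generated code): walk the Parent User ID hierarchy to find every User ID the current user may reach, then apply [Allow View All] only to read-type actions. The user data, table and field names are constructed assumptions.

```php
<?php
// Added example, not PHPMaker's own code: compute which User IDs a logged-in user
// may reach under User ID security with a hierarchical Parent User ID field, then
// build the filter that restricts a protected table to those records.
// Table/field names and the user data are assumptions constructed for illustration.

// Constructed user table: user_id => parent_user_id (null = no parent)
$users = [
    1 => null, // top-level user
    2 => 1,    // child of 1
    3 => 1,    // child of 1
    4 => 2,    // child of 2, so 1 reaches it through 2 (hierarchical)
    5 => null, // unrelated top-level user
];

// The user's own ID plus every descendant (children, grandchildren, ...).
// The $allowed set also stops the walk if the parent data contains a cycle.
function allowedUserIds(array $users, int $userId): array {
    $allowed = [];
    $queue = [$userId];
    while ($queue) {
        $current = array_shift($queue);
        if (isset($allowed[$current])) { continue; }
        $allowed[$current] = true;
        foreach ($users as $id => $parent) {
            if ($parent === $current) { $queue[] = $id; }
        }
    }
    $ids = array_keys($allowed);
    sort($ids);
    return $ids;
}

// Filter for a protected table whose User ID field is $userIdField (a configured
// column name, never user input). With [Allow View All] on, list/search/view see
// every record; add/copy/edit/delete stay limited to owned or child-owned records.
function userIdFilter(array $users, int $userId, string $userIdField,
                      string $action, bool $allowViewAll): array {
    $readOnly = in_array($action, ['list', 'search', 'view'], true);
    if ($readOnly && $allowViewAll) {
        return ['sql' => '1=1', 'params' => []];
    }
    $ids = allowedUserIds($users, $userId);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['sql' => "$userIdField IN ($placeholders)", 'params' => $ids];
}

print_r(allowedUserIds($users, 1));                        // IDs reachable from user 1
print_r(userIdFilter($users, 2, 'OwnerID', 'edit', true)); // edit ignores Allow View All
```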

User Level
User Level Security secures data at table level. Each user level is granted specific permissions to tables in the database.
There are 2 types of User Level security:
1. Static User Levels - the User Levels and the permissions are defined in this form and the User Levels are not to be changed after script generation.
Steps to set up static User Level security for different tables/views:
1. Click on User Levels in the left pane.
2. Select an integer field in your user table as the [User Level field]. (Note: if this field is not set, the feature is disabled.)
3. Define your user levels; click the corresponding icons to add a user level or to delete a user level.
2. Dynamic User Levels - the User Levels and the permissions are defined in 2 tables in the database; the User Levels can still be changed with the generated scripts.
Steps to set up dynamic User Level security for different tables/views:
1. Click on User Levels in the left pane.
2. Select an integer field in your user table as the [User Level field]. (Note: if this field is not set, the feature is disabled.)
3. Switch to the [Dynamic User Levels] tab and check [Enable Dynamic User Levels].
4. Select your User Level Table and User Level Permission Table and the required fields.
The User Level Table and User Level Permission Table must have the following fields. Note the data types: the User Level ID and the Permission fields must be of integer type; the field names can be different though:
If you want PHPMaker to create these 2 tables in your database, click the [Create tables] button; the following form will display for you to change the table/field names if necessary. You can change the table/field names and then click OK to continue.

If you have projects created by previous versions of PHPMaker, you may want to use dynamic User Levels and migrate the previously defined static User Levels in the project to the database. After selecting or creating the User Level and User Level Permission tables/fields, just click the [Migrate] button to let PHPMaker do that for you.
After setting the user levels, PHPMaker will populate the user levels to the User Level field's Edit Tag (also see Field Setup) so administrators can assign user levels using the generated pages.
There are two built-in user levels:
Administrator - Administrator user level is a built-in user level that has all permissions plus the privileges to modify User IDs and User Levels. Its permissions are the same as those of the hard-coded Administrator. The User Level ID of Administrator is -1.
Default - Default user level is a built-in user level with user level = 0. Since the User Level field is an integer field, if you set a default value of 0 for this field, this user level will become the default user level for the user after registration and before the Administrator assigns another higher user level.
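How a table-level check over the two Dynamic User Level tables can work, as an added example (not PHPMaker's own code): the integer Permission column is treated as a bit mask, level -1 always passes, and a level with no row is denied. The bit values, column layout and sample rows are assumptions for this illustration.

```php
<?php
// Added example, not PHPMaker's own code: a permission check over the two Dynamic
// User Level tables described above. The table layouts and the bit value assigned to
// each permission are assumptions for this illustration; PHPMaker's own constants
// and the exact column names may differ.

const PERM_ADD    = 1;
const PERM_DELETE = 2;
const PERM_EDIT   = 4;
const PERM_LIST   = 8;
const PERM_VIEW   = 16;
const PERM_SEARCH = 32;
const PERM_ALL    = PERM_ADD | PERM_DELETE | PERM_EDIT | PERM_LIST | PERM_VIEW | PERM_SEARCH;

const LEVEL_ADMIN   = -1; // built-in Administrator level, as documented above
const LEVEL_DEFAULT = 0;  // built-in Default level, as documented above

// Constructed User Level Permission table rows: [UserLevelID, TableName, Permission]
$levelPermissions = [
    [LEVEL_DEFAULT, 'orders', PERM_LIST | PERM_VIEW],
    [1,             'orders', PERM_LIST | PERM_VIEW | PERM_SEARCH | PERM_ADD | PERM_EDIT],
];

// Integer permission mask for a level on a table. Administrator (-1) always gets
// everything; a level/table pair with no row gets nothing (deny by default).
function permissionMask(array $levelPermissions, int $level, string $table): int {
    if ($level === LEVEL_ADMIN) {
        return PERM_ALL;
    }
    foreach ($levelPermissions as [$rowLevel, $rowTable, $mask]) {
        if ($rowLevel === $level && $rowTable === $table) {
            return (int) $mask;
        }
    }
    return 0;
}

function canPerform(array $levelPermissions, int $level, string $table, int $perm): bool {
    return (permissionMask($levelPermissions, $level, $table) & $perm) === $perm;
}

// Managing users is reserved for the built-in Administrator level: a user-defined
// level with every permission bit set is still not equivalent to it.
function canManageUsers(int $level): bool {
    return $level === LEVEL_ADMIN;
}

var_dump(canPerform($levelPermissions, 1, 'orders', PERM_EDIT));
var_dump(canPerform($levelPermissions, LEVEL_DEFAULT, 'orders', PERM_DELETE));
var_dump(canPerform($levelPermissions, LEVEL_ADMIN, 'anything', PERM_DELETE));
var_dump(canManageUsers(1));
```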
Important Notes on User Levels
1. Even if you enable all permissions for a user defined User Level, the User Level will NOT become the same as the Administrator User Level. User defined User Levels will not have the permissions to manage users (although parent users have some control over their child users).
2. From v9, the permissions for List/Search/View are separate in newly created projects. However, for backward compatibility, the permissions for List/View/Search in converted projects (created by previous versions) are the same unless you have enabled Separate permissions for List/View/Search in Advanced Settings.
3. You may need to use the hard-coded Administrator Login to log on and assign dynamic user levels to users initially.
4. It is possible to use single login and common Dynamic User Levels for multiple projects provided that ALL projects use the same project name and the same Advanced Security tables (i.e. User Table, User Level Table and User Level Permission Table). If all projects use the same database and the same Advanced Security tables, then the latter condition is automatically fulfilled. However, if the projects use different databases, you need to use the Database_Connecting server event to change the connection info so the user can get the Dynamic User Levels from the common Advanced Security tables correctly during login. For the projects not using the database with the common Advanced Security tables, you still need to create dummy Advanced Security tables (with the same table/field names as the common Advanced Security tables) in the project database so you can set up Advanced Security.

User Login Options

User Login Options allow you to create a complete user registration system for your website, with options to let users register, change password and recover password.
Login
Track failed attempts
If enabled, the number of failed login attempts (invalid password) will be tracked. If the maximum is exceeded, the user will be locked out and the password must be reset.

Maximum failed attempts
The maximum number of failed login attempts.
Failed attempts window (minutes)
The time window, in minutes, during which failed password attempts are tracked.
Disallow concurrent login
If enabled, only one session is allowed for each user (except the hard-coded Administrator). If one user has already logged in, other users trying to log in with the same username (and password) will be rejected.
Note: Users are distinguished by Session ID as recognized by the web server. If you log in again from your PC in another window of the same browser, or in just another tab of your browser, you can still log in. If you log in again with another browser or another PC, the Session ID will be different and the login will be rejected.
Login status timeout (minutes)
The number of idle minutes after which the login status will be considered as logged out and login will be allowed again.
If a logged-in user does not explicitly log out (for example, closes the browser directly), the user session is not closed and the user's login status will remain as "logged in". Attempts to log in again will fail. This timeout setting ensures login will be allowed again after a period of idle time.
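The failed-attempt tracking described above, as an added example (not PHPMaker's own code): attempts are kept in the user table's Profile memo field as JSON, only attempts inside the window count, and reaching the maximum locks the account until a reset clears it. The JSON keys, function names and sample timestamps are constructed assumptions.

```php
<?php
// Added example, not PHPMaker's own code: tracking failed login attempts in the user
// table's Profile (memo) field as a JSON document, and applying the Maximum failed
// attempts and Failed attempts window (minutes) settings. The JSON keys, the function
// names and the sample values are assumptions constructed for this illustration.

const MAX_FAILED_ATTEMPTS   = 3;  // "Maximum failed attempts"
const FAILED_WINDOW_MINUTES = 15; // "Failed attempts window (minutes)"

// Record one invalid-password attempt at $now (Unix time); return the updated profile JSON.
function recordFailedAttempt(string $profileJson, int $now): string {
    $profile = json_decode($profileJson, true) ?: [];
    $windowStart = $now - FAILED_WINDOW_MINUTES * 60;
    // Drop attempts that fall outside the tracking window, then add this one.
    $attempts = array_values(array_filter(
        $profile['failed_attempts'] ?? [],
        fn($t) => (int) $t >= $windowStart
    ));
    $attempts[] = $now;
    $profile['failed_attempts'] = $attempts;
    if (count($attempts) >= MAX_FAILED_ATTEMPTS) {
        $profile['locked_out'] = true; // stays set until the password is reset
    }
    return json_encode($profile);
}

function isLockedOut(string $profileJson): bool {
    $profile = json_decode($profileJson, true) ?: [];
    return !empty($profile['locked_out']);
}

// Called after a successful password reset: clear the counter and the lock.
function clearFailedAttempts(string $profileJson): string {
    $profile = json_decode($profileJson, true) ?: [];
    unset($profile['failed_attempts'], $profile['locked_out']);
    return json_encode($profile);
}

// Constructed walk-through: an attempt 20 minutes before the others falls outside the
// 15-minute window and does not count; three attempts inside the window lock the account.
$t0 = 1700000000;
$profile = recordFailedAttempt('{}', $t0 - 20 * 60);
$profile = recordFailedAttempt($profile, $t0);
$profile = recordFailedAttempt($profile, $t0 + 60);
var_dump(isLockedOut($profile));
$profile = recordFailedAttempt($profile, $t0 + 120);
var_dump(isLockedOut($profile));
$profile = clearFailedAttempts($profile);
var_dump(isLockedOut($profile));
```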

CAPTCHA (requires extension)
Optionally requires the user to type letters or digits from a distorted image that appears on the screen.
Note: Requires the CAPTCHA extension; click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Password
MD5 password
Use MD5 password
Notes
1. If you enable MD5 password, make sure that the passwords in your user table are stored as the MD5 hash (32-character hexadecimal number) of the clear text password. If you also use case-insensitive password, convert the clear text passwords to lower case first before calculating the MD5 hash. Otherwise, existing users will not be able to log in. MD5 hash is irreversible; the password will be reset during password recovery. Note that the reset password is also in the format of a 16-character hexadecimal number; it is NOT the MD5 hash of the old password.
2. PHPMaker will try to detect salted passwords created by other applications. (PHPMaker itself does NOT create salted passwords.) If salted, the password must be stored in '<hashedstring>:<salt>' format, and the hashed string must be the md5 hash of the concatenated string of the clear text password and the salt. Other salt algorithms are not supported; you can however customize the function ew_EncryptPassword() in the template to suit your application.
Case-sensitive password
Use case-sensitive password
Enable password expiry
If enabled, user password will expire after a period of time (except the hard-coded Administrator password).
Password expiry time (days)
For use with Enable password expiry; user password will expire after the specified number of days.
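The verification rules in the MD5 notes, as an added example (not PHPMaker's own code): lower-case the input when Case-sensitive password is off, recognise the '<hashedstring>:<salt>' format, and compare in constant time. The password_hash() branch is this example's own addition, the kind of change the page leaves to a customised ew_EncryptPassword(); the sample passwords and salt are constructed.

```php
<?php
// Added example, not PHPMaker's own code: verifying a submitted password against the
// stored value under the MD5 password and Case-sensitive password options, including
// the '<hashedstring>:<salt>' format PHPMaker detects. The password_hash() branch is
// this example's own addition, not something the page prescribes; the sample
// passwords and salt are constructed.

function verifyLegacyPassword(string $submitted, string $stored, bool $caseSensitive): bool {
    if (!$caseSensitive) {
        // Case-insensitive tables hold md5() of the lower-cased clear text.
        $submitted = strtolower($submitted);
    }
    // Salted format from another application: '<md5hex>:<salt>', md5hex = md5(clear . salt).
    if (preg_match('/^([0-9a-f]{32}):(.+)$/i', $stored, $m)) {
        return hash_equals(strtolower($m[1]), md5($submitted . $m[2]));
    }
    // Plain MD5: a 32-character hexadecimal string.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return hash_equals(strtolower($stored), md5($submitted));
    }
    return false; // unrecognised storage format: never treat as a match
}

// Hash used when a password is set or reset after migrating away from MD5.
function hashPassword(string $cleartext): string {
    return password_hash($cleartext, PASSWORD_DEFAULT);
}

// During migration both formats coexist: use password_verify() when the stored value
// is a password_hash() string, otherwise fall back to the legacy MD5 check.
function verifyPassword(string $submitted, string $stored, bool $caseSensitive): bool {
    if (!empty(password_get_info($stored)['algo'])) {
        return password_verify($submitted, $stored);
    }
    return verifyLegacyPassword($submitted, $stored, $caseSensitive);
}

// Constructed stored values in each of the three formats.
$storedPlain  = md5(strtolower('Secret1'));      // case-insensitive MD5 table
$storedSalted = md5('Secret1' . 'xyz') . ':xyz'; // salted value from another application
$storedModern = hashPassword('Secret1');         // after migration
var_dump(verifyPassword('SECRET1', $storedPlain, false));
var_dump(verifyPassword('Secret1', $storedSalted, true));
var_dump(verifyPassword('secret1', $storedSalted, true)); // wrong case, case-sensitive on
var_dump(verifyPassword('Secret1', $storedModern, true));
```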
User Registration Page
Enabled
Generate user registration page and add a link in the login page.
Fields
Select fields (from the user table) to show in the registration page. Click the [...] button to select the fields.
CAPTCHA (requires extension)
Optionally requires the user to type letters or digits from a distorted image that appears on the screen.
Note: Requires the CAPTCHA extension; click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Confirm before submit
Optionally send email confirmation after registration.
Send email
Optionally send email confirmation after registration.
Requires activation
Optionally requires the user to click an activation link in the email sent after registration to activate the user account.
Note: Send email must be enabled for sending the email with the activation link.
Auto login after registration/activation
Optionally auto-login the user after registration or activation.
Note: If Requires activation is enabled, the user is not activated yet after registration; auto login will be applied when the user clicks the activation link in the email.
Change Password Page
Enabled
Generate change password page.
Send email
Optional email confirmation after changing password.
CAPTCHA (requires extension)
Optionally requires the user to type letters or digits from a distorted image that appears on the screen.
Note: Requires the CAPTCHA extension; click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Password Recovery Page
Enabled
Generate password recovery page (forgot password page) and add a link in the login page. Username and password will be sent to the user's email address.
CAPTCHA (requires extension)
Optionally requires the user to type letters or digits from a distorted image that appears on the screen.
Note: Requires the CAPTCHA extension; click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
User Table Fields
Email address field
Email address field in user table used for sending email.
Activated field
Email activated field in user table used for storing the status of the user. A boolean field is recommended, although an integer field or a string field will also work.
Notes
1. To enable user account activation, the Requires activation and Send email options under User Registration Page must be checked. The user needs to click an activation link in the email sent after registration to activate the user account.
2. If enabled, make sure the activated field for existing users in your user table is updated with your activation values (e.g. True/False, 1/0, Y/N), or the existing users cannot log in because they are not recognized as activated. You can enable the Multi-Update feature for the user table so administrators can activate or deactivate existing users easily.
Profile field
A memo field for persisting all the additional user information. This field is required if the following options are used:
Track failed attempts
Disallow concurrent login
Enable password expiry

Email Template
The email sending function and the email contents can be customized in the template. The following special tags are used in the email templates:
<!--$From--> is the sender email address
<!--$To--> is the user email address
<!--$Password--> is the user password
<!--FieldName--> (without the $ symbol) is the field value.
For example, <!--LastName--> is the field value of the field "LastName".
The email format can be either "TEXT" or "HTML". If you use HTML, change the line "Format: TEXT" to "Format: HTML" and enter HTML content below it.
You can also dynamically change the email by code using the Email_Sending event before the email is sent. (See Server Events and Client Scripts)
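A renderer for the template format described above, as an added example (not PHPMaker's own template code): it reads the "Format:" line, substitutes the $-prefixed special tags and plain field tags, and escapes field values when the format is HTML. The template text, record values and function names are constructed assumptions.

```php
<?php
// Added example, not PHPMaker's own code: rendering an email template that uses the
// special tags documented above. The template text, the Format line handling and the
// function names are constructed for this illustration.

// Constructed template in the documented style: first line selects TEXT or HTML.
$template = <<<'TPL'
Format: TEXT
From: <!--$From-->
To: <!--$To-->
Dear <!--FirstName--> <!--LastName-->,
Your new password is <!--$Password-->.
TPL;

// Split the template into the format ("TEXT" or "HTML") and the body below it.
function parseEmailTemplate(string $template): array {
    $lines = preg_split('/\r\n|\n|\r/', $template);
    $format = 'TEXT';
    if (preg_match('/^Format:\s*(TEXT|HTML)\s*$/i', $lines[0], $m)) {
        $format = strtoupper($m[1]);
        array_shift($lines);
    }
    return ['format' => $format, 'body' => implode("\n", $lines)];
}

// Replace <!--$Name--> with the named special value and <!--Field--> with the matching
// user record field. Unknown tags are left in place so they are easy to spot. In HTML
// format, substituted values are escaped so a field value cannot inject markup.
function renderEmail(string $template, array $special, array $record): array {
    $parsed = parseEmailTemplate($template);
    $html = $parsed['format'] === 'HTML';
    $body = preg_replace_callback('/<!--(\$?)([A-Za-z0-9_]+)-->/',
        function (array $m) use ($special, $record, $html): string {
            $source = $m[1] === '$' ? $special : $record;
            if (!array_key_exists($m[2], $source)) {
                return $m[0];
            }
            $value = (string) $source[$m[2]];
            return $html ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
        }, $parsed['body']);
    return ['format' => $parsed['format'], 'body' => $body];
}

$record  = ['FirstName' => 'Ada', 'LastName' => 'Lovelace']; // constructed user row
$special = ['From' => 'admin@example.com', 'To' => 'ada@example.com',
            'Password' => 'constructed-reset-value'];
echo renderEmail($template, $special, $record)['body'], "\n";
```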

Also See:
Tutorial - User ID Security
Tutorial - Static User Level Security
Tutorial - Dynamic User Level Security
Tutorial - User Registration System

2002-2014 e.World Technology Ltd. All rights reserved.
