doujia2090 2013-12-09 12:45
Views: 35

Creating a secure authentication/authorization model

I am looking for some advice on how to create a secure authentication/authorization model for my application. I am writing this for CakePHP but would like to be able to take this model to any application. If I could get opinions on my model and how to make it better, I would really appreciate it. This is what I have:

Each view that I want to protect has the following code in its controller:

$getUser = $this->Session->read('get_logged_user');
if ($getUser == null) {
    // no credentials, redirect
    $this->render('../Elements/User/login');
} else {
    if ($getUser->isAuthenticated == false) {
        // not authenticated
        $this->render('../Elements/User/login');
    } else {
        // it's ok, show the page. If it needs to check roles, iterate over the roles array
    }
}

Essentially, I check to see if the correct session is available. If it's not, they never logged in, so redirect to the login page. If so, check authorization. My session is a class made up of the following: first/last name, user name, an array of roles, and an isAuthenticated boolean. When the user logs in to my app, this object is created and put into the session. The class authenticates against a database and pulls back all essential info on the user (name, roles, etc.). The roles can be further used by the app to determine what the user can and cannot see and interact with. When the user clicks the "log out" button, this session object gets destroyed.

Is this method secure? Should I also be using tokens or something? If more code is needed, let me know and I can post it. I know CakePHP has a security plugin but I would rather create my own from scratch.

Thanks!


1 answer

  • dtuct88226 2013-12-10 05:33

    So... you want to reinvent the wheel? Sure, go ahead. I just want to give you a heads up.

    First, let's start with something really basic. I would not copy/paste that code in every action, instead, place this in your AppController.

    public function beforeFilter() { //called in all your controller actions
        parent::beforeFilter();
        $mySession = $this->Session->read('yourSession');
        if ($mySession === null) {
            $this->render('something');
            return;
        }
        if (!$mySession->isAuthenticated()) {
            $this->render('login');
            return;
        }
        //the rest of your logic
    }
    

    This approach is very basic, you might want to wrap this in a component so you can use it in another application, or you can even create a plugin, which is the best solution in this case.

    If you don't want to enter into the internals of Auth then you can take a look at the Users Plugin we did in CakeDC.

    Another piece of advice (not related to the logic of authentication): take care of coding conventions. They make your code easier to read and understand. Also, try to return early and avoid nesting your conditionals.

    My best wishes in your learning process.

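The model from the question, rewritten the way the answer suggests (one central gate, early returns, no nesting) as an added, framework-agnostic example; this is not code from either poster or from CakePHP. It assumes an in-memory dict standing in for the server-side session store and a constructed user table in place of the database lookup.

```python
"""Session-based authentication/authorization gate, checked once per request.

The browser only ever holds an opaque session id; the user record
(name, roles, isAuthenticated) stays server-side, as in the question.
"""
import secrets

SESSIONS = {}  # session id -> user record (stands in for the server-side session store)

# Constructed sample user table; a real application looks this up in its database
# after verifying the password.
USERS = {"alice": {"first": "Alice", "last": "Smith", "roles": {"admin", "editor"}}}


def login(username):
    """Create a fresh session for a user whose credentials were already verified.

    A new random id is issued on every login so an id the browser held before
    authenticating (e.g. one planted by someone else, i.e. session fixation) is
    never promoted to an authenticated session. Returns the id, or None.
    """
    user = USERS.get(username)
    if user is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_name": username, "first": user["first"],
                     "last": user["last"], "roles": set(user["roles"]),
                     "isAuthenticated": True}
    return sid


def logout(sid):
    """Destroy the server-side record; the old id is meaningless afterwards."""
    SESSIONS.pop(sid, None)


def check_access(sid, required_roles=()):
    """Central gate (the answer's beforeFilter): returns 'login', 'forbidden' or 'ok'."""
    session = SESSIONS.get(sid)
    if session is None:
        return "login"          # no credentials at all: send to the login page
    if not session.get("isAuthenticated"):
        return "login"          # record exists but the user never authenticated
    if not set(required_roles) <= session["roles"]:
        return "forbidden"      # authenticated, but lacks a required role
    return "ok"                 # show the page
```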
