I know questions like this have been asked numerous times, but not quite this one. Forgive me if I overlooked an obvious duplicate.

In the core of many of my web applications is a self-written user/session management class that in its origins dates back to 2002. I have decided that it is time for a fundamental re-write or, preferably, the introduction of a ready-made standard library.

My requirements for that library would be:

  • Object oriented, clean, excellent code
  • Full session management: Wrapper to session_start() and consorts
  • Would ideally provide various storage methods (PHP Standard /tmp, database based)
  • Would ideally be able to connect to different types of user data storage, but mySQL will do fine
  • Would ideally provide convenient functions for supporting OpenID, but that's a fancy thought, no requirement right now
  • Methods: Verify session, get user data, get session data, log in user, log out user
  • Settings: Session lifetime, password encryption
  • Must be Open Source

And if it's very generic, a user management API or a generic connector to the user management of the surrounding application would be nice:

  • Create/Update/delete user records
  • Fetch and modify data of currently logged in user

This is so basic, and so security relevant, that I would expect that there is a standard solution to this; however, I don't know of any, and all the big CMSs and blogs seem to be rolling their own.

My two questions:

  • Do you know such a component as a generic, stand-alone library?

  • Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running into trouble?

+1  A: 

There are several OpenID libraries available.

http://wiki.openid.net/Libraries#php

For the rest you might as well roll your own, since figuring out someone else's library would probably be more trouble than it's worth.

sakabako
Thanks for the openID link. Re the rolling my own: a well-documented standard library should be possible to figure out quite quickly. My hope is there is one out there.
Pekka
+2  A: 

Could somebody with deep knowledge in Zend Framework tell me whether it is possible to use Zend_auth and/or Zend_session standalone, at the core of a big application that has otherwise nothing to do with ZF, without running into trouble?

I don't have deep knowledge of the Zend Framework, but I have used various components (e.g. Zend_Search) without creating a Zend_Application object or using the MVC framework, and I am sure the rest of the library is also designed to be totally modular. Last time I dug through the Zend_Session code, I didn't find any includes outside Zend/Session/. A quick Google seemed to confirm this for Zend_Auth, along with the Zend FAQ which states:

Is ZF a component library or a framework?
Simple answer: both. Zend Framework provides all the components required for most web applications in a single distribution. But Zend Framework components are also loosely coupled, making it easy to use just a few components in a web application, even alongside other frameworks! Using this use-at-will architecture, we are implementing features commonly found in more monolithic frameworks. In fact, we are currently working on a tooling component for the 1.8 release that will make it simpler to build applications using ZF components, yet will not sacrifice the use-at-will nature of existing ZF components. It's a testament to the use-at-will architecture of Zend Framework that the tooling component itself can be used standalone.

The only thing I had to do when not using Zend_Search with the MVC framework was add the directory where you installed the Zend Framework to the include path, due to the includes in the Zend library. The documentation doesn't document the includes you need when not using the Zend Autoloader, but as everything uses the PEAR class naming scheme, it is easy to deduce from the class names you are using (so the class Foo_Bar_File would require you to include Foo/Bar/File.php).

Yacoby
Thanks for the answer Yacoby. I think I will delve into it and give ZF a try.
Pekka
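A standalone bootstrap of the kind Yacoby describes, added here as an example and not code from the question, the answers or the Zend project: the include path plus a PEAR-style autoloader make Zend_Session and Zend_Auth (ZF 1.x) loadable without the MVC layer, and the log in / log out / "who is logged in" functions the question asks for sit on top. The ZF path, the users table, the $pdo connection, the PHP version and the PdoPasswordAdapter class are assumptions.

```php
<?php
// Added example, not code from the question or answers: Zend_Session and Zend_Auth (ZF 1.x)
// used standalone, without Zend_Application or the MVC layer. Assumptions: ZF is unpacked at
// the placeholder path below, $pdo connects to a table users(id, username, password_hash),
// and PHP >= 5.5 supplies password_verify().
set_include_path('/path/to/ZendFramework/library' . PATH_SEPARATOR . get_include_path());
// PEAR-style autoloader, the mapping the answer describes: Foo_Bar_File -> Foo/Bar/File.php.
spl_autoload_register(function ($class) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $class)) return; // only plain class names become paths
    $file = str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php';
    if (stream_resolve_include_path($file) !== false) require_once $file;
});
// Options must be set before the first Zend_Session::start().
Zend_Session::setOptions(array(
    'use_only_cookies' => true, // never accept a session id from the URL
    'cookie_httponly'  => true, // cookie not readable by script
    'gc_maxlifetime'   => 1800, // idle lifetime in seconds (the "session lifetime" setting)
));
Zend_Session::start();

// Adapter that verifies the hash in PHP instead of a SQL-side MD5(?) credential treatment.
class PdoPasswordAdapter implements Zend_Auth_Adapter_Interface {
    private $pdo, $username, $password;
    public function __construct(PDO $pdo, $username, $password) {
        $this->pdo = $pdo; $this->username = $username; $this->password = $password;
    }
    public function authenticate() {
        $stmt = $this->pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute(array($this->username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null);
        if (!password_verify($this->password, $row['password_hash'])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null);
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, (int) $row['id']); // identity = user id
    }
}
function login(PDO $pdo, $username, $password) {
    $result = Zend_Auth::getInstance()->authenticate(new PdoPasswordAdapter($pdo, $username, $password));
    if ($result->isValid()) Zend_Session::regenerateId(); // new id after login blocks session fixation
    return $result->isValid();
}
function currentUserId() { // the "who is logged in" query the OP wants: user id or null
    $auth = Zend_Auth::getInstance();
    return $auth->hasIdentity() ? $auth->getIdentity() : null;
}
function logout() {
    Zend_Auth::getInstance()->clearIdentity();
    Zend_Session::destroy(); // also removes the session cookie
}
```

Zend_Auth keeps the identity in a Zend_Session_Namespace, so the rest of the application only ever sees the user id and does its own access control, which is the split Pekka describes in the comments below.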
A: 

My understanding is that there is no standard library because there is no standard definition of what a user is.

In some of my applications, users simply log in to do stuff. In others, users are part of a company and their permissions and data access are limited by the limits of that company and the subscription level paid for by the company. In other applications, some users are admins with access to everything, some users are admins with access to some data (row level), and other users are the clients of those admins, with access only to their own data. Some users are tied to firms/companies/customers, other users are not. Some users are just a username and password, others are a large object graph with clients, order histories, report preferences, comments, etc.

Maybe I'm wrong and there's some clean way of abstracting all of those requirements into a system that doesn't require five layers of subclassing and a thousand DB hits to log someone in. I haven't found it though.

Scott Saunders
I think you read me wrong. I am *not* talking about any kind of access control management. I am talking only about the basic facts: User logs on, User logs out. Maybe, user changes their password. Nothing else. I may be wrong of course, but from my experience this is extremely low-level and should be pretty much standardizable.
Pekka
I suppose I still don't understand. What's the point of logging a user in if that doesn't give you access control? Isn't that what "logged in" means?
Scott Saunders
I only need a generic API that, in essence, tells me who the logged in user is (i.e. which credentials he or she logged in with). The rest (= access control, checking whether they are allowed to do the requested action etc.) would be up to the web application. The API knows only that the user with the ID 123 is logged into the system. It can do things with this user (log them in, log them out...) but nothing else.
Pekka