
Sunday, September 19, 2004

This article explains how Nucleus handles logins and logouts, and how it checks whether the current visitor is a logged-in site member.

Ingredients

The ingredients needed by the Nucleus login/logout system are:

  1. In the database, for each site member:
    • A user name, used to log in.
    • A password, of which only the md5 hash is stored. The original password is never stored and can thus never be recovered if forgotten (except by brute force). The hash is unsalted (the login check is a plain md5($password) == $dbpassword), so two members with the same password share a hash, and an offline dictionary attack against a leaked member table costs only one md5 per guess.
    • A cookiekey, a random string that is created when a user logs in. It is used for cookie authentication.
  2. On the client side, in the user's cookies:
    • A user cookie, containing the user name (the same one as in the database).
    • A cookiekey cookie, containing the same key as stored in the database.
    • A sharedpc cookie.

Login

When you fill out a name and password in the Nucleus login form and hit the 'Login' button, the request is sent back to Nucleus. The request always goes back to the same page, whether the login form was on a site page or in the admin area. A hidden action variable with the value login is passed along. The admin area login form can also pass extra variables for the original request: the original action is passed as oldaction, so it can be executed immediately after the login succeeds.

The login is always handled in the same way, inside the code of globalfunctions.php, which is executed on every request:

  1. Create the global $member object.
  2. Get the login, password and shared variables out of the request.
  3. Use $member->login($login, $password) to check the validity of the login. The check basically comes down to md5($password) == $dbpassword.
  4. When the login was successful, a new cookiekey is generated ($member->newCookieKey()) and stored in the database. After that, the client cookies are set using $member->setCookies($shared). The $shared argument is the value of the 'shared pc' checkbox; when set, the cookies are session cookies that are destroyed when the browser session ends.
  5. When available, the oldaction variable is copied into action, so the admin area can execute the correct action.

On Each Request

Once logged in, every request re-validates the user. This is done in the same piece of code in globalfunctions.php:

  1. Create the global $member object.
  2. Get the user name and cookiekey from the user and cookiekey cookies.
  3. Use $member->cookielogin($user, $key) to log in; the key from the cookie must match the one stored for that member in the database.
  4. On success, refresh the cookies on the client.

Logout

Logging out consists of simply sending an action parameter of logout to any page generated by Nucleus. Once again, the same piece of code comes into action:

  1. Create the global $member object.
  2. Set empty user and cookiekey cookies, and set their expiration time somewhere in the past.
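The three procedures above (login, the per-request cookie login, and logout) as one runnable walk-through. This is an added example, not code from Nucleus: the member table and the cookie jar are in-memory arrays so it runs from the command line, and the names $members, $jar, storeCookie(), cookieLogin(), the 30-day cookie lifetime and the 40-character key length are this example's own assumptions. It uses hash_equals() where the article's check uses ==.

```php
<?php
// Added example, not Nucleus code: minimal model of login / cookie login / logout.

$members = [
    // password stored as an unsalted md5 hash, as the article describes (constructed data)
    'alice' => ['password' => md5('correct horse'), 'cookiekey' => ''],
];
$jar = [];  // stand-in for $_COOKIE on the way in and setcookie() on the way out

function storeCookie(array &$jar, string $name, string $value, bool $shared): void
{
    // 'shared pc' checked: session cookie (expires = 0, gone when the browser closes);
    // unchecked: persistent cookie, 30 days here as an assumed lifetime.
    $jar[$name] = ['value' => $value, 'expires' => $shared ? 0 : time() + 30 * 86400];
}

function newCookieKey(): string
{
    // a fresh random key from the CSPRNG, 40 hex characters (assumed length)
    return bin2hex(random_bytes(20));
}

// Steps 3 and 4 of "Login": verify the md5 of the password, then mint and store a new key.
function login(array &$members, array &$jar, string $login, string $password, bool $shared): bool
{
    if (!isset($members[$login])) {
        return false;
    }
    // hash_equals() instead of ==: strict string comparison in constant time
    if (!hash_equals($members[$login]['password'], md5($password))) {
        return false;
    }
    $key = newCookieKey();             // replaces the old key: any other browser is now logged out
    $members[$login]['cookiekey'] = $key;
    storeCookie($jar, 'user', $login, $shared);
    storeCookie($jar, 'cookiekey', $key, $shared);
    return true;
}

// "On Each Request": accept the visitor only if the cookie pair matches the stored key.
// Returns the member name, or null for anonymous visitors and stale or forged cookies.
function cookieLogin(array $members, array $jar): ?string
{
    if (!isset($jar['user'], $jar['cookiekey'])) {
        return null;
    }
    $user = $jar['user']['value'];
    $key  = $jar['cookiekey']['value'];
    // a member who never logged in has an empty stored key; never let '' match ''
    if ($key === '' || !isset($members[$user]) || $members[$user]['cookiekey'] === '') {
        return null;
    }
    return hash_equals($members[$user]['cookiekey'], $key) ? $user : null;
}

// "Logout": empty cookies with an expiry in the past. The article's two steps touch only
// the client side; this example additionally clears the stored key (marked below) so a
// copy of the old cookie pair cannot be replayed after logout.
function logout(array &$members, array &$jar): void
{
    $user = $jar['user']['value'] ?? '';
    foreach (['user', 'cookiekey'] as $name) {
        $jar[$name] = ['value' => '', 'expires' => time() - 86400];
    }
    if (isset($members[$user])) {
        $members[$user]['cookiekey'] = '';   // added in this example, not part of the described flow
    }
}

// Walk through the flow from the command line.
printf("wrong password accepted: %s\n", var_export(login($members, $jar, 'alice', 'wrong', false), true));
printf("login ok: %s\n", var_export(login($members, $jar, 'alice', 'correct horse', true), true));
printf("cookie expiry (0 = session cookie): %d\n", $jar['cookiekey']['expires']);
printf("cookie login as: %s\n", var_export(cookieLogin($members, $jar), true));

$otherBrowser = $jar;                                     // the same cookies, copied to a second browser
login($members, $jar, 'alice', 'correct horse', false);   // log in again from the first browser
printf("second browser still valid: %s\n", var_export(cookieLogin($members, $otherBrowser), true));

logout($members, $jar);
printf("after logout: %s\n", var_export(cookieLogin($members, $jar), true));
```

Run with php on the command line. The second login replaces the stored cookiekey, so the copy held by $otherBrowser no longer validates: that is the single-session behaviour listed under the known problems below, reproduced deliberately. After logout(), cookieLogin() returns null for the cleared cookies.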

Using global $member object

As a result of the previous code, a global $member object is available during the generation of any Nucleus page. It's available after config.php has been included, which is basically from the very start.

The main methods of interest are:

Method                        Description
isLoggedIn()                  Evaluates to true when the user is logged in.
isAdmin()                     Evaluates to true when the user is a superadmin.
isBlogAdmin($blogid)          Evaluates to true when the user is a blog admin (explicit).
isTeamMember($blogid)         Evaluates to true when the user is on a blog team (explicit).
blogAdminRights($blogid)      Evaluates to true when the user is a blog admin, or is a superadmin.
teamAdminRights($blogid)      Evaluates to true when the user is on a blog team, or is a superadmin.
canAlterItem($itemid)         Evaluates to true when the user is allowed to edit an item.
canAlterComment($commentid)   Evaluates to true when the user is allowed to edit a comment.
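The rights checks from the table, written out as a small class over in-memory data, with the v3.1 canAlterItem() rule (author or explicit blog admin, as described under "Problems" below) next to the CVS version that also admits superadmins. This is an added example, not the Nucleus Member class; the data layout ($team, $items), the MemberCvs class name and the requirement that a superadmin be explicitly allowed are this example's own assumptions.

```php
<?php
// Added example, not Nucleus code: the rights checks as boolean logic over arrays.

class Member
{
    protected string $name;
    protected bool $superadmin;
    protected array $team;   // blogid => [member name => true if blog admin]
    protected array $items;  // itemid => ['blog' => blogid, 'author' => member name]

    public function __construct(string $name, bool $superadmin, array $team, array $items)
    {
        $this->name = $name;
        $this->superadmin = $superadmin;
        $this->team = $team;
        $this->items = $items;
    }

    public function isLoggedIn(): bool { return $this->name !== ''; }
    public function isAdmin(): bool { return $this->superadmin; }
    public function isTeamMember(int $blogid): bool { return isset($this->team[$blogid][$this->name]); }
    public function isBlogAdmin(int $blogid): bool { return !empty($this->team[$blogid][$this->name]); }
    // explicit right, or the superadmin override
    public function blogAdminRights(int $blogid): bool { return $this->isBlogAdmin($blogid) || $this->isAdmin(); }
    public function teamAdminRights(int $blogid): bool { return $this->isTeamMember($blogid) || $this->isAdmin(); }

    // v3.1 behaviour: the item's author, or an explicit blog admin. A superadmin who is
    // neither is refused, which is the fourth known problem listed below.
    public function canAlterItem(int $itemid): bool
    {
        if (!isset($this->items[$itemid])) {
            return false;
        }
        $item = $this->items[$itemid];
        return $item['author'] === $this->name || $this->isBlogAdmin($item['blog']);
    }
}

// The CVS change (bug 1016217): use blogAdminRights() so that superadmins pass as well.
class MemberCvs extends Member
{
    public function canAlterItem(int $itemid): bool
    {
        if (!isset($this->items[$itemid])) {
            return false;
        }
        $item = $this->items[$itemid];
        return $item['author'] === $this->name || $this->blogAdminRights($item['blog']);
    }
}

// Constructed data: blog 1 has alice (blog admin) and bob; item 10 was written by bob.
$team  = [1 => ['alice' => true, 'bob' => false]];
$items = [10 => ['blog' => 1, 'author' => 'bob']];

foreach (['bob' => false, 'alice' => false, 'root' => true, 'eve' => false] as $name => $super) {
    $old = new Member($name, $super, $team, $items);
    $new = new MemberCvs($name, $super, $team, $items);
    printf("%-6s v3.1: %-5s  CVS: %s\n", $name,
        var_export($old->canAlterItem(10), true), var_export($new->canAlterItem(10), true));
}
```

Running it shows the one row that differs: root, the superadmin who is neither author nor on the blog team, is refused by the v3.1 rule and accepted by the CVS rule. bob (author) and alice (blog admin) are accepted by both, and eve, who has no relation to the blog, by neither.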

Problems

Some known problems:

  • When you log in from one computer, you log yourself out on every other computer. This is because a new cookiekey is created at login time, invalidating the cookiekey in the cookie on the other computer.
  • When installing multiple Nucleus installations on the same site (e.g. in a subdirectory), it's quite hard to find the correct cookie settings to use.
  • When other software is installed on the same server, the cookie names (user and cookiekey) can easily collide with cookies used by that software.
  • Currently (v3.1), a superadmin is not allowed to edit comments or items unless he is the author or a blog admin.

Planned enhancements/changes in CVS

  • A configurable cookie prefix should prevent cookie names from colliding with other software installed on the server, and should make installing multiple Nucleus installations on the same site easier. (bug 1008171, included in CVS)
  • The canAlterComment and canAlterItem methods should also return true for superadmins. (bug 1016217, included in CVS)
  • A way to allow logins from more than one computer at a time. (feature request 933588)
  • Re-enable external authentication (it was present for a while in CVS before 2.5beta). In this mode, plugins do the authentication. This can be useful when you want to allow e.g. forum users to become Nucleus members as well. (feature request 1026856)
