PHP user authentication under IIS

vetteguy

Diamond Member
Sep 12, 2001
3,183
0
0
I am in need of a way to authenticate users to a website I am creating. It is using php and mySQL running on Windows 2000 and IIS. Part of this system requires people to be able to register with a username and password, and have that information stored in the database so they can log in and access certain functions of the site. All the books on php I have show doing this type of authentication only if you're using Apache. Google has turned up some cryptic things, but nothing that I'm finding terribly useful. Is anyone using this type of setup? If so, what are you doing about authentication? Or is Apache the only way to go? I would use Apache but the people I am building this for run IIS and won't switch. Thanks!
 

Gaunt

Senior member
Aug 29, 2001
450
0
0
I am considering building something similar in the very near future, so I'm interested in why this is an issue at all...

If you are only trying to authenticate users against information from your MySQL database, why does it depend on IIS or Apache? Grab the username and password (or password hash) from the form, and compare them against what you've retrieved from the table. That should work under either web server, should it not?
 

vetteguy

Originally posted by: Gaunt
If you are only trying to authenticate users against information from your MySQL database, why does it depend on IIS or Apache? Grab the username and password (or password hash) from the form, and compare them against what you've retrieved from the table. That should work under either web server, should it not?

I don't know, that's kind of what I'm asking. The books that I have both use methods that require Apache to get the user environmental variables. If you know of any online information I could reference I would greatly appreciate it.
 

holycow

Senior member
Feb 28, 2001
330
0
0
You can still create a session, create session variables, get environment variables, etc. on IIS. They aren't web-server dependent.
 

vetteguy

I found a couple sites that told how to do this, but they are all using the ISAPI module for php, which isn't fully supported yet. Plus, I can't get it to run for some reason. I'm going to try more tomorrow, or see if there's any way I can use Apache.
 

kt

Diamond Member
Apr 1, 2000
6,031
1,346
136
I don't really see what the big issue is here. A couple of people here already told you that it doesn't depend on what platform you are running PHP on. And it doesn't matter if you are running PHP thru ISAPI or thru executable CGI.

You can use MySQL database to store the user's information that you can authenticate against. And PHP session management to keep the user logged in. I've used the same set of PHP code (that includes user authentication) on Apache with PHP and IIS with PHP (thru ISAPI and executable CGI).
 

vetteguy

Originally posted by: kt
I don't really see what the big issue is here. A couple of people here already told you that it doesn't depend on what platform you are running PHP on. And it doesn't matter if you are running PHP thru ISAPI or thru executable CGI.

You can use MySQL database to store the user's information that you can authenticate against. And PHP session management to keep the user logged in. I've used the same set of PHP code (that includes user authentication) on Apache with PHP and IIS with PHP (thru ISAPI and executable CGI).

Here's a quote from a PHP book about authentication:

"$PHP_AUTH_USER and $PHP_AUTH_PW are only available if PHP is installed as an Apache module. If you are working on Windows, you will not be able to use this type of authentication"
Taken from MySQL/PHP Database Applications, page 302.

A quote from a website about PHP authentication:
"The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version"
Further down on the same page:
"Also note that this does not work using Microsoft's IIS server and the CGI version of PHP due to a limitation of IIS"
These are taken from http://www.zend.com/manual/features.http-auth.php if you don't believe me.

Are you saying that these resources are incorrect? I can find lots more that say the same thing. When it all comes down, I really couldn't care less which version/method I use, I just need to use SOMETHING. That's what I'm trying to find out how to do.
 

kt

Easy there, cowboy. I did not claim anything was incorrect in my post. I simply said you may have a user authentication system going regardless of what platforms you are using.. and I still stand by that claim. What you are linking me to is the HTTP Authentication scheme, which has nothing to do with what I was suggesting you use.

If you still think that it's impossible to do user authentication using PHP with MySQL on IIS, that's fine, I won't waste my time explaining. But if you do have a change of mind, then do a search on Google using this search string "PHP MySQL user authentication"; you'll get enough information to go on or even a ready-to-go script.
 

vetteguy

Yes I've searched on Google, and I've seen db authentication schemes, but they all use the HTTP method of grabbing user names and passwords. I'll just find another way, thanks for your help.
 

Superwormy

Golden Member
Feb 7, 2001
1,637
0
0
DON'T USE THAT BOOK.

The book is trying to get you to do something different from what you want; it's using the Authentication built into Apache, and you want to write your own authentication stuff.


Basically, first make a table in MySQL:
ID, username, password, fname, lname, datetime


Make an HTML form with a spot for a username and password, POST to a PHP script. When the PHP script gets the POST data with the username and password, do a select from db.

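// $db is an open mysqli connection (assumed). The ? placeholders keep the form input out of the SQL text.
$stmt = $db->prepare("SELECT ID FROM tablename WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $_POST['username'], $_POST['password']);
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows === 1) { // a matching row was found, not merely "the query ran"
    setcookie("COOKIE_NAME", "COOKIE_VALUE", 0); // placeholders: the post left name, value and expiry blank
    include ("page_that_says_successful_login.htm.php");
} else {
    include ("incorrect_username_or_password_page.htm.php");
}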


Then, every page from then on checks if that cookie is set; if it is, do nothing, if it's NOT SET, forward them back to the login page.
Course that's REALLY simplistic; you should be storing the password hashed in the database, setting a timeout for how long the cookie lasts, and how long login lasts in db, etc.

Hope that helps!
 

vetteguy

Cool, that's the type of thing I've been looking for. Like I said, everything I've seen so far has been using the HTTP authentication even though it's comparing the values to something in a database. kt, is this what you were getting at?

Here's another question though. I have a user registration thing which encrypts the password in the database. Is there an easy way to do the comparison even though it's encrypted? Still learning PHP.
 

Superwormy

The standard thing to do is to generate a one-way hash of the password, and store that in the database.

See http://www.php.net/md5


Then, when the user enters their password, md5 what they entered, and compare that to the value in the database. The downside is that you can never un-hash a password, so if they forget, you need to have them entirely reset the password to a new one.
 

vetteguy

Originally posted by: Superwormy
The standard thing to do is to generate a one-way hash of the password, and store that in the database.

See http://www.php.net/md5

Then, when the user enters their password, md5 what they entered, and compare that to the value in the database. The downside is that you can never un-hash a password, so if they forget, you need to have them entirely reset the password to a new one.

I will check this out...thanks! Sounds like what I'm looking for.
 

kt

Originally posted by: vetteguy
Cool, that's the type of thing I've been looking for. Like I said, everything I've seen so far has been using the HTTP authentication even though it's comparing the values to something in a database. kt, is this what you were getting at?

Here's another question though. I have a user registration thing which encrypts the password in the database. Is there an easy way to do the comparison even though it's encrypted? Still learning PHP.

I think that's what everyone who posted previous to me has been trying to get at. That you don't need to use HTTP authentication, and instead use PHP/MySQL to do user authentication. I am not sure if we were vague about it or not clear, but we did mention several times to use the PHP with MySQL database method to accomplish what you needed.

Follow Superwormy's example.. the only thing I would recommend against is using a cookie to keep the user logged in. Use a session instead.
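
The approach this thread arrives at (check the form input against the database, store a one-way hash, keep the login in a session), as an added example that is not any poster's code. It swaps md5() for PHP's password_hash()/password_verify(), which salt each password, and upgrades leftover md5 rows at login; the users table, the in-memory SQLite stand-in for MySQL, the begin_session() helper and the sample accounts are assumptions made for the example.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; schema and users are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
function register(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt per user and embeds it in the result.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user's ID on success, null on failure.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT ID, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['password'];
    // A row written by the md5() scheme is exactly 32 hex characters.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Replace the old hash now, while the plaintext is in hand.
        $db->prepare('UPDATE users SET password = ? WHERE ID = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['ID']]);
    }
    return (int) $row['ID'];
}

// Login page: call session_start() first, then on success bind the session to the user.
function begin_session(int $userId): void
{
    session_regenerate_id(true); // fresh session ID, so a pre-login ID is useless
    $_SESSION['user_id'] = $userId;
}

register($db, 'alice', 'correct horse');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['bob', md5('hunter2')]); // constructed legacy md5 row
var_dump(login($db, 'alice', 'wrong'));   // wrong password for a password_hash() row
var_dump(login($db, 'bob', 'hunter2'));   // legacy row: accepted, then rewritten
```

Protected pages then call session_start() and check $_SESSION['user_id'] instead of testing for a cookie the browser could set itself. None of this depends on Apache or IIS.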