How to add user authentication to an application

Do not use any version of phpPeanuts before 1.4.beta1 for applications that require user authentication based on cookies. These versions of phpPeanuts are vulnerable to cross-site scripting that may allow third parties to steal the cookies that are used for authentication.

The simplest way to add user authentication to an application may be to use the facilities of the web server you are using. See your web server documentation for how to set up a username/password list and limit access to a folder. If you use a hosted web server account from a hosting provider, there will probably be a convenient user interface for this.

Alternatively you may use the authentication plugin that will be available for phpPeanuts 1.4.beta1. It can authenticate users by username and password and may be used to authorize users by their roles for access and actions on applications or types. It comes with an administration application and basic classes for User, UserRole and UserGroup. It extends example 13 with voluntary authentication and an example implementation of SecurityManager for authorization. The SecurityManager in the admin class may be used as another (simpler) example.

The PntxUser and PntxUserGroup classes of the authentication plugin are kept to a minimal implementation of role-based security. If you need to administer more user data or adapt the user (group) behavior, you can do so on the User and UserGroup classes in the admin classFolder. For example, a UserGroup by default has only one credential: the value of its 'code' property. For access to the admin application that is 'ADM'. For example 13 the credential is 'DEMO'. If you need multiple credentials per group you can override the PntxUserGroup::hasCredential method on UserGroup and make it check against a list of credentials or a string containing multiple credentials.
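An added example of the override just described (not phpPeanuts' own code). It assumes hasCredential takes a single string argument and returns a boolean, that the 'code' property is read through a getCode() accessor, and that multiple credentials are stored in 'code' as a comma-separated string; a stand-in base class is defined so the file runs on its own.

```php
<?php
// Added example, not part of the phpPeanuts plugin. Assumptions:
// - PntxUserGroup::hasCredential($credential) returns bool (the page names
//   the method but not its signature);
// - the 'code' property is read through getCode();
// - several credentials are stored in 'code' as 'ADM,DEMO'.
// The base class below is a stand-in so this file runs without the plugin.

class PntxUserGroup {
    protected $code;

    public function __construct($code) { $this->code = $code; }

    public function getCode() { return $this->code; }

    // Default behaviour described on the page: exactly one credential,
    // the value of the 'code' property.
    public function hasCredential($credential) {
        return $this->getCode() === $credential;
    }
}

class UserGroup extends PntxUserGroup {
    // Override: treat 'code' as a comma-separated list of credentials.
    // Trimming plus a strict, case-sensitive comparison keeps 'ADM'
    // from matching 'ADMIN' or 'adm'.
    public function hasCredential($credential) {
        $credentials = array_map('trim', explode(',', (string) $this->getCode()));
        return in_array($credential, $credentials, true);
    }
}

// Usage: a group whose members may reach both the admin application
// and example 13.
$staff = new UserGroup('ADM, DEMO');
var_dump($staff->hasCredential('DEMO'));
var_dump($staff->hasCredential('ADMIN'));
```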

Authentication itself is implemented by the PntxSessionAuthenticator class. It uses $_SESSION to keep track of authenticated user sessions and may be extended for custom authentication. Its 

PntxUserAuthenticator extends it with the authentication of users and the checking of their credentials. It may be extended for custom user authentication and for the use of other User classes than those that come with the administration application. To activate your own Authenticator, make your SecurityManager::initAuthenticator method use your own class instead of PntxUserAuthenticator.

Authentication on its own is of little use, as the default authorization SecurityManager allows everybody to do everything. See how to control what kinds of users can see and do what.

PS. The authentication plugin relies on PHP's session to store its information for the authentication of users after they are logged in. To prevent session ids from being leaked through URLs, consider calling ini_set('session.use_only_cookies', '1'); Also consider taking additional measures to protect session content from other applications running on the same physical server, or to store authentication information in a safer place.
