Auth (pear.php.net)

Creating an authentication system.

The PEAR::Auth package provides methods for creating an authentication system using PHP.

Currently it supports the following storage containers to read/write the login data:
* All databases supported by the PEAR database layer
* All databases supported by the MDB database layer
* All databases supported by the MDB2 database layer
* Plaintext files
* LDAP servers
* POP3 servers
* IMAP servers
* vpopmail accounts (Using either PECL vpopmail or PEAR Net_Vpopmaild)
* RADIUS
* SAMBA password files
* SOAP (Using either PEAR SOAP package or PHP5 SOAP extension)
* PEAR website
* Kerberos V servers
* SAP servers

Maintainers (name, user, e-mail, active):
* Martin Jansen, MJ, mj@php.net, no
* Yavor Shahpasov, yavo, yavo@siava.org, no
* Adam Ashley, aashley, php@adamashley.name, yes
* James E. Flemer, jflemer, jflemer@acm.jhu.edu, no
* Adam Harvey, aharvey, aharvey@php.net, yes

Current release: 1.6.4 (API 1.5.0), stable (API stable), 2010-10-26, PHP License
* Fix baseinstalldir

Dependencies (name, channel, version):
* PHP 4.3.3
* PEAR installer 1.4.0b1
* Log (pear.php.net) 1.9.10
* File_Passwd (pear.php.net) 1.1.0
* Net_POP3 (pear.php.net) 1.3.0
* DB (pear.php.net) 1.6.0
* MDB (pear.php.net)
* MDB2 (pear.php.net) 2.0.0RC1
* Auth_RADIUS (pear.php.net)
* Crypt_CHAP (pear.php.net) 1.0.0
* File_SMBPasswd (pear.php.net) 1.0.0
* HTTP_Client (pear.php.net) 1.1.0
* SOAP (pear.php.net) 0.9.0
* Net_Vpopmaild (pear.php.net) 0.1.0
* vpopmail (pecl.php.net) 0.2, provides extension vpopmail
* kadm5 (pecl.php.net) 0.2.3, provides extension kadm5
* Extensions: imap, saprfc, soap

Changelog:

Release 1.2.2 (API 1.2.2), stable (API stable), 2003-07-29, PHP License
* Added support for passing container as an object
* Added fix when db_fields is *
* Added Test Suite (experimental)
* Added generic support for arbitrary password crypting functions different than MD5, DES and plain text. (Patch by Tom Anderson)
* Added new MDB storage container written by Lorenzo Alberton
* Added new Container for SAMBA password files (SMBPasswd)

Release 1.2.3 (API 1.2.3), stable (API stable), 2003-09-08, PHP License
* New method to auth_container getUser()
* New Auth_Container_File, using new File_Passwd class.
  Provided by Michael Wallner <mike@php.net>
* Login/Logout callbacks now get a reference to auth
* New Login Failed Callback added (method setFailedLoginCallback)
* SOAP container patch to keep a reference to the Soap response by Bruno Pedro <bpedro@co.sapo.pt>
* Auth is now installed in /pear-dir/Auth.php instead of /pear-dir/Auth/Auth.php, an empty file /pear-dev/Auth/Auth.php which includes Auth.php is added for BC
* The container now gets a reference to the auth object ($auth->storage->_auth_obj)
* Some patches from the pear-dev list below
  - maka3d@yahoo.com.br - Patch to use a method of the container in Auth_Container::verifyPassword
  - Lorenzo Alberton <l.alberton@quipo.it> - Patch to use variable session variable name, until now the variable auth was used
  - Marcos Neves <maka3d@yahoo.com.br> - Avoid error when calling getAuthData() before the login

Release 1.3.0r1 (API 1.3.0r1), beta (API beta), 2004-06-04, PHP License
* Changes to LDAP container:
  - check for loaded ldap extension at startup as suggested by Markku Turunen
  - make ldap version configurable via config array
  - documentation fix for active directory default user container
  [14/Jun/2004 - jw]
* Added an Auth_Controller class, to manage automatic redirection to login page and redirect back to the calling page [04/06/2004 - Yavo]
* Changes to LDAP container:
  - additional attribute fetching to authData via new option attributes
  - utf8 encoding username for ldapv3 (fixes german umlaut problem)
  - make scope definable for user and group searching separately
  - remove useroc, groupoc and replace them with userfilter, groupfilter which is way more flexible
  - updated documentation on all new and changed parameters
  As some of the parameters changed this one is not backwards compatible to earlier versions. Look at the top of the class where all parameters are explained in detail.
  [08/April/2004 - jw]
* Added new MDB2 container [30/March/2004 - quipo]
* Implements changePassword and CS fixed, patch from Cipriano Groenendal <cipri@cipri.com> [29/March/2004 - yavo]
* Added options for changing the post variables, patch supplied by Moritz Heidkamp <moritz.heidkamp@invision-team.de> [03/March/2004 - yavo]
* Added method setAdvancedSecurity and set advanced security to off by default, if turned on auth will perform additional security checks if ip or user agent has changed across requests
* Login is now performed only if showLogin is true, do not allow for logins to be performed from any page which calls auth->start, spotted by Matt Eaton <pear@divinehawk.com> [16/Jan/2004 - yavo]
* Fixed bug noted by Jeroen Houben <jeroen@terena.nl>, calling loginFailedCallback would not have the proper status set [16/Jan/2004 - yavo]
* Added PEAR container, authenticate the user against the pear web site (probably php.net also) [16/Dec/2003 - yavo]

Release 1.3.0r3 (API 1.3.0r3), beta (API beta), 2004-08-07, PHP License
* Moved login screen generation code to Auth/Frontend/Html.php. In the future the frontend will be configurable.
* Implemented support for Challenge / Response password authentication, have to enable advanced security $auth->setAdvancedSecurity, will work only with DB container and cryptType = none|md5
* Implemented setAllowLogin to control which pages are allowed to perform login, to preserve BC.
  Previously the showLogin flag was used to control this - yavo
* Implemented lazy loading for the storage constructor, constructor is only created when needed to make Auth more lightweight (this might be adding a bit more overhead to login and usermanagement functions)
* Removed include of PEAR, was not used anywhere in Auth.php
* Created a new storage container DBLite same as DB but with the user manipulation functions removed (50% smaller)
* Added a new method staticCheckAuth which can be called statically with only the auth options
* Auth::importGlobalVariable method was removed and replaced by references to global variables
* Removed all calls to $session[$this->_sessionName], made local reference session point to that instead
* Changed call_user_func to call_user_func_array for the callbacks, to avoid using @ for passing variables by reference
* Code Cleanup, removed most vi comments

Release 1.3.0r4 (API 1.3.0r4), beta (API beta), 2006-02-14, PHP License
This release fixes a security issue that allows an attacker to perform injection attacks against the underlying storage containers. Upgrading is strongly recommended if you are using beta releases of the Auth package.
* Improved parameter validation in the DB and LDAP containers. (Patch provided by Matthew Van Gundy.)
* Fixed Bug #3101: Wrong variable names in Auth/Container/File.php (mike)
* renamed supportsChallengeResponce() to supportsChallengeResponse() in the DB container (quipo)
* Fixed Bug #4347: recognition of DB and MDB objects passed as dsn
* Fixed Bug #6324: updated MDB2 container
* Fixed Bug #5174: "Only variable references should be returned by reference" bug in _factory()
* Fixed Bug #2446: English language typos. This results in a BC break for any custom containers that have implemented supportsChallengeResponce().
  Also all containers already supportsChallengeResponse() instead of supportsChallengeResponce() and therefore the call in Auth_Frontend_Html always called the default implementation and not the container implementation.

Release 1.3.0r5 (API 1.3.0r5), beta (API beta), 2006-02-21, PHP License
* Fixed Bug #2873: Allow calling programs to gracefully handle being unable to connect/bind to LDAP server.
* Fixed Bug #4918: Added support to specify which authentication method to prefer when authenticating against a POP3 backend.
* Fixed Bug #6644: Added support for LDAP_OPT_REFERRALS. Setting to false can improve compatibility with Active Directory.
* Fixed Bug #6791: Made all calls to call_user_func() call_user_func_array and made calls consistent per change done in 1.3.0r3.
* Fixed Bug #6803: deprecated DB function. Now requires DB >= 1.6.0
* Fixed Bug #6808: Whenever Auth_Container_DB attempts to change the database make sure the connection/DB object exists and is correct before attempting to use the DB quoting features.

Release 1.3.0RC6 (API 1.3.0RC6), beta (API beta), 2006-02-22, PHP License

Release 1.3.0RC7 (API 1.3.0RC7), beta (API beta), 2006-03-01, PHP License
This release is primarily a coding standard clean-up before the 1.3.0 final release. In addition the following improvements to the LDAP Container were supplied by Hugues Peeters <hugues.peeters@claroline.net>.
* Changed default attrformat to AUTH so that loaded attributes are presented in the same format as other backends provide.
* Added compatibility support to 1.2 style configuration options
* Attributes option now accepts a comma separated string as well as an array, the same as db_fields in the DB, MDB and MDB2 backends.
Finally there are additional checks that the relevant PHP module is loaded when loading the IMAP and VPOPMail Containers.

Release 1.3.0 (API 1.3.0), stable (API stable), 2006-03-03, PHP License
This is the final stable release of Auth 1.3.0. This version contains many new features over previous versions.
Summary of changes:
* New MDB2 container [30/March/2004 - quipo]
* New PEAR container, authenticate against pear.php.net [16/Dec/2003 - yavo]
* New Advanced Security mode to catch man-in-the-middle attacks.
* Added options for changing the post variables, patch supplied by Moritz Heidkamp <moritz.heidkamp@invision-team.de>
* New DBLite container, same as DB but with the user manipulation functions removed (50% smaller).
* Split login form to Auth_Frontend_HTML with goal to make it easily customisable.
Numerous other small fixes and improvements to all storage containers thanks to the following people: Matt Eaton, Jeroen Houben, Cipriano Groenendal, Markku Turunen, Matthew Van Gundy, marc at practeo dot ch and I'm sure many others that have contributed over the years it's taken to get this release out.

Release 1.3.1RC1 (API 1.3.1RC1), beta (API beta), 2006-08-11, PHP License
This release candidate is to test the numerous fixes described below. It is also to get feedback on the change made for Bug #8407. Bug #8407 adds automatic quoting of table and field names used in SQL in the Database backends.
* Fixed Bug #7031: session_regenerate_id() not cleaning up old session storage. Fix for this bug in PHP5.1.0+ has been done, still a problem in older versions of PHP.
* Fixed Bug #7421: Allow false to be passed in for allowLogin and advancedSecurity options.
* Fixed Bug #7434: Enable start_tls support for LDAP Container by Stuart Prescott <php.net@nanonanonano.net>
* Fixed Bug #7537: Made File Container capable of using all File_Passwd backends.
* Fixed Bug #7841: Added missing </center>. Really the whole frontend needs reworking.
* Fixed Bug #7860: Removed deprecated session_register call.
* Fixed Bug #7899: sessionValidThru() returning incorrect value when no idle timeout set.
* Fixed Bug #7956: Session handling had several security bugs before PHP4.3.3. Bumped PHP dependency so we don't have to deal with them.
* Fixed Bug #8076: MDB & MDB2 Containers not using default db_fields values
* Fixed Bug #8351: Documentation of $loginFailedCallback pointed to incorrect set function.
* Fixed Bug #8406: Error message updates by Adam Harvey <pear@adamharvey.name>
* Fixed Bug #8407: Database containers don't quote table/field names by Adam Harvey <pear@adamharvey.name>

Release 1.3.1 (API 1.3.1), stable (API stable), 2006-08-21, PHP License
* Fixed Bug #7031: session_regenerate_id() not cleaning up old session storage. Fix for this bug in PHP5.1.0+ has been done, still a problem in older versions of PHP.
* Fixed Bug #7421: Allow false to be passed in for allowLogin and advancedSecurity options.
* Fixed Bug #7434: Enable start_tls support for LDAP Container by Stuart Prescott <php.net@nanonanonano.net>
* Fixed Bug #7537: Made File Container capable of using all File_Passwd backends.
* Fixed Bug #7841: Added missing </center>. Really the whole frontend needs reworking.
* Fixed Bug #7860: Removed deprecated session_register call.
* Fixed Bug #7899: sessionValidThru() returning incorrect value when no idle timeout set.
* Fixed Bug #7956: Session handling had several security bugs before PHP4.3.3. Bumped PHP dependency so we don't have to deal with them.
* Fixed Bug #8076: MDB & MDB2 Containers not using default db_fields values
* Fixed Bug #8351: Documentation of $loginFailedCallback pointed to incorrect set function.
* Fixed Bug #8406: Error message updates by Adam Harvey <pear@adamharvey.name>
* Fixed Bug #8407: Database containers don't quote table/field names by Adam Harvey <pear@adamharvey.name>

Release 1.3.2 (API 1.3.2), stable (API stable), 2006-08-31, PHP License
* Fixed Bug #8524: Notice from attempting to perform string operation on what might be an array in DB, DBLite, MDB and MDB2. Thanks to dozoyousan at gmail dot com.
* Remove debug message from RADIUS Container when using CHAP_MD5 or MSCHAPv1 style passwords. Thanks to Stoyan Stefanov <ssttoo at gmail dot com> for pointing out this 3yr old bug.

Release 1.4.0RC1 (API 1.4.0), beta (API stable), 2006-09-11, PHP License
* Added new SOAP container that makes use of the PHP5 SOAP Client. Thanks to Marcel Oelke <puRe at rednoize dot com>. Fixes #2612.
* Added support for trying all the user accounts returned from an LDAP server not just the first one so as to support authenticating against Lotus Notes which allows identical usernames where the only difference is the password. Fixes #5365.
* Added new Array container for simple authentication setups where it's easier to list users in the file than setup some sort of backend. Thanks to georg_1 at have2 dot com. Fixes #5832.
* Added KADM5 container that makes use of the PECL kadm5 extension to authenticate against Kerberos 5 servers. Thanks to Andrew Teixeira <ateixeira at gmail dot com>. Fixes #6671.
* Fixed #8597. Remove references to $GLOBALS['HTTP_*_VARS'] now that we require PHP 4.3.3+ for other reasons.
* Added SAP container that makes use of the SAPRFC extension available from http://saprfc.sourceforge.net/. Thanks to Stoyan Stefanov <ssttoo at gmail dot com>. Fixes #8637.
* Fix #8599. Allow identifier quoting in DB, DBLite, MDB and MDB2 backends to be switched off by developer.

Release 1.4.0RC3 (API 1.4.0), beta (API stable), 2006-09-21, PHP License
* Fix Bug #8732: Auth_Container_DB having problems with SQLite databases. SQLite returns the name of quoted field names including the quotes instead of stripping the quotes like all other DBs.
* Fix Bug #8735: Auth_Container_File::addUser() working on different instances of File_Passwd object.

Release 1.4.0 (API 1.4.0), stable (API stable), 2006-10-20, PHP License
* Added new SOAP container that makes use of the PHP5 SOAP Client. Thanks to Marcel Oelke <puRe at rednoize dot com>. Fixes #2612.
* Added support for trying all the user accounts returned from an LDAP server not just the first one so as to support authenticating against Lotus Notes which allows identical usernames where the only difference is the password. Fixes #5365.
* Added new Array container for simple authentication setups where it's easier to list users in the file than setup some sort of backend. Thanks to georg_1 at have2 dot com. Fixes #5832.
* Added KADM5 container that makes use of the PECL kadm5 extension to authenticate against Kerberos 5 servers. Thanks to Andrew Teixeira <ateixeira at gmail dot com>. Fixes #6671.
* Fixed #8597. Remove references to $GLOBALS['HTTP_*_VARS'] now that we require PHP 4.3.3+ for other reasons.
* Added SAP container that makes use of the SAPRFC extension available from http://saprfc.sourceforge.net/. Thanks to Stoyan Stefanov <ssttoo at gmail dot com>. Fixes #8637.
* Fix #8599. Allow identifier quoting in DB, DBLite, MDB and MDB2 backends to be switched off by developer.
* Fix Bug #8732: Auth_Container_DB having problems with SQLite databases. SQLite returns the name of quoted field names including the quotes instead of stripping the quotes like all other DBs.
* Fix Bug #8735: Auth_Container_File::addUser() working on different instances of File_Passwd object.

Release 1.4.1 (API 1.4.0), stable (API stable), 2006-10-28, PHP License
* Forgot to add Auth/Container/Array.php to package2.xml.

Release 1.4.2 (API 1.4.0), stable (API stable), 2006-11-10, PHP License
* Fixed Bug #9241: Callback functions were being passed a copy of the login object instead of a reference to it under PHP4.
* Fixed Bug #9286: Comparison of passwords and their hashes could give false positive.

Release 1.4.3 (API 1.4.0), stable (API stable), 2006-12-06, PHP License
* Fixed Bug #9380: Default Auth_Container_POP3 configuration not working.
* Fixed Bug #9407: Add callback in checkAuth() process.
* Fixed Bug #9479: Typo in Auth_Container_KADM5::_checkServer causes failure. Thanks to Matt T. Proud (khanreaper at nerp dot net).

Release 1.5.0RC1 (API 1.5.0), beta (API stable), 2007-01-17, PHP License
* Completed Request #2229: Ability to attach fall through containers. This is implemented through the use of a new container Auth_Container_Multiple. See multi-container.php in examples directory.
* Completed Request #4126: Enhancements to Advanced Security Mode. Thanks to makler at man dot torun dot pl.
* Completed Request #6949: Use Log package for debugging messages. See logging.php in examples directory.
* Completed Request #7089: Add optional extra WHERE options to DB and MDB(2) containers.
* Add ability to pass an instantiated DB, MDB or MDB2 database connection to each of the respective Auth Containers.

Release 1.5.0RC2 (API 1.5.0), beta (API stable), 2007-02-02, PHP License
* Fixed Bug #9944: Logging constants not defined when logging disabled.
* Fixed Bug #10000: Stupid developer didn't stop to look what he was doing and broke things.
* Fixed Bug #10004: Logging of connection failures in LDAP container missing.

Release 1.5.0 (API 1.5.0), stable (API stable), 2007-02-13, PHP License
* Completed Request #2229: Ability to attach fall through containers. This is implemented through the use of a new container Auth_Container_Multiple. See multi-container.php in examples directory.
* Completed Request #4126: Enhancements to Advanced Security Mode. Thanks to makler at man dot torun dot pl.
* Completed Request #6949: Use Log package for debugging messages. See logging.php in examples directory.
* Completed Request #7089: Add optional extra WHERE options to DB and MDB(2) containers.
* Fixed Bug #9944: Logging constants not defined when logging disabled.
* Fixed Bug #10000: Stupid developer didn't stop to look what he was doing and broke things.
* Fixed Bug #10004: Logging of connection failures in LDAP container missing.

Release 1.5.1 (API 1.5.0), stable (API stable), 2007-03-23, PHP License
* Added missing optional dependency on PEAR Log to package.xml
* Fixed Bug #10125: Auth_Container_LDAP::fetchData only fetching attributes for first entry.

Release 1.5.2 (API 1.5.0), stable (API stable), 2007-06-12, PHP License
* Feature Request #10729: Optionally regenerate session id on every page request. Thanks to Bernhard for patch.
* Fixed Bug #10785: Notice when Auth::logout() called with a login callback defined but no user logged in.
  Suggested fix thanks to Sascha Grossenbacher.

Release 1.5.3 (API 1.5.0), stable (API stable), 2007-07-02, PHP License
* Fixed Bug: If Auth::setSessionName() is called new session name variable is not initialised so checks for session storage fail.
* Fixed Bug #11396: Auth_Container_Pear doesn't work with latest changes to pear.php.net. Fix by Adam Harvey.
* Fixed Bug #11476: SOAP5 container's _validateOptions() and _setDefaults() functions were setting options into the wrong object parameter. Thanks to Köles Mihály for fix.

Release 1.5.4 (API 1.5.0), stable (API stable), 2007-07-02, PHP License
* Fixed Bug #11499: Redundant parameter in Auth_Container_SOAP5::_validateOptions() definition. Thanks to Koles Mihaly for spotting this.

Release 1.6.0 (API 1.5.0), stable (API stable), 2008-04-04, PHP License
* Fixed Bug #12112: Advanced Security Cookie has different settings to session cookie.
* Implemented Request #13337: New vpopmail container utilising Net_Vpopmaild. Patch supplied by Bill Shupp (shupp)
* Implemented Request #13418: Karma support for PEAR Container. Patch supplied by Christian Weiske (cweiske).
* Added correct debug message for when no login has occurred instead of session storage not found.
* Implemented Request #12061: Auto Quote handle database schema changes. ie schema.tableName -> "schema"."tableName"
* Implemented Request #12087: Ability to select which Advanced Security options are used.
* Fixed Doc Bug #12156: Correction to doc page for Auth::setSessionName() by Adam Harvey (aharvey)

Release 1.6.1 (API 1.5.0), stable (API stable), 2008-04-04, PHP License
* Actually included the new NetVPOPMaild container file.
  *mutter*grumble*stupid package.xml*grumble*mutter*
* Fix Bug #13578: Parse errors in DB Containers

Release 1.6.2 (API 1.5.0), stable (API stable), 2010-02-12, PHP License
* Fix Bug #13756: Variable name misspelling in SAP container
* Fix Bug #13757: AUTH_LOG_ERR used but not defined
* Fix Bug #14248: Typo and documentation fixes
* Fix Bug #16676: Notices in PEAR container (cweiske)

Release 1.6.3 (API 1.5.0), stable (API stable), 2010-10-26, PHP License
Automatically built QA release
Bug #17691 PATCH: Using explode instead of split - doconnor

Release 1.6.4 (API 1.5.0), stable (API stable), 2010-10-26, PHP License
Fix baseinstalldir