Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
One Login To Rule them All - Seamless and Secure Cross-Domain Authentication
Feb 24, 2016 @ 11:48:28

On the Paragon Initiative site they've posted a new tutorial sharing a method for creating "one login to rule them all" for your PHP-based applications. The goal is to make one system that can provides a single authentication point and secure credential storage.

Problem: You want to create a system whereby when a user authenticates to example.com, they're also automatically logged in at foo.com, bar.com, baz.com, and any other domains that you decide to add to the list at a later date. Okay, great, that seems straightforward, except there's a complication: The Same Origin Policy prevents you from getting/setting cookies on domains other than the one you control.

[...] Let's narrow it down a little bit further: Unlike a situation where e.g. "Login with Facebook" would be appropriate, you control all of the domains. They just happen to be different, so the Same Origin Policy kicks in. For simplicity, feel free to assume they're on the same server and application codebase, but you have a multi-site architecture in place where some of the sites have a different domain name.

Let's work around this limitation with as few moving parts as possible.

He then shoes how to use libsodium (via the Halite wrapper) to secure your credentials (passwords) and hooking it into a custom API endpoint that takes in a hex-encoded JSON string and a signature for the payload. He then expands this to provide "automatic login" handling making use of another endpoint to fetch an image to and log in the user by passing it the payload and signature values. He ends the post with a few security concerns around using this method and some things that it assumes are correct (and robust enough).

tagged: login single seamless crossdomain payload signature libsodium tutorial api

Link: https://paragonie.com/blog/2016/02/one-login-rule-them-all-seamless-and-secure-cross-domain-authentication

Paul Jones:
Service Classes, Payloads, and Responders
Aug 12, 2015 @ 10:52:27

Paul Jones has written up a post talking about service classes, payloads and responders and how they can help pull logic out of controllers and into more reusable chunks. It's inspired by comments and methods mentioned in another earlier post from Revath Kumar.

Revath Kumar has a good blog post up about extracting domain logic from controllers and putting that logic in a service class. After reading it, I commented that with a little extra work, it would be easy to modify the example to something closer to the Action-Domain-Responder pattern. In doing so, we would get a better separation of concerns (especially in presentation).

Paul applies some of the concepts that Revath outlined to the ADR pattern, suggesting that service classes should always return Payloads and the reduction of functionality in the controller overall. He includes an example of what the resulting code would look like, following along with the "orders" scenario outlined in Revath's post.

tagged: service class payload responder adr action domain responder designpattern

Link: http://paul-m-jones.com/archives/6172

Paul Jones:
Action-Domain-Responder and the “Domain Payload” Pattern
Oct 01, 2014 @ 10:16:11

Paul Jones has a new post with more information about his proposed "Action-Domain-Responder" design pattern (a replacement for the typical MVC) and suggests a new piece, the Domain Payload pattern. This pattern would use a domain payload object to wrap the data and provide the responder with additional handling and context.

In Action-Domain-Responder the Action passes input to the Domain layer, which then returns some data for the Action to pass to the Responder. In simple scenarios, it might be enough for the Responder to inspect the data to determine how it should present that data. In more complex scenarios, though, it would make more sense for the Domain to pass back the data in a way that indicates the status of the data. Instead of the Responder inspecting the Domain results, the Domain should tell us what kind of results they are.

He shows a code example of this Domain Payload object in action, starting with some typical MVC code and refactoring it along the way into an ADR structure. He shifts from a typical model into a more domain-driven approach and describes the wrapping of the data in the payload, context for the contents (even just a class name helps) and how those relate to the actual output. You can find the resulting code in this example over on Paul's GitHub account.

tagged: action domain responder mvc adr payload wrapper context data

Link: http://paul-m-jones.com/archives/6043

Sending MIME Email with PHP
Jul 10, 2008 @ 08:49:20

In this new tutorial on DevShed Alejandro Gervasio explains how to send emails from PHP with MIME payloads attached.

One of the most common tasks that a PHP programmer has to tackle is the development of applications that send MIME email in one form or another. In simple terms, MIME email consists of an extension of traditional email technology and comes in handy for sending email messages in fancy HTML and handling file attachments in a wide variety of formats.

In this first part of the series he just lays the groundwork - creating the mailer class they'll use for the series and using it to send a sample email (a basic message with a plain text MIME block).

tagged: mime email tutorial payload class binary


PHP Web Services Blog:
Payload the Way You Want with PHP5 built-in SOAP
Jan 30, 2008 @ 15:00:31

The PHP Web Services blog has a helpful hint on getting a custom SOAP request all ready to go:

How do you get this [custom] XML to be output by the SoapClient?

Using the SoapVar method and a few newly created objects, making a custom structure is simple. It's just a matter of encoding the object and setting it with the base() method in the PHP SOAP extension. Check out the blog post for an example of both the custom XML and the code to produce it.

tagged: payload custom soap extension soapvar object encode