
Gonzalo Ayuso:
Token based authentication with Silex and AngularJS
June 09, 2014 @ 10:33:37

Gonzalo Ayuso has posted a tutorial showing how to use token-based authentication with a Silex-based application through a request from AngularJS.

According to my last post, today we're going to create an AngularJS application that uses the Silex backend that we created previously. The idea of this application is to use it within a Phonegap/Cordova application running on a mobile device.

He includes the code (and markup) you'll need to make the request work. Basically, it uses a standard HTTP service from inside AngularJS to fetch the token and store it in the client's localStorage. The rest of the code checks whether the user is logged in (the token exists) or whether it needs to show the login form. The "logged in" route also displays an alert to the user with their user info (pulled from the API). The full code for the example can be found over on GitHub.

token authentication silex angularjs tutorial login localstorage

Link: http://gonzalo123.com/2014/06/09/token-based-authentication-with-silex-and-angularjs/

Gonzalo Ayuso:
Token based authentication with Silex Applications
May 06, 2014 @ 10:56:32

Gonzalo Ayuso has put together a new post for his site showing how to do token-based authentication with Silex and the help of a few additional Symfony components.

What happens if we want to use a security layer [in a Silex application]? We can use sessions. Sessions are the "standard" way to perform authentication in web applications, but when our application is a PhoneGap/Cordova application that uses a Silex server as an API server, sessions aren't the best way. The best way now is token based authentication. The idea is simple. First we need a valid token. Our API server will give us a valid token if we send valid credentials in a login form. Then we need to send the token with each request (the same way that we send the session cookie with each request).

He includes all the code you'll need to follow along. His example shows a basic Silex application that fetches the token from the URL and uses middleware to handle the validation. There's a bit of CORS mixed in as well to make the cross-domain requests from the applications possible. He creates a service provider (for logins) and controller provider to handle each type of request.

token authentication silex application tutorial

Link: http://gonzalo123.com/2014/05/05/token-based-authentication-with-silex-applications/

9Lessons.info:
Login with GitHub OAuth using PHP
February 11, 2014 @ 11:36:57

On the 9lessons.info site they've posted a new tutorial showing how to log in with GitHub via OAuth using a custom script.

Nowadays GitHub.com (a web-based hosting service) is the most important part of a developer's life. In this post I want to discuss how to implement a GitHub OAuth login system for your web project; this is very simple to adopt and I'm sure it will help you to increase your web project registrations. Please check my previous posts for the Google, Facebook and Instagram OAuth login system scripts.

The system uses a simple database to store the current user information and their GitHub ID. They walk you through the flow of creating a new application on the GitHub site and include the scripts to make the initial request, redirect to the GitHub site for authorization and handle the callback correctly.

github oauth tutorial token

Link: http://www.9lessons.info/2014/02/login-with-github-oauth-php.html

Lorna Mitchell:
OAuth Middleware for Slim
October 09, 2013 @ 11:53:37

Lorna Mitchell has posted about some middleware for the popular Slim (micro)framework that helps with OAuth functionality.

OAuth can be anything you want it to be, the standards are lax and give you plenty of room for getting the right implementation for your system. However you proceed, though, you'll need to check an access token on every request - and in a Slim application, a middleware can help enormously since it hooks in to every request by design. I've recently implemented this and thought I would share.

She's created a basic middleware component that can be easily dropped into the framework to handle the checking of the tokens via an "AuthService" object. She also includes a brief snippet of how she generates the codes, combining the output of bin2hex and openssl_random_pseudo_bytes.

oauth middleware slim access token validation generate

Link: http://www.lornajane.net/posts/2013/oauth-middleware-for-slim
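
The per-request token check that both the Silex post (middleware validating a token passed in the URL) and Lorna Mitchell's Slim middleware describe, as an added example that is code from neither project. It issues an opaque token the way her post does, with bin2hex over openssl_random_pseudo_bytes, and then validates it on each request. The TokenStore class, the shape of the $request array and the 64-hex-character token format are assumptions made for this example; a real application would use its framework's Request object and a database or cache instead of the in-memory array.

```php
<?php
// Added example; not code from the Silex or Slim posts. An in-memory token
// store plus the middleware body that checks a token on every request.

final class TokenStore
{
    /** Keyed by sha256(token) so a leaked store does not expose live tokens. */
    private $tokens = [];

    /** Issue a 32-byte random token (64 hex chars) bound to a user and a TTL. */
    public function issue($userId, $ttlSeconds = 3600)
    {
        $token = bin2hex(openssl_random_pseudo_bytes(32));
        $this->tokens[hash('sha256', $token)] = [
            'user'    => $userId,
            'expires' => time() + $ttlSeconds,
        ];
        return $token;
    }

    /** Return the user id behind a valid, unexpired token, or null. */
    public function lookup($presented)
    {
        $key = hash('sha256', $presented);
        if (!isset($this->tokens[$key])) {
            return null;
        }
        if ($this->tokens[$key]['expires'] < time()) {
            unset($this->tokens[$key]);   // expired: drop it so it cannot be reused
            return null;
        }
        return $this->tokens[$key]['user'];
    }

    /** Logout: forget the token. */
    public function revoke($token)
    {
        unset($this->tokens[hash('sha256', $token)]);
    }
}

/**
 * Pull the token out of the request: an "Authorization: Bearer" header first,
 * then a ?token= query parameter (the form the Silex post uses). Only a
 * 64-hex-character value is accepted, so malformed input is rejected early.
 * The $request array layout is an assumption of this example.
 */
function extractToken(array $request)
{
    $auth = isset($request['headers']['Authorization']) ? $request['headers']['Authorization'] : '';
    if (is_string($auth) && preg_match('/^Bearer ([0-9a-f]{64})$/', $auth, $m)) {
        return $m[1];
    }
    $q = isset($request['query']['token']) ? $request['query']['token'] : '';
    if (is_string($q) && preg_match('/^[0-9a-f]{64}$/', $q)) {
        return $q;
    }
    return null;
}

/** The middleware body: a 401 response array, or the authenticated user. */
function authenticate(TokenStore $store, array $request)
{
    $token = extractToken($request);
    if ($token === null) {
        return ['status' => 401, 'body' => 'missing or malformed token'];
    }
    $user = $store->lookup($token);
    if ($user === null) {
        return ['status' => 401, 'body' => 'invalid or expired token'];
    }
    return ['status' => 200, 'user' => $user];
}

// Constructed walk-through: a login issues a token, later requests present it.
$store = new TokenStore();
$token = $store->issue('alice', 60);

$viaHeader   = authenticate($store, ['headers' => ['Authorization' => 'Bearer ' . $token], 'query' => []]);
$viaQuery    = authenticate($store, ['headers' => [], 'query' => ['token' => $token]]);
$forged      = authenticate($store, ['headers' => [], 'query' => ['token' => str_repeat('0', 64)]]);
$store->revoke($token);
$afterLogout = authenticate($store, ['headers' => [], 'query' => ['token' => $token]]);

var_dump($viaHeader['status'], $viaQuery['status'], $forged['status'], $afterLogout['status']);
```

Storing only a hash of the token means a dump of the store (or database table) does not hand out working credentials, and the strict format check in extractToken keeps arbitrary input out of the lookup. In a Slim or Silex app the authenticate() body would live inside the framework's middleware hook and return a real 401 response object.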

Pádraic Brady:
Stateful vs Stateless CSRF Defences: Know The Difference
August 13, 2013 @ 09:49:00

In this new post to his site, Pádraic Brady looks at two methods for generating CSRF (cross-site request forgery) tokens to help protect your application. It's not a tutorial per se; it's more of a comparison of two methods: stateful and stateless CSRF tokens.

The difference between Stateful and Stateless CSRF defences is that the former requires storing the CSRF token on the server (i.e. session data) while the latter does not, i.e. the server has zero record of any CSRF tokens. As far as the server is concerned, the number of parties with persistent knowledge of a valid token is reduced to just one - the client. [...] Let's compare both types of CSRF protections.

He introduces the concepts behind both types of token generation, pointing out that most of the PHP frameworks out there rely on the stateful option (the "synchronizer" method). The other method ("double submit") actually involves two tokens, one in the POST content and the other as a cookie value. He also dissects another stateless-token article he found and explains why its method of generation may not be ideal.

Like most attacks, CSRF does not exist in isolation so developing a good defence requires mitigating other attacks. [...] Any good CSRF token implementation, whether stateful or stateless, should reflect those requirements with features for limiting tokens by scope and time.

csrf token stateless stateful difference doublesubmit random synchronizer

Link: http://blog.astrumfutura.com/2013/08/stateful-vs-stateless-csrf-defences-know-the-difference

Joseph Scott:
Stateless CSRF Tokens
August 02, 2013 @ 11:16:44

Joseph Scott has a recent post to his site looking at the idea of stateless CSRF tokens and how to create them while avoiding the typical "store them in a session" mentality.

This is all fine and good until you want to avoid using PHP sessions. Perhaps you have several web servers and don't want to deal with shared session storage. Or have servers in multiple data centers and don't want to try and sync state across them. Whatever the reason, popping a token into $_SESSION isn't an option in this case. In short, you want some sort of stateless CSRF token.

He looks at two methods to help get around this issue. The first method is based on known values that won't change very frequently (say, maybe 24 hours). His second method, however, has a bit more strength to it. His idea uses a combination of a key, the current time, a timeout and a known string of data - all base64 encoded.

csrf token stateless tutorial session base64 timeout microtime

Link: https://josephscott.org/archives/2013/07/stateless-csrf-tokens

Anthony Ferrara:
Preventing CSRF Attacks
February 20, 2013 @ 09:36:41

Anthony Ferrara has written up a new post to his site looking at the effective use of CSRF tokens and a few different strategies for generating them.

There's been a bit of noise in the past week about the proper way to prevent Cross-Site-Request-Forgery (CSRF) attacks. It seemed to have started with this post. There's been discussion in the comments, and on Twitter about it, and there seem to be several opposing viewpoints on the matter. I want to start off by saying that I agree completely with the post in question. But I figured I'd write a post to explain WHY I agree with it.

He starts with an overview of a few of the common types of request forgery, including ones that start from a JavaScript injection, a man-in-the-middle attack or a replay attack. He then breaks up the "lines of defense" part of the post into three sections: adding a hidden token field to forms, changing the token for each request, and using random numbers when regenerating them.

csrf attack prevention overview token generation tutorial


Kevin Schroeder:
Generating secure cross site request forgery tokens (csrf)
February 11, 2013 @ 11:23:10

In a new post to his site, Kevin Schroeder shares his take on generating more secure CSRF tokens for use in your site.

In researching the second edition for the IBM i Programmer's Guide to PHP Jeff and I decided to include a chapter on security since we really didn't talk much about it in the first edition. I'm talking about cross site request forgeries right now and I wanted to make sure that what I was going to suggest would not break the internet in some way. I did some Google searching to see what other people were recommending.

Most of the examples he saw used md5, uniqid and rand to create a randomized hash. He suggests an alternative: a method using the hash_hmac and openssl_random_pseudo_bytes functions to generate a sha256 hash for use in your page's submissions.

csrf token generation hmac openssl
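
A stateless CSRF token in the spirit of Joseph Scott's second method (key, current time, timeout and a known string) and Kevin Schroeder's hash_hmac suggestion, as an added example that is code from neither post. It also shows the "limit by scope and time" property Pádraic Brady's post asks for: the token is an HMAC-SHA256 over the issue time, the user id and the form name, so it is only accepted for that user, that form and that time window, and the server keeps no per-token state. The CSRF_SECRET value, the function names and the token layout are this example's own; it needs PHP 5.6 or later for hash_equals.

```php
<?php
// Added example; not code from the Scott, Schroeder or Brady posts.
// CSRF_SECRET is a constructed placeholder: generate a real one once with
// bin2hex(openssl_random_pseudo_bytes(32)) and distribute it through
// configuration to every web server, since validation needs the same key.

const CSRF_SECRET = 'PLACEHOLDER-replace-with-32-random-bytes';
const CSRF_TTL    = 3600;   // seconds a token stays valid

/** The data the token is bound to; a NUL separator keeps fields from merging. */
function csrf_scope($issued, $userId, $formName)
{
    return $issued . "\0" . $userId . "\0" . $formName;
}

function b64url_encode($bin)
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode($str)
{
    $str = strtr($str, '-_', '+/');
    $str .= str_repeat('=', (4 - strlen($str) % 4) % 4);
    return base64_decode($str, true);
}

/** Token layout: base64url( "<unix time>." . raw 32-byte HMAC ). */
function csrf_issue($userId, $formName, $now = null)
{
    $now = $now === null ? time() : (int) $now;
    $mac = hash_hmac('sha256', csrf_scope($now, $userId, $formName), CSRF_SECRET, true);
    return b64url_encode($now . '.' . $mac);
}

function csrf_validate($token, $userId, $formName, $now = null)
{
    $now = $now === null ? time() : (int) $now;
    $raw = is_string($token) ? b64url_decode($token) : false;
    if ($raw === false) {
        return false;
    }
    // The timestamp is all digits, so the first '.' is the delimiter even if
    // the raw MAC happens to contain a '.' byte.
    $dot = strpos($raw, '.');
    if ($dot === false) {
        return false;
    }
    $issued = substr($raw, 0, $dot);
    $mac    = substr($raw, $dot + 1);
    if ($issued === '' || !ctype_digit($issued) || strlen($mac) !== 32) {
        return false;
    }
    $issued = (int) $issued;
    // Time limit: reject expired tokens and tokens stamped in the future.
    if ($issued > $now || $issued + CSRF_TTL < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', csrf_scope($issued, $userId, $formName), CSRF_SECRET, true);
    return hash_equals($expected, $mac);   // constant-time compare
}

// Constructed walk-through with a fixed clock so the cases are reproducible.
$issuedAt = 1400000000;
$token    = csrf_issue('user-42', 'delete-account', $issuedAt);
$tampered = $token;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';   // flip one character

var_dump(csrf_validate($token,    'user-42', 'delete-account', $issuedAt + 60));             // right user, form, time
var_dump(csrf_validate($token,    'user-42', 'change-email',   $issuedAt + 60));             // wrong form: scope mismatch
var_dump(csrf_validate($token,    'user-7',  'delete-account', $issuedAt + 60));             // wrong user
var_dump(csrf_validate($token,    'user-42', 'delete-account', $issuedAt + CSRF_TTL + 1));   // expired
var_dump(csrf_validate($tampered, 'user-42', 'delete-account', $issuedAt + 60));             // modified token
```

Because the only secret is the server key, any number of web servers or data centres can validate each other's tokens with no shared session storage, which is exactly the deployment Scott's post is worried about. Note that an attacker who obtains one valid token can replay it until it expires; keeping CSRF_TTL short and binding the token to the user id (so it is useless without that user's session) are what limit that window.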


Sherif Ramadan:
How to Write an Operator Precedence Parser in PHP
January 21, 2013 @ 11:21:22

Sherif Ramadan has a post looking at creating a better operator precedence parser in PHP. His example is a pure-PHP implementation that takes equation strings and evaluates them to produce the result.

Operator precedence parsers are very simple on the surface. So don't feel in the least bit intimidated, because by the time you've read through this I hope to have you walk away with a solid foundation on how to write your very own operator precedence parser. The goal is to understand how to solve the problem of operator precedence parsing, and not necessarily to write your own parser. Learning how the problem can be solved is the most important thing to take away from this article.

He starts with an introduction to the concepts behind "operator precedence", including processing order and grouping. He also mentions infix and postfix (RPN) notations for handling different formats of equations. He explains the "Shunting-yard Algorithm" and how it relates to handling the different parts of the equation, one at a time, in the correct order. The rest of the post is dedicated to the details of the execution in the tool, including code examples and the tokenization of the strings passed into it.

operator precedence parser string token shuntingyard algorithm
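
A compact shunting-yard evaluator, as an added example that is not Sherif Ramadan's code: it tokenizes the string, converts infix to postfix (RPN) while respecting precedence, associativity and parentheses, and then evaluates the RPN with a value stack. It handles the binary operators + - * / ^ on decimal numbers; unary minus and identifiers are deliberately out of scope. The $OPS table and the function names are this example's own.

```php
<?php
// Added example; not code from the post. Shunting-yard parser and RPN evaluator.

$OPS = [
    '+' => ['prec' => 1, 'assoc' => 'L'],
    '-' => ['prec' => 1, 'assoc' => 'L'],
    '*' => ['prec' => 2, 'assoc' => 'L'],
    '/' => ['prec' => 2, 'assoc' => 'L'],
    '^' => ['prec' => 3, 'assoc' => 'R'],   // right-associative: 2^3^2 = 2^(3^2)
];

/** Split the input into numbers, operators and parentheses; anything else is an error. */
function tokenize($expr)
{
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/^()]|\S/', $expr, $m);
    foreach ($m[0] as $tok) {
        if (!preg_match('/^(?:\d+(?:\.\d+)?|[-+*\/^()])$/', $tok)) {
            throw new InvalidArgumentException("unexpected character '$tok'");
        }
    }
    return $m[0];
}

/** Shunting-yard: infix token list -> postfix (RPN) token list. */
function toRpn(array $tokens, array $ops)
{
    $output = [];
    $stack  = [];   // operators and '(' waiting for their right operand
    foreach ($tokens as $tok) {
        if (is_numeric($tok)) {
            $output[] = $tok;
        } elseif (isset($ops[$tok])) {
            // Pop operators that bind at least as tightly (left-assoc) or
            // strictly tighter (right-assoc) before pushing this one.
            while ($stack && isset($ops[end($stack)])) {
                $top = end($stack);
                $pop = $ops[$top]['prec'] > $ops[$tok]['prec']
                    || ($ops[$top]['prec'] === $ops[$tok]['prec'] && $ops[$tok]['assoc'] === 'L');
                if (!$pop) {
                    break;
                }
                $output[] = array_pop($stack);
            }
            $stack[] = $tok;
        } elseif ($tok === '(') {
            $stack[] = $tok;
        } else {   // ')': unwind to the matching '('
            while ($stack && end($stack) !== '(') {
                $output[] = array_pop($stack);
            }
            if (!$stack) {
                throw new InvalidArgumentException('mismatched parentheses');
            }
            array_pop($stack);   // discard the '('
        }
    }
    while ($stack) {
        $op = array_pop($stack);
        if ($op === '(') {
            throw new InvalidArgumentException('mismatched parentheses');
        }
        $output[] = $op;
    }
    return $output;
}

/** Evaluate a postfix token list with a value stack. */
function evalRpn(array $rpn)
{
    $st = [];
    foreach ($rpn as $tok) {
        if (is_numeric($tok)) {
            $st[] = (float) $tok;
            continue;
        }
        if (count($st) < 2) {
            throw new InvalidArgumentException('operator without two operands');
        }
        $b = array_pop($st);
        $a = array_pop($st);
        switch ($tok) {
            case '+': $st[] = $a + $b; break;
            case '-': $st[] = $a - $b; break;
            case '*': $st[] = $a * $b; break;
            case '^': $st[] = pow($a, $b); break;
            case '/':
                if ($b == 0.0) {
                    throw new RuntimeException('division by zero');
                }
                $st[] = $a / $b;
                break;
        }
    }
    if (count($st) !== 1) {
        throw new InvalidArgumentException('malformed expression');
    }
    return $st[0];
}

function evaluate($expr, array $ops)
{
    return evalRpn(toRpn(tokenize($expr), $ops));
}

// Constructed inputs; the first is the classic textbook shunting-yard case.
foreach (['3 + 4 * 2 / (1 - 5) ^ 2 ^ 3', '(1 + 2) * 3', '2 ^ 3 ^ 2'] as $expr) {
    echo $expr, ' = ', evaluate($expr, $OPS), PHP_EOL;
}
```

The tokenizer rejects any character outside the grammar before parsing begins, and the evaluator never calls eval(), so the expression string is treated purely as data; that is the property to keep if the input comes from users.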


Lorna Mitchell's Blog:
Using OAuth2 for Google APIs with PHP
March 29, 2012 @ 12:02:21

Lorna Mitchell has a new post to her blog today showing how to use the functionality provided by the pecl_http extension to make an OAuth2 connection to Google.

I've written about Google and OAuth before, but that was OAuth v1.0, and they are introducing OAuth2 for their newer APIs; in this example I was identifying myself in order to use the Google Plus API. [...] OAuth 2 doesn't need an extension or any particular library as it doesn't have the signing component that OAuth 1 had, and OAuth 2 also has fewer round trips. It does require SSL however, because the requests are in the clear.

She includes some code snippets with an example of a connection: making a request to the remote HTTPS resource and adding some parameters to the URL (including the response type, your client ID and a redirect URL). The response then contains the "code" value you'll need to make the second request, which fetches the access token you'll need on future requests. You can find out more about the interface she's accessing in these docs about the Google Plus API.

oauth2 tutorial googleplus token pecl http
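
The two halves of the OAuth 2 authorization-code flow that both the GitHub tutorial from 9lessons and Lorna Mitchell's Google post walk through, as an added example that is code from neither: building the redirect URL with response_type, client_id and redirect_uri, then, on the callback, exchanging the returned code for an access token. It adds the one check both summaries leave implicit, a random "state" value that the callback must echo back, which is what stops a forged callback from attaching someone else's authorization to the current session. The OAuth2Client class, the curlPost helper and the placeholder credentials are this example's own; the endpoint and scope URLs are Google's from around the time of the post and should be confirmed against the provider's current documentation. The HTTP client is injected as a callable so the exchange can be exercised offline with a constructed response.

```php
<?php
// Added example; not code from the 9lessons or Lorna Mitchell posts.

class OAuth2Client
{
    private $clientId, $clientSecret, $redirectUri, $authorizeUrl, $tokenUrl, $http;

    public function __construct($clientId, $clientSecret, $redirectUri,
                                $authorizeUrl, $tokenUrl, callable $http)
    {
        $this->clientId     = $clientId;
        $this->clientSecret = $clientSecret;
        $this->redirectUri  = $redirectUri;
        $this->authorizeUrl = $authorizeUrl;
        $this->tokenUrl     = $tokenUrl;
        $this->http         = $http;   // callable($url, array $fields): string body
    }

    /** Step 1: the URL to send the browser to. $state must be kept in the session. */
    public function authorizationUrl($scope, &$state)
    {
        $state = bin2hex(openssl_random_pseudo_bytes(16));
        return $this->authorizeUrl . '?' . http_build_query([
            'response_type' => 'code',
            'client_id'     => $this->clientId,
            'redirect_uri'  => $this->redirectUri,
            'scope'         => $scope,
            'state'         => $state,
        ]);
    }

    /** Step 2: the provider redirects back with ?code=...&state=... */
    public function handleCallback(array $query, $expectedState)
    {
        if (!isset($query['state'], $query['code'])
            || !is_string($query['state']) || !is_string($query['code'])
            || !hash_equals($expectedState, $query['state'])) {
            throw new RuntimeException('state mismatch: callback was not started by this session');
        }
        $body = call_user_func($this->http, $this->tokenUrl, [
            'grant_type'    => 'authorization_code',
            'code'          => $query['code'],
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'redirect_uri'  => $this->redirectUri,
        ]);
        $data = json_decode($body, true);
        if (!is_array($data) || empty($data['access_token'])) {
            throw new RuntimeException('token endpoint did not return an access_token');
        }
        return $data['access_token'];
    }
}

/** A real HTTP client for production: HTTPS POST via curl, TLS verification left on. */
function curlPost($url, array $fields)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed offline walk-through with a fake token endpoint in place of curlPost.
$fakeHttp = function ($url, array $fields) {
    return json_encode(['access_token' => 'constructed-token-for-' . $fields['code'], 'token_type' => 'Bearer']);
};
$client = new OAuth2Client(
    'CLIENT_ID_PLACEHOLDER', 'CLIENT_SECRET_PLACEHOLDER',
    'https://example.com/oauth/callback',
    'https://accounts.google.com/o/oauth2/auth',
    'https://accounts.google.com/o/oauth2/token',
    $fakeHttp
);
$state = null;
$url = $client->authorizationUrl('https://www.googleapis.com/auth/plus.me', $state);
// ... store $state in $_SESSION, redirect the browser to $url ...
$token = $client->handleCallback(['code' => 'abc123', 'state' => $state], $state);
echo $url, PHP_EOL, $token, PHP_EOL;

// A callback carrying someone else's state is refused before any exchange happens.
try {
    $client->handleCallback(['code' => 'abc123', 'state' => 'not-ours'], $state);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

As Mitchell's post notes, the code and the token travel in the clear inside the request body, so both endpoints must be HTTPS; with curl that means leaving CURLOPT_SSL_VERIFYPEER at its default rather than disabling it to get past a certificate problem.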




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework