News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Scotch.io:
Token-Based Authentication for AngularJS and Laravel Apps (continued)
July 06, 2015 @ 11:57:54

Scotch.io has posted the second part of their series (here's part one) continuing their look at using tokens for authentication in an AngularJs+Laravel application. They pick up where they left off in the previous part and focus on adding more of the systems around the token.

In the tutorial on Scotch.io we created a new app called jot-bot to look at how to implement token-based authentication in AngularJS and Laravel by using jwt-auth and Satellizer together. On the Laravel side, jwt-auth let's us generate JSON web tokens when the user inputs their credentials. [...] There were a few things for a complete authentication solution that we didn't get to in the last tutorial, including: Setting the logged-in user's data (such as name and email address) and their authentication status, a way to redirect the user to the login page if they become logged out and how to log the user out and the implications of token-based authentication on logout.

He starts by updating the AuthenticateController to handle getting the authenticated user based on the token information. He also adds the matching route and show the kind of data it should return. He then switches to the Angular side and creates the controller to hook into the backend and get the current user information. The tutorial then shows how to relay user information back to the view and what it might look like. He then goes through a similar process for adding the logout handling including redirecting the user when logged out. Finally, he shows how to initialize the user on the frontend when the application loads, pulling the data from localstorage and checking for a valid existing session.

0 comments voice your opinion now!
scotchio token authentication angularjs laravel application series part2

Link: http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/

Gonzalo Ayuso:
Token based authentication with Silex and AngularJS
June 09, 2014 @ 10:33:37

Gonzalo Ayuso has posted a tutorial showing how to use token-based authentication with a Silex-based application through a request from AngularJS.

According to my last post today we're going to create a AngularJS application that uses the Silex Backend that we create previously. The idea of this application is to use it within a Phonegap/Cordova application running in a mobile device.

He includes the code (and markup) you'll need to make the request work. Basically, it uses a standard HTTP service from inside AngularJS to fetch the token and store it in the client's localstorage. The rest of the code does the checking to see if the user is logged in (the token exists) or if it needs to sow the login form. The "logged in" route also displays an alert to the user with the info (pulled from the API) for their user. The full code for the example can be found over on GitHub.

0 comments voice your opinion now!
token authentication silex angularjs tutorial login localstorage

Link: http://gonzalo123.com/2014/06/09/token-based-authentication-with-silex-and-angularjs/

Gonzalo Ayuso:
Token based authentication with Silex Applications
May 06, 2014 @ 10:56:32

Gonzalo Ayuso has put together a new post for his site showing how to do token-based authentication with Silex and the help of a few additional Symfony components.

What happens if we want to use a security layer [in a Silex application]? We can use sessions. Sessions are the "standard" way to perform authentication in web applications, but when our application is a PhoneGap/Cordova application that uses a Silex server as API server, sessions aren't the best way. The best way now is a token based authentication. The idea is simple. First we need a valid token. Our API server will give us a valid token if we send valid credentials in a login form. Then we need to send the token with each request (the same way than we send the session cookie with each request).

He includes all the code you'll need to follow along. His example shows a basic Silex application that fetches the token from the URL and uses middleware to handle the validation. There's a bit of CORS mixed in as well to make the cross-domain requests from the applications possible. He creates a service provider (for logins) and controller provider to handle each type of request.

0 comments voice your opinion now!
token authentication silex application tutorial

Link: http://gonzalo123.com/2014/05/05/token-based-authentication-with-silex-applications/

9Lessons.info:
Login with GitHub OAuth using PHP
February 11, 2014 @ 11:36:57

On the 9lessons.info site they've posted a new tutorial showing you how to login with GitHub via OAuth via a custom script.

Nowadays GitHub.com(web based hosting service) is the most import part in developer's life. In this I want to discuss how to implement GitHub OAuth login system for your web project, this is very simple adopt and sure it will helps you to increase your web project registrations. Please check my previous posts for Google, Facebook and Instagram OAuth login system scripts.

The system uses a simple database to store the current user information and their Github ID. They walk you through the flow of creating a new application on the Github site and include the scripts to make the initial request, redirect to the Github site for authorization and handle the callback correctly.

0 comments voice your opinion now!
github oauth tutorial token

Link: http://www.9lessons.info/2014/02/login-with-github-oauth-php.html

Lorna Mitchell:
OAuth Middleware for Slim
October 09, 2013 @ 11:53:37

Lorna Mitchell has posted about some middleware for the popular Slim (micro)framework that helps with OAuth functionality.

OAuth can be anything you want it to be, the standards are lax and give you plenty of room for getting the right implementation for your system. However you proceed, though, you'll need to check an access token on every request - and in a Slim application, a middleware can help enormously since it hooks in to every request by design. I've recently implemented this and thought I would share.

She's created a basic middleware component that can be easily dropped into the framework to handle the checking of the tokens via an "AuthService" object. She also includes a brief snippet of how she generates the codes, combining the output of bin2hex and openssl_random_pseudo_bytes.

0 comments voice your opinion now!
oauth middleware slim access token validation generate

Link: http://www.lornajane.net/posts/2013/oauth-middleware-for-slim

Pádraic Brady:
Stateful vs Stateless CSRF Defences Know The Difference
August 13, 2013 @ 09:49:00

In this new post to his site, Pádraic Brady looks at two methods for generating CSRF (cross-site request forgery) tokens to help protect your application. It's not a tutorial, per se...more of a comparison of two methods: stateful and stateless CSRF tokens.

The difference between Stateful and Stateless CSRF defences is that the former requires storing the CSRF token on the server (i.e. session data) while the latter does not, i.e. the server has zero record of any CSRF tokens. As far as the server is concerned, the number of parties with persistent knowledge of a valid token is reduced to just one - the client. [...] Let's compare both types of CSRF protections.

He introduces the concepts behind both types of token generation, pointing out that most of the PHP frameworks out there rely on the stateful option (the "synchronizer" method). The other method ("double submit") actually involves two tokens, one in the POST content and the other as a cookie value. He also dissects this other stateless concept article he found and how its method of generation may not be ideal.

Like most attacks, CSRF does not exist in isolation so developing a good defence requires mitigating other attacks. [...] Any good CSRF token implementation, whether stateful or stateless, should reflect those requirements with features for limiting tokens by scope and time.
0 comments voice your opinion now!
csrf token stateless stateful difference doublesubmit random synchronizer

Link: http://blog.astrumfutura.com/2013/08/stateful-vs-stateless-csrf-defences-know-the-difference

Joseph Scott:
Stateless CSRF Tokens
August 02, 2013 @ 11:16:44

Joseph Scott has a recent post to his site looking at the idea of stateless CSRF tokens and how to create them while avoiding the typical "store them in a session" mentality.

This is all fine and good until you want to avoid using PHP sessions. Perhaps you have several web servers and don't want to deal with shared session storage. Or have servers in multiple data centers and don't want to try and sync state across them. What ever the reason, popping a token into $_SESSION isn't an option in this case. In short you want some sort of stateless CSRF token.

He looks at two methods to help get around this issue. The first method is based on known values that won't change very frequently (say, maybe 24 hours). His second method, however, has a bit more strength to it. His idea uses a combination of a key, the current time, a timeout and a known string of data - all base64 encoded.

0 comments voice your opinion now!
csrf token stateless tutorial session base64 timeout microtime

Link: https://josephscott.org/archives/2013/07/stateless-csrf-tokens

Anthony Ferrara:
Preventing CSRF Attacks
February 20, 2013 @ 09:36:41

Anthony Ferrara has written up a new post to his site looking at efective use of CSRF tokens and a few different strategies for generating them.

There's been a bit of noise in the past week about the proper way to prevent Cross-Site-Request-Forgery (CSRF) attacks. It seemed to have started with this post. There's been discussion in the comments, and on Twitter about it, and there seems to be several opposing viewpoints on the matter. I want to start off by saying that I agree completely with the post in question. But I figured I'd write a post to explain WHY I agree with it.

He starts with an overview of a few of the common types of request forgery including from a javascript injection, a Man-in-the-Middle attack and a replay attack. He then breaks up the "lines of defense" part of the post into three different sections - adding a hidden token field to forms, changing the token for each request and using random numbers when regenrating them.

0 comments voice your opinion now!
csrf attack prevention overview token generation tutorial


Kevin Schroeder:
Generating secure cross site request forgery tokens (csrf)
February 11, 2013 @ 11:23:10

In this new post to his site Kevin Schroeder has a new post with his take on generating more secure CSRF tokens for use in your site.

In researching the second edition for the IBM i Programmer's Guide to PHP Jeff and I decided to include a chapter on security since we really didn't talk much about it in the first edition. I'm talking about cross site request forgeries right now and I wanted to make sure that what I was going to suggest would not break the internet in some way. I did some Google searching to see what other people were recommending.

Most of the examples he saw used md5, uniqid and rand to create a randomized hash. He suggests an alternative - a method using the hash_hmac and openssl_random_pseudo_bytes methods to generate a sha256 hash for use in your page's submissions.

0 comments voice your opinion now!
csrf token generation hmac openssl


Sherif Ramadan:
How to Write an Operator Precedence Parser in PHP
January 21, 2013 @ 11:21:22

Sherif Ramadan has a post looking at creating a better operator precedence parser in PHP. His example is a fully PHP implementation that takes equation strings and evaluates them to create the result.

Operator precedence parsers are very simple on the surface. So don't feel in the least bit intimidated, because by the time you've read through this I hope to have you walk away with a solid foundation on how to write your very own operator precedence parser. The goal is to understand how to solve the problem of operator precedence parsing, and not necessarily to write your own parser. Learning how the problem can be solved is the most important thing to take away from this article.

He starts with an introduction to the concepts behind "operator precedence" including processing order and grouping. He also mentions infix and postfix (RPN) notations for handling different formats of equations. He used the "Shunting-yard Algorithm" and how it relates to handling the different parts of the equation, one at a time, in the correct order. He rest of the post is dedicated to the details of the execution in the tool, including code examples and the tokenization of the strings passed into it.

0 comments voice your opinion now!
operator precedence parser string token shuntingyard algorithm



Community Events

Don't see your event here?
Let us know!


interview programming example list api community introduction composer laravel opinion series language symfony application framework yii2 project php7 podcast part2

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework