Case Study: Customer Authentication

The case study example in this chapter is an authentication framework that doesn't rely on HTTP authentication to collect the username and password. The scripts developed in the case study illustrate how several techniques are applied and how the issues raised relating to session-based applications are solved. In this case study, we:

  • Develop a login <form> to collect user credentials

  • Authenticate the user credentials against encrypted passwords stored in the customer table

  • Use the IP address of the login request to deny access to requests from other machines

  • Develop a function that is included on each page to deny access without a successful login

  • Develop a logout function

Case study overview

Each customer of the winestore has an entry in the customer table that records confidential account details, including delivery address and credit-card details. Given such information, there is a good reason to restrict access to the application and protect confidential data.

We design the login page as a <form>, and the authentication is handled by the script that processes the POST variables. The POST method is used rather than the GET method so that the username and password don't appear in the URL. The authentication uses a query on the customer table to check the credentials; we use the approach described in Section 9.3.

We create a session to record the username that is authenticated and the IP address of the machine from which the login request originated. Each protected script then tests that the session variables holding the authenticated username and the originating IP address exist, and compares the stored IP address with the IP address of the request for that script.
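The three pieces described above (the login handler, the per-page check, and the logout function) as one added PHP example; this is not the book's code. It assumes the customer table has columns `user_name` and `password` (the latter a `password_hash()` digest), that the login form posts `loginUsername` and `loginPassword`, and that an open PDO connection is passed in.

```php
<?php
// Added example (not the book's code). Assumed names: customer table with
// columns user_name and password (a password_hash() digest); the login
// form posts loginUsername and loginPassword; $db is an open PDO handle.

session_start();

// Authenticate POSTed credentials against the customer table. On success,
// record the username and the client IP address in the session.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash, never against a plaintext column.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once privilege changes
    $_SESSION['loginUsername'] = $user;
    $_SESSION['loginIP']       = $_SERVER['REMOTE_ADDR'];
    return true;
}

// Include and call at the top of every protected page: deny access unless
// the session holds an authenticated user and the request comes from the
// same IP address that performed the login.
function authorise(string $loginPage = 'login.php'): void
{
    if (empty($_SESSION['loginUsername'])
        || empty($_SESSION['loginIP'])
        || $_SESSION['loginIP'] !== $_SERVER['REMOTE_ADDR']) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// Logout: clear the session data, expire the session cookie, and destroy
// the server-side session state.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Note that binding the session to `REMOTE_ADDR` is only a supplementary check: clients behind a proxy or NAT can legitimately change address mid-session, and several clients can share one address, so it doesn't replace a strong, regenerated session identifier.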

While the pages we have developed on the online winestore site are more attractive than the examples in this section, the structure of the code is the same.