Você está na página 1de 8

Security Settings

FieldDescription:
Administrator Login (Hard-Coded) Administratoruseridandpassword
Login Name LoginNameforadministrator
Password Passwordforadminsitrator
Use Existing Table Linktoexistingtableforloginnameandpasswordvalidation
Table Existingtableindatabasecontainingloginnameandpasswordinformation
Login Name Field LoginNamefieldintableusedforauthentication
Password Field Passwordfieldintableusedforauthentication
Login Options
Loginoptionsintheloginpage:
Auto-login-Autologinuntiltheuserlogoutexplicitly
Whenyouenabletheauto-loginfeature,afewcookieswillbeplacedontheuser'scomputertoidentify
theuser,meaningthattheuserdonothavetotypeusernameandpasswordeverytimehe/shevisitthe
Page1of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
site.Forthisreason,youshouldadviseyourusersnottousethisfeatureonapublicorsharedcomputer,
asanyotheruserofthecomputerwillbeabletoaccesstheaccount.

Remember username-Savetheuser'susernameincookie

Always ask-Donotsaveusernameandpassword,alwaysaskforthemintheloginpage

Advanced Security
AdvancedSecurityfeatureallowsyoutosetupUserID,assignUserLevelstousersandcreateacompleteuserregistrationsystem.Tosetup,
clickthe[Advanced] button.
PHPMakersupportstwotypesofsecurity-User IDandUser Level.UserIDSecuritysecuresdataatrecord level.UserLevelSecuritysecures
dataat table level.Theycomplementseachotherandtheycanworkindependentlyortogether.UsersgettheirUserIDandUserLevelafter
login.Beforelogin,anuser'sidentityisunknownandtheuserisanAnonymous User.

Anonymous User
ThepermissionsforAnonymoususersaredefinedinthisform.
StepstosetupAnonymousUserpermissions:
Clickon Anonymous User intheleftpane, 1.
Definethepermissionsforeachtable. 2.

User ID
UserIDSecuritysecuresdataatrecord level.ProtectedtablesmusthaveanUserIDfieldforidentifyingwhichuserarecordbelongsto.The
UserIDfieldnamescanbedifferentintablesthough.WhenUserIDsecurityisenabled,userscanonlyaccesstheirowndata.
Page2of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
StepstosetupUserIDsecurityfordifferenttables/views:
ClickonUser IDintheleftpane.

1.
Selectthe[User ID field]fromyourusertable,thisfieldisusuallytheprimarykeyoftheUserTable.(Note: ifthisfieldisnotset,the
featureisdisabled)

2.
(Optional)Selectthe[Parent User ID field]fromyourusertable.ParentUserIDfieldstorestheparentUserIDthattheuserbelongs
to,parentusercanmodifythechilduser'srecords.ParentUserIDishierarchical,parentuserscanaccesstherecordsownedbythechild
usersoftheirchildusers.(Note: ifthisfieldisnotset,theParentUserfeatureisdisabled.)

3.
Inthe[User ID Field]column,selecttheUserIDFieldforthetables/viewsthatrequiresUserIDsecurity.

4.
(Optional)Enable[Allow View All] ifyouallowallloggedinusers(notincludingAnonymous User)tolist/search/view(butnot
add/copy/edit/delete)allrecordsinthetable.
5.

User Level
UserLevelSecuritysecuresdataat table level.Eachuserlevelisgrantedwithspecificpermissionstotablesinthedatabase.
Thereare2typesofUserLevelsecurity:
1. Static User Levels-theUserLevelsandthepermissionsaredefinedinthisformandtheUserLevelsarenottobechangedafterscript
generation.
Page3of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
StepstosetupstaticUserLevelsecurityfordifferenttables/views:
ClickonUser Levelsintheleftpane, 1.
Selectaninteger fieldinyourusertableasthe[User Level field],(Note: ifthisfieldisnotset,thefeatureisdisabled) 2.
Defineyouruserlevels,click 3. icontheaddanuserleveland icontodeleteanuserlevel.
2. Dynamic User Levels-theUserLevelsandthepermissionsaredefinedin2tablesinthedatabase,theUserLevelscanstillbechangedwith
thegeneratedscripts.
Page4of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
StepstosetupdynamicUserLevelsecurityfordifferenttables/views:
ClickonUser Levelsintheleftpane, 1.
Selectaninteger fieldinyourusertableasthe[User Level field],(note: ifthisfieldisnotset,thefeatureisdisabled) 2.
Switchtothe [Dynamic User Levels]tab,check [Enable Dynamic User Levels], 3.
Selectyour User Level TableandUser Level Permission Tableandtherequiredfields. 4.
TheUser Level TableandUser Level Permission Tablemusthavethefollowingfields,notethedatatypes,UserLevelIDandthePermission
fieldsmustbeofintegertype,thefieldnamescanbedifferentthough:
IfyouwantPHPMakertocreatethese2tablesinyourdatabase,clickthe[Create tables] button,thefollowingformwilldisplayforyouto
changethetable/fieldnamesifnecessary.Youcanchangethetable/fieldnamesandthenclickOKtocontinue.

IfyouhaveprojectscreatedbypreviousversionsofPHPMakeryoumaywanttousedynamicUserLevelsandmigratethepreviouslydefined
staticUserLevelsintheprojecttothedatabase.AfterselectingorcreatingtheUserLevelandUserLevelPermissiontables/fields,justclickthe
[Migrate]buttontoletPHPMakerdothatforyou.
Aftersettingtheuserlevels,PHPMakerwillpopulatetheuserlevelstotheUserLevelfield'sEditTag(alsoseeFieldSetup)soadministrators
canassignuserlevelsusingthegeneratedpages.
Therearetwobuilt-inuserlevels:
Administrator-Administratoruserlevelisabuilt-inuserlevelthathasallpermissionsplustheprivilegestomodifyUserIDsandUserLevels.
Itspermissionsaresameasthatofthehard-codedAdministrator.TheUserLevelIDofAdministratoris-1.
Default-Defaultuserlevelisbuilt-inuserlevelwithuserlevel=0.SinceUserLevelfieldisanintegerfield,ifyousetadefaultvalueof0for
thisfield,thisuserlevelwillbecomethedefaultuserlevelfortheuserafterregistrationandbeforetheAdministratorassigninganotherhigher
userlevel.
ImportantNotesonUserLevels
EvenyouenableallpermissionsforanuserdefinedUserLevel,theUserLevelwillNOTbecomesameasthisAdministratorUser
Level.UserdefinedUserLevelswillnothavethepermissionstomanageusers(althoughparentusershassomecontrolontheirchild
users).
1.
Fromv9,thepermissionsforList/Search/Viewareseparateinnewlycreatedprojects.However,forbackwardcompatibility,the
permissionsforList/View/Searchinconvertedprojects(createdbypreviousversions)arethesameunlessyouhaveenabledSeparate
permssions for List/View/SearchinAdvancedSettings.
2.
Youmayneedtousethehard-codedAdministratorLogintologonandassigndynamicuserlevelstousersinitially. 3.
ItispossibletousesingleloginandcommonDynamicUserLevelsformultipleprojectsprovidedthatALLprojectsusethesame
projectnameandsameAdvancedSecuritytables(i.e.UserTable,UserLevelTableandUserLevelPermissionTable).Ifallprojects
4.
Page5of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
usesthesamedatabaseandsameAdvancedSecuritytables,thenthelatterconditionisautomaticallyfulfilled.However,iftheprojects
usedifferentdatabases,youneedtouseDatabase_Connectingservereventtochangetheconnectioninfosotheusercangetthe
DynamicUserLevelsfromthecommonAdvancedSecuritytablescorrectlyduringlogin.Fortheprojectsnotusingthedatabasewith
thecommonAdvancedSecuritytables,youstillneedtocreatedummyAdvancedSecuritytables(withsametable/fieldnamesasthe
commonAdvancedSecuritytables)intheprojectdatabasesoyoucansetupAdvancedSecurity.

User Login Options


UserLoginOptionsallowsyoutocreateacompleteuserregistrationsystemforyourWebsite,withoptionstoletuserregister,changepassword
andrecoverpassword.
Login
Track failed attempts
Ifenabled,numberoffailedloginattempts(invalidpassword)willbetracked.Ifexceeded,theuser
willbelockedoutandthepasswordmustbereset.

Maximum failed attempts


Themaximumnumberoffailedloginattempts
Failed attempts windows (minutes)
Thetimewindow,inminutes,duringwhichfailedpasswordattemptsaretracked.
Disallow concurrent login
Ifenabled,onlyonesessionisallowedforeachuser(exceptthehard-codedAdministrator).Ifone
userhasalreadyloggedin,otheruserstryingtologinwiththesameusername(andpassword)willbe
rejected.
NoteUsersaredistinguishedbySessionIDasrecognizedbythewebserver.Ifyouloginagainwith
yourPCinanotherwindowofthesamebrowserorinjustanothertabofyourbrowser,youcanstill
Page6of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
login.IfyouloginagainwithanotherbrowseroranotherPC,theSessionIDwillbedifferentandthe
loginwillberejected.
Login status timeout (minutes)
Thenumberofidleminutesafterwhichtheloginstatuswillbeconsideredasloggedoutandlogin
willbeallowedagain.
Ifalogged-inuserdoesnotexplicitlylogout(forexample,closethebrowserdirectly),theuser
sessionisnotclosedandtheuser'sloginstatuswillremainas"loggedin".Attemptstologinagain
willfail.Thistimeoutsettingensuresloginwillbeallowedagainafteraperiodofidletime.

CAPTCHA (requires extension)


Optionallyrequiresusertotypelettersordigitsfromadistortedimagethatappearsonthescreen..
NoteRequiresCAPTCHAextension,clickTools->Extensionsfromthemainmenutoenable.Also
seeThird-partyTools.
Password
MD5 password
UseMD5password
Notes
IfyouenableMD5password,makesurethatthepasswordsinyourusertablearestoredas
MD5hash(32-characterhexadecimalnumber)ofthecleartextpassword.Ifyoualsouse
case-insensitivepassword,convertthecleartextpasswordstolowercasefirstbefore
calculatingMD5hash.Otherwise,existinguserswillnotbeabletologin.MD5hashis
irreversible,passwordwillberesetduringpasswordrecovery.Notethattheresetpassword
isalsointheformatof16-characterhexadecimalnumber,itisNOTtheMD5hashofthe
oldpassword.
1.
PHPMakerwilltrytodetectsaltedpasswordcreatedbyotherapplication.(PHPMakeritself
doesNOTcreatesaltedpassword.)Ifsalted,thepasswordmustbestoredin
'<hashedstring>:<salt>'format,andthehashedstringmustbethemd5hashofthe
concatenatedstringofthecleartextpasswordandthesalt.Othersaltalgorithmisnot
supported,youcanhowevercustomizethefunctionew_EncryptPassword()inthetemplate
tosuityourapplcation.
2.
Case-sensitive password
Usecase-sensitivepassword
Enable password expiry
Ifenabled,userpasswordwillexpireafteraperiodoftime(exceptthehard-codedAdministrator
password)
Password expiry time (days)
ForusewithEnable password expiry,userpasswordwillexpireafterthespecifiednumberofdays
User Registration Page
Enabled
Generateuserregistrationpageandaddalinkinloginpage.
Fields
Selectfields(fromtheusertable)toshowintheregistrationpage.Clickthe[...]buttontheselectthe
fields.
CAPTCHA (requires extension)
Optionallyrequiresusertotypelettersordigitsfromadistortedimagethatappearsonthescreen..
NoteRequiresCAPTCHAextension,clickTools->Extensionsfromthemainmenutoenable.Also
seeThird-partyTools.
Confirm before submit
Optionallysendemailconfirmationafterregistration
Send email
Optionallysendemailconfirmationafterregistration
Requires activation
Optionallyrequiresuserclickanactivationlinkintheemailsentafterregistrationtoactivatetheuser
account.
NoteSend emailmustbeenabledforsendingtheemailwithactivationlink.
Auto login after registration/activation
Optionallyauto-logintheuserafterregistrationoractivation.
NoteRequires activationisenabled,theuserisnotactivatedyetafterregistration,autologinwillbe
appliedwhentheuserclickstheactivationlinkintheemail.
Change Password Page
Enabled
Generatechangepasswordpage
Page7of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...
Send email
Optionalemailconfirmationafterchangingpassword
CAPTCHA (requires extension)
Optionallyrequiresusertotypelettersordigitsfromadistortedimagethatappearsonthescreen.
NoteRequiresCAPTCHAextension,clickTools->Extensionsfromthemainmenutoenable.Also
seeThird-partyTools.
Password Recovery Page
Enabled
Generatepasswordrecoverypage(forgotpasswordpage)andaddalinkinloginpage.Username
andpasswordwillbesenttotheuser'semailaddress.
CAPTCHA (requires extension)
Optionallyrequiresusertotypelettersordigitsfromadistortedimagethatappearsonthescreen.
NoteRequiresCAPTCHAextension,clickTools->Extensionsfromthemainmenutoenable.Also
seeThird-partyTools.
User Table Fields
Email address field Emailaddressfieldinusertableusedforsendingemail
Activated field
Emailactivatedfieldinusertableusedforstoringthestatusofuser.Abooleanfieldis
recommended,althoughanintegerfieldorastringfieldwillalsowork.
Notes
Toenableuseraccountactivation,theRequires activationandSend email optionsunder
User Registration Page mustbechecked.Theuserneedstoclickanactivationlinkinthe
emailsentafterregistrationtoactivatetheuseraccount.
1.
Ifenabled,makesuretheactivatedfieldforexistingusersinyourusertableisupdatedwith
youractivationvalues(e.g.True/False,1/0,Y/N)ortheexistinguserscannotloginbecause
theyarenotrecognizedasactivated.YoucanenableMulti-Updatefeaturefortheusertable
soadministratorscanactivateordeactivateexistinguserseasily.
2.
Profile field
Amemofieldforpersistingalltheadditionaluserinformation.Thisfieldisrequiredifthefollowing
optionsareused:
Track failed attempts
Disallow concurrent login
Enable password expiry

Email Template
Theemailsendingfunctionandtheemailcontentscanbecustomizedinthetemplate.Thefollowingspecialtagsareusedintheemailtemplates:
<!--$From-->issenderemailaddress
<!--$To-->isuseremailaddress
<!--$Password-->isuserpassword
<!--FieldName-->(withoutthe$symbol)isthefieldvalue.
Forexample,<!--LastName-->isthefieldvalueofthefield"LastName".
Theemailformatcanbeeither"TEXT"or"HTML".IfyouuseHTML,changetheline"Format:TEXT"to"Format:HTML"andenterHTML
contentbelowit.
YoucanalsodynamicallychangetheemailbycodeusingEmail_Sendingeventbeforetheemailissent.(SeeServerEventsandClientScripts)

Also See:
Tutorial-UserIDSecurity
Tutorial-StaticUserLevelSecurity
Tutorial-DynamicUserLevelSecurity
Tutorial-UserRegistrationSystem

2002-2014e.WorldTechnologyLtd.Allrightsreserved.
Page8of8 SecuritySettings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...