About

The MDBitz Security and Authentication Framework (MDSecurity) is a lightweight, standalone framework for securing an entire PHP website or a sub-section of it. MDSecurity is fully configurable and extendable: you decide how a user is authenticated and how their permissions are managed, as well as how a logged-in user’s session is verified and how long it lives. For a full list of available features, please visit the Features page.

Example Usage of the MDSecurity framework

The first step in using the security framework is to understand how it is designed. MDSecurity is built around a main class, MDSecurity, that contains all the functionality for controlling the session logic. To keep authentication extensible, AccessControl classes contain the logic for verifying the user’s login information and for determining their permissions to a requested page. Because many developers use shared hosting, the framework has built-in SessionHandlers that let you specify how session data is stored on your server; this is especially helpful if you don’t have access to the php.ini configuration file.

Configuring the MDSecurity library to be included in all secured pages

  1. include the main class MDSecurity:
    require_once( '/lib/MDSecurity.php' );
  2. register the auto loader:
    spl_autoload_register(array('MDSecurity', 'autoload'));
  3. initialize and configure the security settings:
    $mdSecurity = MDSecurity::getInstance();
    $mdSecurity->checkAttempts = true;
    $mdSecurity->checkRequestTimeout = true;
    $mdSecurity->checkSessionTimeout = true;
  4. initialize the Access Control engine:
    $accessControl = new MDSecurity_AccessControl_BasicEncryption();
    $accessControl->loginURL = "/login.php";
    $accessControl->homeURL = "/index.php";
    $mdSecurity->accessControl = $accessControl;
  5. configure the encryption if supported by the Access Control engine:
    $encryptor = new MDSecurity_Encryptor_SHA256();
    $accessControl->encryptor = $encryptor;
  6. configure the Session Handler (optional):
    $sessionHandler = new MDSecurity_SessionHandler_FilePath();
    $sessionHandler->filePath = "/Applications/MAMP/tmp/phpmod";
    $mdSecurity->sessionHandler = $sessionHandler;
  7. authenticate:
    $mdSecurity->init();

The complete MDSecurity configuration file would look similar to:

<?php
 
// include the main class MDSecurity
require_once( '/lib/MDSecurity.php' );
 
// register the autoloader
spl_autoload_register(array('MDSecurity', 'autoload'));
 
// initialize and configure the framework
$mdSecurity = MDSecurity::getInstance();
$mdSecurity->checkAttempts = true;
$mdSecurity->checkRequestTimeout = true;
$mdSecurity->checkSessionTimeout = true;
 
// initialize the Access Control Engine	
$accessControl = new MDSecurity_AccessControl_BasicEncryption();
$accessControl->loginURL = "/PHPMDSecurity/Examples/Basic-Encryption/login.php";
$accessControl->homeURL = "/PHPMDSecurity/Examples/Basic-Encryption/index.php";
$mdSecurity->accessControl = $accessControl;	
 
// modify encryption if supported by Access Control
$encryptor = new MDSecurity_Encryptor_SHA256();
$accessControl->encryptor = $encryptor;
 
// initialize and configure the session handler if desired	
$sessionHandler = new MDSecurity_SessionHandler_FilePath();
$sessionHandler->filePath = "/Applications/MAMP/tmp/phpmod";
$mdSecurity->sessionHandler = $sessionHandler;
 
// init the framework
$mdSecurity->init();

Create your login page

  1. include the MDSecurity configuration file:
    include( '../mdsecurity_config.php' );
  2. create your login form. The basic AccessControl classes use the fields user_name and password as the values to authenticate. You can also use the code property to determine which error message to display to the user. If you use an encryptor, you must output the JavaScript associated with it and perform encryption on the desired fields, if applicable.
    <?php include( '../mdsecurity_config.php' ); ?>
    <html>
        <head>
            <title>MDSecurity Framework :: Basic Login</title>
            <?php echo $encryptor->outputJS(); ?>
            <script type="text/javascript">
                function doFormSubmit() {
                <?php 
                    $strVal = '"' . $mdSecurity->getKey() . '" + password.value';
                    echo "password.value = " . $encryptor->encryptJS( $strVal ) . ";\n"; 
                ?> 
                }	
            </script>
        </head>
        <body>
            <div>
            <?php if( $mdSecurity->isAuthenticated() ) { ?>
                <h1>You are currently logged in.</h1>
                <a href="<?php echo $mdSecurity->accessControl->homeURL ?>">Home Page</a>
                <a href="./?logout=true">Log-out</a>
            <?php } else if ( $mdSecurity->isInValid() ) { ?>
                <h1>Max Log-in Attempts exceeded</h1>
            <?php } else { ?>
                <table id="loginForm" width="300" border="0" align="center" cellpadding="0" cellspacing="0">
                    <tr>
                        <form name="login-form" method="post" action="">
                        <input type="hidden" name="log_in" id="log_in" value="true" />
                        <td>
                            <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
                            <?php if( $mdSecurity->code != MDSecurity::FIRST_VIEW ) {?>
                                <tr>
                                    <td colspan="2" style="padding:0px 0px 0px 35px;">
                                        <h2><span style="color: #FF0000;">Invalid User and Password Combination<br/>Please Try again</span></h2>
                                    </td>
                                </tr>
                            <?php } ?>
                                <tr>
                                    <td width="60px" height="10px" style="padding:0px 0px 0px 35px">Username</td>
                                    <td><input name="user_name" style="width:160px;" type="text" id="user_name" value="<?php if( isset($_POST['user_name']) ) { echo htmlspecialchars($_POST['user_name'], ENT_QUOTES, 'UTF-8'); } ?>"></td>
                                </tr>
                                <tr>
                                    <td style="padding:0px 0px 0px 35px; margin:1px 0px 0px 0px;">Password</td>
                                    <td><input type="password" name="password" style="width:160px;" id="password"></td>
                                </tr>
                                <tr>
                                    <td colspan="2"><input id="loginBtn" type="submit" name="Submit" value="Login" onclick="doFormSubmit();"></td>
                                </tr>
                            </table>
                        </td>
                        </form>
                    </tr>
                </table>
            <?php } ?>
            </div>
        </body>
    </html>
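
The form above submits SHA256(key + password) in place of the password. The following is an added example, not MDSecurity's own code, of how a server could check such a value; the function names, the login_key session entry, the hex encoding of the hash and the stored password are all assumptions of the example.

```php
<?php
// Added example, not part of MDSecurity. Function names and the
// 'login_key' session entry are hypothetical.

// Issue a fresh random key for the login form (the role getKey() plays
// in the form above). In a real page $session would be $_SESSION.
function issueLoginKey(array &$session): string
{
    $session['login_key'] = bin2hex(random_bytes(16));
    return $session['login_key'];
}

// Check the posted value, assumed to be hex SHA-256 over key . password.
function verifyLoginResponse(array &$session, string $posted, string $storedPassword): bool
{
    // The key is single use: discard it before comparing, so a captured
    // response cannot be replayed against the same key.
    $key = $session['login_key'] ?? null;
    unset($session['login_key']);
    if ($key === null) {
        return false;
    }

    $expected = hash('sha256', $key . $storedPassword);

    // hash_equals() compares in constant time; a plain == comparison
    // leaks timing and can mis-compare strings that look numeric.
    return hash_equals($expected, strtolower($posted));
}

// Constructed sample run, with a plain array standing in for the session.
$session  = [];
$key      = issueLoginKey($session);
$response = hash('sha256', $key . 'correct horse'); // what the browser computes

var_dump(verifyLoginResponse($session, $response, 'correct horse')); // first use of the key
var_dump(verifyLoginResponse($session, $response, 'correct horse')); // same response replayed
```

The server can only recompute the hash if it holds the same secret the browser hashed, so this kind of scheme hides the password from passive capture of the request but does not replace TLS.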

Include MDSecurity configuration file on all secured pages

  1. To secure a page simply include the configuration file created. The framework will take care of authenticating a user and directing them to the login page if necessary.
    include( '../mdsecurity_config.php' );

Download and License

The MDSecurity framework is copyright Matthew Denton and licensed under the GPL License v3. Please visit the downloads page to obtain the framework and use it in your PHP websites.