I have a very nice Persona PHP script pack, that verifies the visitors email address, creating and ending a browser session.
Anybody wishing to examine it, the zip pack is here
The issue I'm addressing now is:
How to securely connect to a MySQL DB, and store the email as the userID, using Persona verification as the password?
I.e. the whole point of Persona is that the password is encrypted within the browser, meaning that the website developer need not store user passwords, and the user needs only one password for all Persona enabled sites.
The difficulty for me researching this is that all the docs I see refer to a password being placed in the table, and any visitor is asked for the password, and if it matches, then the account records are accessible.
Easy to understand, common sense logic.
However, in this case, the DB must trust the email as presented to it.
i.e. here is the email... it matches a record set... okay, you have access to those records.
I noted: http://dev.mysql.com/doc/refman/5.1/en/user-names.html
"you cannot make a database secure in any way unless all MySQL accounts have passwords. Anyone who specifies a user name for an account that has no password is able to connect successfully to the server."
So how can the Persona verified email be used, without a password, using PHP and MySQLi?
Here is the front end code, that launches the scripts and receives the email variable $email.
PHP Code:
<?php
error_reporting(0); // hides all PHP errors; while developing, use error_reporting(E_ALL) with display_errors off and log_errors on
include 'my_login_php_config.php';
$login_content = $email = NULL;
if (isset($_POST['assertion'])) {
    require_once($browserid_php);
    // The audience (scheme://host:port of this site) must be fixed on the server.
    // Taking it from $_POST lets a client present an assertion issued for another site.
    // $persona_audience is assumed to be defined in my_login_php_config.php.
    $result = json_decode(Verifier::verify($_POST['assertion'], $persona_audience));
    if ($result !== NULL && $result->status === 'okay') {
        $login_content = "<p>Logged in as: " . htmlspecialchars($result->email, ENT_QUOTES, 'UTF-8') . " <a href='javascript:navigator.id.logout()'>Logout</a></p>";
        $email = $result->email;
        //HERE IS THE VERIFIED EMAIL ADDRESS.
        //I NEED TO QUERY THE DB TO SEE IF IT EXISTS
        //IF IT DOES, THEN THAT ACCOUNT IS OPENED
        //IF NOT THEN A NEW ACCOUNT CREATED
    } else {
        $reason = ($result !== NULL && isset($result->reason)) ? $result->reason : 'verification failed';
        $login_content = "<p>Error: " . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8') . "</p>";
    }
} elseif (!empty($_GET['logout'])) {
    // json_encode() quotes the PHP string so it is a valid JavaScript string literal
    echo("<script>
location.replace(" . json_encode($login_page_php) . ");
</script>");
} else {
    $login_content = "<button id=\"signin_button\" onclick=\"javascript:navigator.id.request()\" ><img src=\"plain_sign_in_black.png\" alt=\"sign in with Mozilla Persona\"> (Test the login system for yourself)</button>";
}
?>
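The question conflates two different credentials. The MySQL password belongs to the PHP application (it lives in the config file and authenticates the web server process to the database); Persona authenticates the visitor. The verified email never acts as a database password; it is just a lookup key in a users table. The following is an added example, not the poster's script pack: it assumes my_login_php_config.php defines $db_host, $db_user, $db_pass and $db_name for the application's own MySQL account, and that a users table exists as described in the comments. The $email passed in must be the one returned by Verifier::verify(), never a value read directly from $_POST.

```php
<?php
// Added example, not part of the original script pack.
// Assumed config variables (from my_login_php_config.php): $db_host, $db_user, $db_pass, $db_name.
// Assumed table:
//   CREATE TABLE users (
//     id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     email      VARCHAR(254) NOT NULL UNIQUE,
//     created_at DATETIME NOT NULL
//   );
// The MySQL account here is the application's; the visitor never sees or supplies it.

function open_db() {
    global $db_host, $db_user, $db_pass, $db_name;
    // Throw exceptions on any MySQL error instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($db_host, $db_user, $db_pass, $db_name);
    $db->set_charset('utf8mb4');
    return $db;
}

// Map a Persona-verified email address to a user id, creating the row on first login.
// Prepared statements keep the email out of the SQL text, so no escaping is needed.
function find_or_create_user(mysqli $db, $email) {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found) {
        return (int) $id;
    }
    $stmt = $db->prepare('INSERT INTO users (email, created_at) VALUES (?, NOW())');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return (int) $id;
}

// Call this only after Verifier::verify() returned status 'okay'.
function login_verified_email($email) {
    $db = open_db();
    $user_id = find_or_create_user($db, $email);
    $db->close();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session id when the session gains a logged-in identity.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['email']   = $email;
    return $user_id;
}

// Usage, at the point marked "HERE IS THE VERIFIED EMAIL ADDRESS" in the front end code:
//   $user_id = login_verified_email($result->email);
```

The UNIQUE constraint on email, together with the exception mode, means two concurrent first logins for the same address cannot create duplicate accounts: the second INSERT throws rather than silently succeeding. Later requests should read $_SESSION['user_id'] rather than re-reading an email from the client, so the only place the identity enters the system is the verifier's response.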