Authentication

From Dolibarr ERP CRM Wiki
Jump to navigation Jump to search





Introduction

This page describe how the Dolibarr authentication process works. You must be familiar with PHP sessions to understand correctly what happen.

Process

Process start when you call the page you want to see. For example index.php (htdocs/index.php). But this is not this file that ask for authentication. Each Dolibarr php page include at the beginning a file called main.inc.php and this file include a file called master.inc.php. So we have:

 <mypage.php>
     <main.inc.php>
       <master.inc.php>
         #1#
       </master.inc.php>
       #2#
       if (!isset($_SESSION["dol_login"]))
       {
         // Set goontestloop to true if we are coming from a post of the login page ($_POST["username"] and $_POST["actionlogin"] is defined.
         // We may also set goontestloop to true for some other cases depending on the authentication mode (see next chapter)
         $goontestloop = ...  
         if ($goontestloop)
         {
           checkLoginPassEntity(username, password, ...);
           ...
           // if user and pass are ok, we set $login
           $login=
         }
         if (! $login)
         { 
	       // We show login page
	       include_once(DOL_DOCUMENT_ROOT."/lib/security.lib.php");
	       dol_loginfunction($langs,$conf,$mysoc);
	       exit;
         }
         ...
       }
     </main.inc.php>
   #3#
 </mypage.php>

The #1# represents the loading of a lot of libraries that we will use later, but also initialize objects and variables containing the running PHP context (load configuration file, load language files and create an empty user not yet authenticated).

The #2# represents the code for authentication: Program check if we are inside a logged session (this means the $_SESSION["dol_login"] exists). If not, we check if we receives data from a login and password form. During first call of page, this is not the case since user has not yet view the login form. So we continue and $login is still false, so we just output the login HTML form and we end the script.

After submission of login, the same page (so still index.php is called), we still go inside #1#, then #2# and now the $_POST["username"] and $_POST['actionlogin'] are defined. So we check if user and pass are ok (check into database, LDAP, it depends on $dolibarr_main_authentication value in config file). If it's ok, the $login variable is set, so we don't show the form anymore and we set the $_SESSION["dol_login"] so next time we call a page, we never go inside the "if (! isset($_SESSION["dol_login"]))".

The #3# is to check business permissions and show the page. See Permissions page for more informations.

The authentication mode and the login modules

Calling the checkLoginPassEntity to validate the couple user/password (or just the user for some cases) will call the function check_user_password_xxx of a login module. The login module called depends on the authentication mode defined into your conf/conf.php file.

The file used is named htdocs/core/login/functions_xxx.php with value xxx that match the value set in dolibarr_main_authentication in config file conf/conf.php.

See Authentication,_SSO_and_SSL for a list of authentication mode (possible values for 'xxx' and specificity for them)