Authentication

Page waiting for translation. To translate, create an account, go back and clic on "Modify".
Page en attente de traduction. Pour traduire, créez un compte, revenez et cliquez sur "Modifier".
Página a traducir. Para traducirla, cree una cuenta, vuelva a la página y haga clic en "editar".
Pagina da tradurre. Per tradurla, crea un utente, torna indietro e clicca su "modifica".
Página a aguardar por tradução. Para traduzir, crie uma conta, volte atrás e clique em "Modificar".
Seite wartet auf Übersetzung. Um Übersetzung zu erstellen, richte einen Account ein, geh zurück und klicke auf "bearbeiten".
页面等待翻译。若要翻译本页，先创建一个帐户、登录并返回本页后单击“编辑”。

Introduction

This page describe how the Dolibarr authentication process works. You must be familiar with PHP session and redirect to understand correctly what happen.

Processus

Process start when you call the page you want to see. For example index.php (htdocs/index.php). But this is not this file that ask for authentication. Each Dolibarr php page include at the beginning a file called pre.inc.php and this file include a file called main.php that include master.php. So we have:

 <index.php>
   <pre.inc.php>
     <main.inc.php>
       <master.inc.php>
         #1#
       </master.inc.php>
       #2#
       if (! isset($_SESSION["dol_login"]))
       {
         if (isset($_POST["username"]))
         {
           ...
           // if user and pass are ok, we set $login
           $login=
         }
         if (! $login)
         { 
	   // We show login page
	   include_once(DOL_DOCUMENT_ROOT."/lib/security.lib.php");
	   dol_loginfunction($langs,$conf,$mysoc);
	   exit;
         }
         ...
       }
     </main.inc.php>
   </pre.inc.php>
 </index.php>

The #1# represents the loading of a lot of libraries that we will use later, but also initialize objects and variables containing the running PHP context (load configuration file, load language files and create an empty user not yet authenticated).

The #2# represents the code for authentication: Program check if we are inside a logged session (this means the $_SESSION["dol_login"] exists). If not, we check if we receives data from a login and password form. After first call, this is not the case since we haven't yet show the login form. So we continue and $login is false so we just output the login HTML form and we end the script.

After submission of login, the same page (so still index.php is called), we still go inside #1#, then #2# and now the $_POST["username"] is defined. So we check if user and pass are ok (check into database, LDAP, it depends on $dolibarr_main_authentication value in config file). If it's ok, the $login variable is set, so we don't show the form anymore and we set the $_SESSION["dol_login"] so next time we call a page, we never go inside the "if (! isset($_SESSION["dol_login"]))".

Les modules de login

Les modules de login sont les fichiers qui contiennent les fonctions qui controlent la validite d'un couple user/password. Il y a un fichier par module. Chaque fichier assure un type de controle différent.

Le fichier htdocs/include/login/functions_http.php controle la validite du couple user/mot de passe par une authentification de type http Basic.
Le fichier htdocs/include/login/functions_ldap.php verifie la validite d'un couple user/mot de passe dans un annuaire LDAP.
Le fichier htdocs/include/login/functions_dolibarr.php veririe la validite d'un couple user/mot de passe dans la base de donnee Dolibarr.

Chaque fichier contient en fait uniquement une fonction check_user_password_xxx mais Dolibarr ne va en utiliser qu'un. Ce sera celui dont la valeur xxx correspond a la valeur de la variable dolibarr_main_authentication. Dans ce fichier, Dolibarr sollicite la seule fonction qui s'y trouve en envoyant comme parametres le user et mot de passe.La fonction renvoie vrai si le couple est valide.