Tom,

That's a great tip!

Joe

On Wed, 26 Jan 2005 10:03:31 +0000, Tom <tom@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Joe Harman wrote:
>
> >Hey Andrew...
> >
> >IN MY OPINION... forget the cookies... only use php sessions... but
> >like I said IMO.... you can never rely on the end user having them
> >cookies enabled... same with things like javascript...
> >
> >let me outline some steps for you... everyone else... feel free to
> >state pros and cons to these.. cause i always make mistakes, or
> >forget things :o)
> >
> >1. get the user's access info... ie username & password
> >
> >2. look for the user in the database that stores the access info
> >
> >3. if access is granted, I usually set 2 session variables
> >    a. $_SESSION['auth'] = TRUE // They are authorized
> >    b. $_SESSION['user_id'] = {who} // Who is it
> >    c. $_SESSION['user_level'] = {level} // What level access do
> >they have (optional)
> >
> >4. at the beginning of each restricted access page, verify that they
> >are authorized to access that page... if they are not redirect them to
> >an access denied page.
> >
> >that should get you started... maybe the second step would be to make
> >this stuff into functions... ... also, IMO.. it's a good idea to make
> >a logout script that will destroy that user's active session...
> >
> my turn for an IMO :) - my preference is to have a check on the function
> that writes the $_SESSION vars or the cookie (I generally use encrypted
> cookies which are in turn restricted to certain areas of the site). This
> check is on the referer - if it's not from a foreign URL, then write
> them new as if the user is non auth. This stops people on public
> machines from hitting a back button and being authenticated as the
> previous user.
> Tom
>
> > not
> >sure what your PHP experience is... but hopefully the above steps will
> >help you out some..
> >
> >Cheers!
> >Joe
> >
> >On 25 Jan 2005 17:35:08 -0600, Bret Hughes <bhughes@xxxxxxxxxxxxx> wrote:
> >
> >>On Tue, 2005-01-25 at 16:45, AceZero2790@xxxxxxx wrote:
> >>
> >>>Hey,
> >>>      I need a particular type log in script. I'm not sure how to do it or
> >>>where I could find a tutorial that would help me, so I'll describe what I need
> >>>and then maybe someone could tell me what kind of script I need (sessions or
> >>>whatever) and where I could get the script/learn how to make it.
> >>>      I need a pretty basic log in script. Something that people log in to,
> >>>and the page and all linked/related pages cannot be accessed unless the person
> >>>has logged in.
> >>>      So what do I need for this? Cookies, sessions both? And where can I
> >>>learn how?
> >>>
> >>>-Andrew
> >>>
> >>I use the pear auth package and like it a lot. I know I did some
> >>modification for our purposes but I suspect it works out of the box.
> >>
> >>All you do is include auth.php on all pages you want to protect and it
> >>will direct you to a login page if you have not logged in. Pretty cool
> >>stuff.
> >>
> >>http://pear.php.net/package/Auth
> >>HTH
> >>
> >>Bret
> >>
> >>--
> >>PHP General Mailing List (http://www.php.net/)
> >>To unsubscribe, visit: http://www.php.net/unsub.php
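
The four steps and the logout script outlined in the quoted message, written out as functions. This is an added example, not code from anyone in the thread. Assumptions: the names `login`, `is_authorized`, `require_login`, `logout`, the `/denied.php` page and the in-memory `$USERS` table are hypothetical, and the use of `password_verify()` and `session_regenerate_id()` goes beyond what the posts describe.

```php
<?php
// Constructed in-memory user table standing in for the database (assumption).
// A real site stores the hash once at registration, not on every request.
$USERS = [
    'andrew' => ['id' => 1, 'level' => 1,
                 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function login(array $users, string $username, string $password): bool
{
    $user = $users[$username] ?? null;               // step 2: look the user up
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;                                // same answer for unknown user and bad password
    }
    session_regenerate_id(true);                     // fresh session ID when privileges change
    $_SESSION['auth']       = true;                  // step 3a: they are authorized
    $_SESSION['user_id']    = $user['id'];           // step 3b: who it is
    $_SESSION['user_level'] = $user['level'];        // step 3c: access level
    return true;
}

function is_authorized(int $minLevel = 1): bool
{
    return ($_SESSION['auth'] ?? false) === true
        && ($_SESSION['user_level'] ?? 0) >= $minLevel;
}

function require_login(int $minLevel = 1): void     // step 4: first call on each restricted page
{
    if (!is_authorized($minLevel)) {
        header('Location: /denied.php');             // hypothetical access-denied page
        exit;                                        // without exit the protected page still renders
    }
}

function logout(): void
{
    $_SESSION = [];                                  // clear the data held in this request
    session_destroy();                               // delete the server-side session record
}

session_start();                                     // must run before any output is sent
if (PHP_SAPI === 'cli') {                            // offline walk-through, printed at the end
    $r = [is_authorized(), login($USERS, 'andrew', 'wrong'),
          login($USERS, 'andrew', 'correct horse'), is_authorized(), is_authorized(2)];
    logout();
    $r[] = is_authorized();
    var_dump($r);
}
```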