Re: user login and access + headers already sent

At 4:56 PM +0100 7/15/10, Ashley Sheridan wrote:
On Thu, 2010-07-15 at 15:38 +0000, Carlos Sura wrote:

> So, I'm wondering, is there any other way to avoid putting code in every page? Or... another way to avoid that kind of error.

Common logic for a login is to use an include file that does this:


     1. Is user logged in? Yes: goto 5. No: goto 2
     2. Have login details been submitted through form or other? Yes:
        goto 3. No: goto 4
     3. Are login details correct? Yes: goto 5, No: goto 4
     4. Show login form & stop
     5. Show/redirect to app page

(apologies for the hard to follow list, but I just realised I don't know
a good way to show a flowchart in plain text!)

Flowchart? How about:

  1. Is user logged-in?
        No, go to logon.php

Nothing else needs to be done to protect any page.

This is accomplished by simply placing at the top of each protected page:

<?php session_start();      // must be the first thing in the file, before any output
   require('auth.php');     // the file name is a string, so it needs quotes

Of course this requires the OP to place this code on each page he wants to protect, but that's a small price to pay for security and ease of implementation.

The auth.php script only checks IF the user logged-in via a security variable. For example:

<?php
// auth.php -- assumes the including page has already called session_start()
if ($_SESSION['security'] != TRUE)
  {
  header('Location: logon.php');   // redirect to login script.
  exit();                          // stop here so the protected page never renders
  }

// else user is permitted to pass

If the user is logged in, then the user is permitted to travel to whatever scripts contain the require('auth.php'); statement.

The login script in turn simply asks for the user ID and PASSWORD. If these are correct (via a db or file lookup), then the login script sets the security session variable to TRUE else it defaults to FALSE.

Keep in mind that the only job of the login script is to set the security session variable to TRUE -- it is loosely coupled. Likewise, the authorization script is only concerned with the setting of the security session variable -- it is also loosely coupled. Both of these provide a good security solution.

EOP (End of Problem).

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
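The auth.php / logon.php pair tedd describes, written out as a complete added example (this is not tedd's code, nor code from the original thread). It keeps his design: logon.php only sets the security session variable, auth.php only checks it. The file names auth.php, logon.php and app.php are assumed, and the user store is a constructed in-memory array standing in for the DB or file lookup. The two files are shown in one listing, separated by comments.

```php
<?php
// ---------- auth.php : include at the very top of every protected page ----------
// header() can only succeed before any output has been sent. A stray space,
// newline or UTF-8 BOM before "<?php" in the protected page is enough to cause
// "headers already sent", which is the error from the thread's subject line.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags set before the session starts (PHP 7.3+ array form).
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
    // Strict comparison: an unset key, "0", "" or null must all fail the check.
    if (!isset($_SESSION['security']) || $_SESSION['security'] !== true) {
        header('Location: logon.php');
        exit(); // never let the rest of the protected page run after a redirect
    }
}

// ---------- logon.php ----------
// Constructed user store (assumption: replace with your DB/file lookup).
// Only password_hash() output is stored, never the plaintext password.
function user_store(): array
{
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Returns true and marks the session as authenticated only on a correct
// user/password pair; on any failure the security flag is explicitly false.
function attempt_login(string $user, string $pass): bool
{
    $users = user_store();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        $_SESSION['security'] = false;
        return false;
    }
    // Issue a new session id when privilege changes, so an id a visitor held
    // before logging in cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['security'] = true;
    return true;
}

// logon.php request handling: all header() calls happen before the form is output.
function handle_logon_request(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        $user = (string) ($_POST['user'] ?? '');
        $pass = (string) ($_POST['pass'] ?? '');
        if (attempt_login($user, $pass)) {
            header('Location: app.php'); // app.php is an assumed protected page
            exit();
        }
        // Same message whether the user or the password was wrong.
        return 'Invalid user name or password.';
    }
    return null;
}

// A protected page (app.php) then needs only:
//   <?php require 'auth.php'; require_login(); ?>
// as its first bytes, followed by the page content.
```

Usage: in logon.php call `$error = handle_logon_request();` at the top of the file and print the login form (and `$error`, escaped with htmlspecialchars()) below it; because the redirect and exit() happen inside that call, no HTML is ever emitted before header() runs. The `!== true` comparison is the one deliberate departure from the snippet in the reply: with `!=`, a value such as "1" or any non-empty string would also pass, whereas the login script only ever sets the boolean true.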


