Well, what I would suggest is you log them in once, then set a session variable such that

    $_SESSION["login"] = true;

Then at the top of each page, just check if they're logged in or not.

    session_start();
    // Test the session entry itself: a bare $login only exists with
    // register_globals on, and can then be set from the query string.
    if ( empty($_SESSION["login"]) ) {
        header("Location: ".$LOGINPAGE);
        exit;
    }

No hit to the db for every page. If you're in the good habit of using a "require()" file at the header, you can put that in there, so all those pages are protected instantly and it makes it easy to tweak.

However, if security is really a concern, I would choose to let Apache deal with that. Plus the nice thing is that with the .htaccess (or better yet, the httpd.conf <Directory>) you are guaranteed that all subdirectories and files are protected too.

Another little detail is that a user can bookmark a page, and get back to it easily. My method above would require you "remembering" the page they requested->login->jump back to the page.

I dunno. I have nothing to base this on, but I feel 'safer' with private areas being protected by the server rather than any code I could come up with. :)

DÆVID.
"A good friend will come and bail you out of jail...but a true friend will be sitting next to you in the holding cell, laughing and saying -'That was fucking awesome!'"

> -----Original Message-----
> From: Sarah Gray [mailto:sarah@fabled.net]
> Sent: Monday, October 28, 2002 8:52 PM
> To: php-db@lists.php.net
> Subject: The Ethics and Access of Login
>
>
> list,
>
> I have been using .htaccess pages formatted to read
> username/password from a mysql database, and they work fine.
> But I'm wondering, wouldn't it be simpler to simply write a
> script that checks a database itself, and, if it finds the
> username, goes on to the next action; and if it doesn't find
> the member, shuts them out? This seems so simple that I am
> sure there are good arguments against it. Am I right?
>
> The idea, in simple terms, is a login form that calls a php
> script which checks the id of the username in the form
> against a database, and then the appropriate action following
> their acceptance.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
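
The require()d session check and the "remember the requested page, log in, jump back" flow described in the reply above, as an added example that is not part of the original message. The file name auth_guard.php, the LOGIN_PAGE constant, the return_to session key and the three function names are assumptions made for illustration.

```php
<?php
// auth_guard.php (hypothetical name): require() this at the top of each protected page.
const LOGIN_PAGE = '/login.php';          // assumption: location of the login form

// Accept only a same-site path as the post-login destination, so the
// "jump back" step cannot be steered to another host.
function safe_return_path(?string $path): string
{
    if ($path === null || $path === '' || $path[0] !== '/') {
        return '/';
    }
    // "//host" and "/\host" are treated by browsers as another origin.
    if (substr($path, 0, 2) === '//' || strpos($path, '\\') !== false) {
        return '/';
    }
    // Control characters (CR/LF included) have no place in a Location header.
    return preg_match('/[\x00-\x1f\x7f]/', $path) ? '/' : $path;
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['login'])) {
        return;                           // already logged in: no database hit
    }
    // Remember the requested page so the login script can return to it.
    $_SESSION['return_to'] = safe_return_path($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . LOGIN_PAGE);
    exit;
}

// Call from the login script after the username/password check has succeeded.
function complete_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['login'] = true;
    $target = safe_return_path($_SESSION['return_to'] ?? '/');
    unset($_SESSION['return_to']);
    header('Location: ' . $target);
    exit;
}
```

A protected page calls require_login() right after the require(); the login script calls complete_login() once the credentials check passes.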