Dan,

That's great help and exactly what I'd like to do, timeouts and all.  I
now just need to figure out the mechanics of the code for it and get a
better understanding of sessions.  I'm thinking in the user table I'll
have a bunch of boolean fields for different permissions that apply to
different pages etc.  To keep it simple at first I'll just have two
permissions "read only" and "edit".  Read only users will not be allowed
to access pages where they can edit data.

How do you check for idle?  I suppose there is a built in variable that
you check against the value in the table.  How do I pull up or refer to
session variables?

Thanks,

Jeff

> -----Original Message-----
> From: Dan Joseph [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 02, 2003 11:15 AM
> To: php
> Subject: RE: [PHP] User authentication
> 
> 
> Hi,
> 
> > I'm not quite sure how to do this however so I'm looking for advice to
> > point me in the right direction.  I suspect, that once validated via
> > the login page, I need to store the user's permissions in a session
> > variable and then before each page loads, check to see if the page's
> > permission requirements match the user requirements stored in the
> > session's variable.  Is this correct? Are there any security risks
> > with this as this site may one day be internet accessible.  If this
> > isn't the correct approach, what is?
> 
>       Yes, you will need to set some session variables to 
> hold any information you want to check.  Make sure you do not 
> store sensitive information in those though.  In a site I 
> just built, we are only storing the user's name, user id 
> number, and access level.  The site then checks every 60 
> seconds to see if they are idle.  I track the session login 
> times in a mysql table, and have it do the math on how long 
> they've been idle.  This isn't really a common method from 
> what I've seen though, and your security requirements might 
> be a bit different.  Our client wants the site to log the
> EU out if they've been idle for 15 minutes.  Some people just
> let PHP time out the session, then when they go to click on 
> something, it boots them back to the login page.
> 
>       Just remember to check for an active session each time 
> a secure page loads. Otherwise you'll have people bypassing the
> login page.
> 
>       For restricting what is shown on the page, there are 
> many methods.  IF structures, etc, just make sure you are
> checking their access against what is shown.
> 
>       Does that help?
> 
> -Dan Joseph
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
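The gate Dan describes (check for an active session on every secure page, log the user out after 15 idle minutes, and compare the page's requirement against the stored access level) as an added PHP example; this is not code from either poster. It assumes a login.php that, after verifying the password, sets the session keys user_id, user_name, can_edit and last_active, and that every secure page includes this file first.

```php
<?php
// Added example, not from the thread. Assumes login.php has already set:
//   $_SESSION['user_id'], $_SESSION['user_name'],
//   $_SESSION['can_edit'] (bool: "edit" vs "read only"),
//   $_SESSION['last_active'] (Unix timestamp of the last request).

define('IDLE_LIMIT', 15 * 60);   // 15 minutes, the requirement in the thread

session_start();                 // makes $_SESSION available on this page

// Gate the current page. Pass true for pages that modify data.
function require_access(bool $needEdit): void
{
    // 1. No session at all: someone typed the URL without logging in.
    if (empty($_SESSION['user_id'])) {
        logout_and_redirect('Please log in.');
    }

    // 2. Idle check done server-side: compare now with the last request.
    //    The value lives in the session, so nothing in the browser can
    //    reset it; a MySQL column would work the same way.
    if (time() - ($_SESSION['last_active'] ?? 0) > IDLE_LIMIT) {
        logout_and_redirect('Logged out after 15 minutes of inactivity.');
    }
    $_SESSION['last_active'] = time();   // activity refreshes the timer

    // 3. Permission check against what this page does, not what it shows.
    //    A failed permission check keeps the session but stops the page.
    if ($needEdit && empty($_SESSION['can_edit'])) {
        http_response_code(403);
        exit('Read-only users cannot open edit pages.');
    }
}

// Clear the session completely so a stale cookie cannot be reused.
function logout_and_redirect(string $reason): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: login.php?msg=' . urlencode($reason));
    exit;
}

// Usage at the very top of an edit page, before any output:
require_access(true);
echo 'Welcome, ' . htmlspecialchars($_SESSION['user_name']) . '. You may edit.';
```

Read-only pages call require_access(false) and still get the login and idle checks; only the edit check is skipped.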
