This is a rehash of a post earlier today! I implement security with user hierarchies, which I will describe here (and also a more flexible method, user groups, which I will outline later).

I use a procedure called ensure_logged_in( $level ). It is wrapped around all .PHP where security is required (as an 'if' which is the first line on the page with '}' as the last), so:

    <? if ( ensure_logged_in( 5 ) ) { ... do stuff .... } ?>

Levels are implemented as such. Punter could be 0, Administrator 5 and Suppresser 9. You could then pass this through to the function. So ensure_logged_in(5) would return true if the user was at least of level 5 (allowing levels 5,6,7,8,9 access). For pages for punters who must be logged in, use ensure_logged_in(0).

The ensure_logged_in function checks the level and, if the user is not authorised, displays an error and login form (the function returns false). This will then post to where you currently post for login processing (I actually include the form in and reuse it for both here and login.php). Alternatively ensure_logged_in could just display an error message (and maybe email the administrator if the person was logged in and trying to access an unauthorised part of your system).

There is in fact another function ( is_logged_in ) which ensure_logged_in uses and which also returns Boolean. This function enables different functionality for different levels (i.e. not including certain fields unless the user is of a certain level). User level is held in a session variable (i.e. $_SESSION["user"]["level"]) and set when logged in.

The alternative would be to define groups and say which .PHP modules have access to which groups. You can then allocate users to a group (or a number of groups). Each .PHP module is then wrapped with a function (say check_security()) which works similarly to ensure_logged_in. I have only done this sort of thing in Oracle applications (client/server, non-web) but the principle is the same.
You could also go further and define database access as well as module access using something like:

    Table module_access
        module_name    varchar( 100 )
        allow_update   Boolean
        allow_insert   Boolean
        allow_delete   Boolean

Don't see much point in allow_select ;-)

Sure, you could also define which fields users DO NOT have access to on top of this with another table (defining what fields users DO have access to is crazy, as this security is built on top of the previous).

Please let me know what you think, at least I then know someone read it :-)

Regards,
Ben

"Allen May" <[EMAIL PROTECTED]> on 13/09/2001 13:40:06
To: <[EMAIL PROTECTED]>
cc:
Subject: [PHP] PHP Security

I have been using the .htpasswd/.htaccess convention to authenticate our 3000 employees. I want to move away from the .htpasswd/.htaccess convention and use a PHP form to authenticate against the database. I can create the PHP authentication page, no problem, but how do I check authentication on the thousands of HTML pages I already have on the site? For several reasons I don't want to do cookies. Can I set a session variable in the PHP and conditionally check it with Javascript, if fail go to PHP authentication form? What is the javascript session variable function?

Thanks
-Allen

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
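The level-based wrapper Ben describes (ensure_logged_in built on is_logged_in, with the level held in the session), written out as an added example that is not code from the thread; the level constants, the session layout, the login_form.php include and the log format are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed layout: the login handler
// stores an integer level in $_SESSION['user']['level'] after a successful login.
session_start();

define('LEVEL_PUNTER', 0);   // assumed: any logged-in user
define('LEVEL_ADMIN', 5);    // assumed: administrator

// True only when the login handler has stored an integer level in the session.
function is_logged_in(): bool
{
    return isset($_SESSION['user']['level']) && is_int($_SESSION['user']['level']);
}

// True when the user holds at least $level (so level 5 admits 5, 6, 7, 8, 9).
function has_level(int $level): bool
{
    return is_logged_in() && $_SESSION['user']['level'] >= $level;
}

// Wraps a page: returns true to render it, otherwise shows the login form
// (the same one login.php posts to) and returns false so the page body is skipped.
function ensure_logged_in(int $level): bool
{
    if (has_level($level)) {
        return true;
    }
    // Record every denial server-side; a logged-in user hitting a module above
    // their level is the case Ben suggests alerting the administrator about.
    error_log(sprintf(
        'access denied: user=%s level=%s required=%d uri=%s',
        $_SESSION['user']['name'] ?? 'anonymous',
        is_logged_in() ? $_SESSION['user']['level'] : 'none',
        $level,
        $_SERVER['REQUEST_URI'] ?? '?'
    ));
    http_response_code(is_logged_in() ? 403 : 401);
    include 'login_form.php'; // assumed path of the shared login form
    return false;
}

// Usage at the top of a protected page, exactly as the post describes:
//   <?php if (ensure_logged_in(LEVEL_ADMIN)) { ?> ... page body ... <?php } ?>
// and inside the body, to hide a field from lower levels:
//   <?php if (has_level(LEVEL_ADMIN)) { ?> <input name="salary"> <?php } ?>
```

Because the check runs on the server before any page output, it holds even when the browser has scripting disabled, which a JavaScript-side check of the kind Allen asks about would not.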