Hi,

I don't think there is any other way, at least not one so easy to extend. The
only improvement would be to combine the system with calls to NIS or a
Kerberos/RADIUS server. If you have such a server (or maybe LDAP ???)
you should combine it with this for ease of administration.

[EMAIL PROTECTED] wrote:
> 
> This is a rehash of a post earlier today!
> 
> I implement security with user hierarchies which I will describe here (and
> also a more flexible method, user groups, which I will outline later ).
> 
> I use a procedure called ensure_logged_in ( $level ).  It is wrapped around
> all .PHP pages where security is required (as an 'if' which is the first line on
> the page with '}' as the last ), so
> 
> <?php
> if ( ensure_logged_in( 5 ) ) {
>   ...
>   do stuff
>   ....
> }
> ?>
> 

A better way would be (I think):

<?php
if ( !ensure_logged_in( 5 ) ) {
    header("Location: $NOT_AUTHENTICATED");
    exit;
}
   ...
   do stuff
   ....
?>


That way you could just put it in a file and include it at the header,
without needing to wrap the code around it. He was talking about thousands of
pages!!!

> Levels are implemented as such.  Punter could be 0, Administrator 5 and
> Suppresser 9.  You could then pass this through to the function.  So
> ensure_logged_in(5) would return true if user was at least of level 5
> (allowing levels 5,6,7,8,9 access).  For pages for punters who must be
> logged in use ensure_logged_in(0).
> 
> The ensure_logged_in function checks the level and if the user is not
> authorised displays an error and login form (the function returns false).
> This will then post to where you currently post for login processing (I
> actually include the form in and reuse it for both here and login.php ).
> 
> Alternatively ensure_logged_in could just display an error message (and
> maybe email the administrator if the person was logged in and trying to
> access an unauthorised part of your system ).
> 
> There is in fact another function ( is_logged_in ) which ensure_logged_in
> uses and also returns Boolean.  This function enables different
> functionality for different levels ( i.e. not including certain fields
> unless user is of a certain level ).
> 
> User level is held in a session variable ( i.e. $SESSION["user"]["level"] )
> and set when logged in.
> 
> The alternative would be to define groups and say which .PHP modules have
> access to which groups.  You can then allocate users to a group (or a
> number of groups).  Each .PHP module is then wrapped with a function ( say
> check_security() ) which works similar to ensure_logged_in. I have only
> done this sort of thing in Oracle applications ( client/server, non-web )
> but the principle is the same.  You could also go further and define
> database access as well as module access using something like  :-
> 
> Table module_access
>   module_name varchar( 100 )
>   allow_update Boolean
>   allow_insert Boolean
>   allow_delete Boolean
> 
> Don't see much point in allow_select ;-)
> 
> Sure you could also define which fields users DO NOT have access to on top
> of this with another table ( defining what fields users DO have access to is
> crazy as this security is built on top of the previous ).
> 
> Please let me know what you think, at least I then know someone read it :-)
> 
> Ben
> 
> Regards,
> Ben
> 
> "Allen May" <[EMAIL PROTECTED]> on 13/09/2001 13:40:06
> 
> To:   <[EMAIL PROTECTED]>
> cc:
> Subject:  [PHP] PHP Security
> 
> I have been using the .htpasswd/.htaccess convention to authenticate our
> 3000 employees.
> I want to move away from the .htpasswd/.htaccess convention and use a PHP
> form to authenticate against the database.
> 
> I can create the PHP authentication page, no problem, but how do I check
> authentication on the thousands of HTML pages I already have on the site?
> For several reasons I don't want to do cookies. Can I set a session variable
> in the PHP and conditionally check it with Javascript, and if that fails go to
> the PHP authentication form?
> 
> What is the javascript session variable function?
> 
> Thanks
> 
> -Allen
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 


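As an added example (not code from anyone in this thread), here is one way to write the header include the reply describes: a single file that every protected page pulls in as its first line, which checks the level held in the session and redirects to the login form otherwise. The level values (punter 0, administrator 5, suppresser 9), the function names ensure_logged_in / is_logged_in and the variable $NOT_AUTHENTICATED come from the thread; the file name auth.php, the $REQUIRED_LEVEL convention, the login.php path and the establish_session helper are assumptions made for this example.

```php
<?php
// auth.php -- example include, not code from the original thread.
// Usage, as the very first line of a protected page (file name and
// $REQUIRED_LEVEL convention are assumptions of this example):
//   <?php $REQUIRED_LEVEL = 5; require 'auth.php'; ?>
// Assumes login.php sets $_SESSION['user'] via establish_session() below.

session_start();   // must run before any output, or header() cannot redirect

// Redirect target from the thread; the path is an assumption.
$NOT_AUTHENTICATED = '/login.php';

// Levels as described in the thread.
define('LEVEL_PUNTER',     0);
define('LEVEL_ADMIN',      5);
define('LEVEL_SUPPRESSER', 9);

// True only when the login handler has stored an integer level in the
// server-side session. Nothing sent by the browser (cookies, form fields,
// JavaScript) is consulted, so the client cannot grant itself a level.
function is_logged_in()
{
    return isset($_SESSION['user']['level'])
        && is_int($_SESSION['user']['level']);
}

// True when the user is logged in and at or above $level, so
// ensure_logged_in(5) admits levels 5..9 and ensure_logged_in(0)
// admits anyone who is logged in at all.
function ensure_logged_in($level)
{
    if (!is_logged_in()) {
        return false;
    }
    return $_SESSION['user']['level'] >= (int) $level;
}

// Called by login.php after the password check against the database
// succeeds. Regenerating the id prevents session fixation, where an
// attacker plants a known session id before the victim logs in.
function establish_session($username, $level)
{
    session_regenerate_id(true);
    $_SESSION['user'] = array(
        'name'  => $username,
        'level' => (int) $level,
    );
}

// Throw the session away entirely on logout.
function end_session()
{
    $_SESSION = array();
    session_destroy();
}

// The guard itself. exit is essential: header() only adds a response
// header, and without it PHP would keep rendering the protected page.
$required = isset($REQUIRED_LEVEL) ? (int) $REQUIRED_LEVEL : LEVEL_PUNTER;
if (!ensure_logged_in($required)) {
    $next = urlencode($_SERVER['REQUEST_URI']);
    header('Location: ' . $NOT_AUTHENTICATED . '?next=' . $next);
    exit;
}
```

The check has to run on the server, which means each protected HTML page needs at least the one PHP line above (or must be served through a PHP front controller); JavaScript in the browser cannot read the server-side session and anything it did check could simply be skipped by the visitor. The next parameter lets login.php send the user back to the page they asked for, but login.php should accept only a local path for it, otherwise the login form becomes an open redirect.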