Your way to check for privileges sounds good.  However, at my site, for this
one area (basically, the customer's area) there's only one privilege; you
either have access or you don't.  So, I'm assuming my way is probably good
enough for now.

In regards to the presence of the session itself being good enough for
verification, the reason I would check for the $_SESSION['user'] is that
that variable means they are logged in, as opposed to merely having a
session in use.  I say that because, given that I may want to start a
session for other uses, such as tracking a user's navigation through the
website, then the presence of the session itself would not be good enough to
know if they've logged in or not.

In regards to "Passing/testing the password on each page is unnecessary and
poses security risks.", I'm under the impression that when I create the user
and password variables, the variables are only available in the session
cookie on my own server, not in the cookie that is sent to the user to
maintain sessions.  The cookie sent to the user merely contains the session
ID.  Therefore, other than someone hijacking the session, I'm a little
unclear as to the security risk.  Have I got this right?



> -----Original Message-----
> From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 10:42 AM
> To: PHP List
> Subject: Re: [PHP] Access control question
> Hi Jeff:
> On Fri, Jun 07, 2002 at 10:25:27AM -0500, Jeff Field wrote:
> >
> > Is it simply enough to just check that $_SESSION['user'] is present, and
> > therefore, by that alone assume the user has logged in and
> should be granted
> > access?  Or, should I be verifying the $_SESSION['user'] and
> > $_SESSION['pass'] against the database on every page?
> If you validate the user/pass before starting a session for the person,
> then the existence of the session itself proves the person has logged
> in.  No?  Passing/testing the password on each page is unnecessary and
> poses security risks.
> Disclaimer:  I don't use PHP's session functions for sessions.
> What I do in my system is give everyone a session.  All folks who
> haven't logged in are one user.  Once they log in, my session database
> associates their UserID with their session.  The UserID isn't checked on
> each page.  When access to a particular page needs to be limited, I
> check their permission level (which is in another field of the session
> database) to ensure they have the privileges needed to perform the
> operation.
> Enjoy,
> --Dan
> --
>                PHP classes that make web design easier
>         SQL Solution  |   Layout Solution   |  Form Solution
>  | |
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>  4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to