[thelist] php login security (was: Call html page with php)
Andrew Forsberg
andrew at thepander.co.nz
Wed Feb 20 14:35:01 CST 2002
>One problem with authenticating once and storing the result in a session
>var is that if the admin removes access while the user is logged in, the
>user could continue to access the data until they log out or the session
>expires.
Hi Dan,
This would be a special case. If you needed a facility to dump
someone immediately then you could use either the Mohawk session
system (currently CVS only) and create a routine (e.g.:
destroy_user_session($id) ) which your access privilege system would
call when a user's access is revoked.
Mohawk from PHP:
http://www.php.net/manual/en/ref.msession.php
Or (and until the above matures, more stably) you could build a set
of custom session handling functions, save the session data to a db,
then simply clear that data in the same function the program uses to
revoke access privileges. This would be similar to ripping the pants
off a user's session... but that's more or less what the situation you
describe above requires.
Implement your own save handler for PHP sessions:
http://www.php.net/manual/en/function.session-set-save-handler.php
Ying Zhang also has a tutorial on this at phpbuilder.net:
http://phpbuilder.net/columns/ying20000602.php3
>This is more about storing the name/pass in sessions and
>confirming their status each new access than it is about passing
>name/pass back and forth.
I was disturbed by the: no sessions + reauthenticate a user on every
page. TBH, I still am disturbed by that...
Cheers
Andrew
--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
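
Added example, not part of the original message: a sketch of the database-backed save handler the reply describes, with a destroy_user_session() routine for the access-privilege code to call on revocation. It assumes PHP 8+ with pdo_sqlite; the class name, table layout and the userId property are hypothetical.

```php
<?php
// Added example: sessions stored in a db so that revoking access can clear them.
final class DbSessionHandler implements SessionHandlerInterface
{
    public ?int $userId = null;  // set by the login code once the user is authenticated
    private bool $isNew = true;  // true when read() found no row for this session id

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY,
            user_id INTEGER, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $q->execute([$id]);
        $data = $q->fetchColumn();
        $this->isNew = ($data === false);
        return $this->isNew ? '' : $data; // a missing or revoked row reads as empty
    }
    public function write(string $id, string $data): bool
    {
        // Only a session with no row at read() time may create one. An existing
        // session is updated in place, so a row deleted mid-request stays deleted.
        $sql = $this->isNew
            ? 'INSERT OR REPLACE INTO sessions (data, updated_at, user_id, id) VALUES (?, ?, ?, ?)'
            : 'UPDATE sessions SET data = ?, updated_at = ?, user_id = COALESCE(?, user_id) WHERE id = ?';
        $this->isNew = false;
        return $this->db->prepare($sql)->execute([$data, time(), $this->userId, $id]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $q = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
}

// Called from the same function that revokes access privileges: every session
// owned by the user is removed, so the next request starts with an empty session.
function destroy_user_session(PDO $db, int $id): int
{
    $q = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $q->execute([$id]);
    return $q->rowCount();
}
```

Register the handler with session_set_save_handler($handler, true) before session_start(), and set $handler->userId at login.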