[thelist] php login security (was: Call html page with php)

Ben Phillips ben at inchima.com
Wed Feb 20 05:50:52 CST 2002


> Ben, I might have misunderstood you, do you mean that every single page
> which should be limited to authorized users will require the user to enter
> their information again? This might be ok if there's only one sensitive
> page... if the site in question has thousands then the authorization system
> should be separate from the authentication system. Each page would need:
>
> if ($HTTP_SESSION_VARS["loginOK"]!=TRUE) {
>     // redirect
> }

i was actually thinking about an include, placed on every page, that handled
sessions and login authenticity. as i said, i used this in php 3, with
custom session handling.

i think we are both arguing about the same thing here, and we are both
right.

> at the top, or in a generic include, to redirect unauthorized users. And
> $loginOK would be registered as a session variable after authentication
> (you could also use cookies, I guess).

cookies are possible, or passing the session id through link querystrings
and forms (get or post) before php 4 did all this for you. either way, the
login would require revalidating on each and every page, hence the $loginOK
variable is required. in fact, a website i produced, badders.com, still uses
this method as we started it in 2000. still haven't got round to changing it
yet...

> Apologies if this is
> the case.

no apologies necessary where a good discussion is involved. :o)

regards,
benji
inchima.com
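The include-on-every-page pattern the thread is discussing, written out as an added example (this is not code from the list thread, from inchima.com or from badders.com). It assumes PHP 7.3 or later, a login page at /login.php, and a constructed single-user credential store; all three are assumptions made for the example. Protected pages `require` this file and call `require_login()` before emitting any output; the login form handler calls `attempt_login()`.

```php
<?php
// auth.php - added example, not part of the original thread.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and a login
// page at /login.php; both are assumptions for this example.

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie-only session id: never accept the id from a query string or a
    // form field, which is what the pre-PHP 4 "pass the id around" schemes
    // mentioned in the thread had to do.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// The $loginOK check from the thread, in one place so every protected page
// gets identical logic. Strict comparison: an unset value or the string "1"
// must not count as logged in.
function require_login(string $loginUrl = '/login.php'): void
{
    start_secure_session();
    if (($_SESSION['loginOK'] ?? false) !== true) {
        // Remember the requested path so the login page can send the user back.
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: ' . $loginUrl, true, 302);
        exit;   // header() alone does not stop the rest of the page from rendering
    }
}

// Called only after credentials have been verified.
function mark_logged_in(string $username): void
{
    start_secure_session();
    // A fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['loginOK'] = true;
    $_SESSION['user']    = $username;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed credential store (assumption): one user whose hash was produced
// with password_hash() at account creation. A real site would read this from
// a database; only the hash is ever stored.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'benji' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// Authentication step: verify the password, then hand over to mark_logged_in().
function attempt_login(string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $user = find_user($username);
    // Always run password_verify, against a dummy hash for unknown users, so
    // the response time does not reveal which usernames exist.
    $ok = password_verify($password, $user['hash'] ?? $dummyHash);
    if ($user !== null && $ok) {
        mark_logged_in($username);
        return true;
    }
    return false;
}
```

A protected page starts with `require __DIR__ . '/auth.php'; require_login();` and nothing else before it, since the redirect header cannot be sent once output has begun. The login handler calls `attempt_login($_POST['user'] ?? '', $_POST['pass'] ?? '')` and on success redirects to `$_SESSION['return_to'] ?? '/'`, which is a same-site path captured from `REQUEST_URI`, not a user-supplied URL.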
