[thelist] php login security (was: Call html page with php)

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 20 14:35:01 CST 2002

>One problem with authenticating once and storing the result in a session
>var is that if the admin removes access while the user is logged in, the
>user could continue to access the data until they log out or the session

Hi Dan,

This would be a special case. If you needed a facility to dump
someone immediately then you could use either the Mohawk session
system (currently CVS only) and create a routine (e.g.:
destroy_user_session($id) ) which your access privilege system would
call when a user's access is revoked.

Mohawk from PHP:

Or (and until the above matures, more stably) you could build a set
of custom session handling functions, save the session data to a db,
then simply clear that data in the same function the program uses to
revoke access privileges. This would be similar to ripping the pants
of a user's session... but that's more or less what the situation you
describe above requires.

Implement your own save handler for PHP sessions:

Ying Zhang also has a tutorial on this at phpbuilder.net:

>This is more about storing the name/pass in sessions and
>confirming their status each new access than it is about passing
>name/pass back and forth.

I was disturbed by the: no sessions + reauthenticate a user on every
page. TBH, I still am disturbed by that...


Andrew Forsberg
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/

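The second approach in the post (custom session handling functions that keep session data in a database, so the access-revocation code can simply clear a user's rows) written out as an added PHP example. This is not code from the original post, from Mohawk, or from the phpbuilder.net tutorial; it assumes PHP 5.4 or later for `SessionHandlerInterface`, PDO with SQLite (any PDO driver works with the same SQL apart from `INSERT OR REPLACE`), a `sessions` table created by the hypothetical `init_session_table()`, and that the application stores the logged-in user's id in `$_SESSION['user_id']` after a successful login.

```php
<?php
// Added example, not from the original post. A PHP session save handler that
// keeps session data in a database and records which user owns each session,
// so that revoking a user's access can destroy their live sessions at once.
// Assumptions (hypothetical): table "sessions" with columns id, user_id, data,
// last_access; the application sets $_SESSION['user_id'] on login.

class DbSessionHandler implements SessionHandlerInterface
{
    private $db;

    public function __construct(PDO $db) { $this->db = $db; }

    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }

    public function read($id)
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // PHP expects a string; an empty string means "no stored session".
        return $row ? $row['data'] : '';
    }

    public function write($id, $data)
    {
        // $_SESSION is still populated when PHP calls the write handler, so the
        // owning user (if the app has set it) is stored alongside the data.
        $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, user_id, data, last_access)
             VALUES (:id, :uid, :data, :ts)'
        );
        return $stmt->execute([
            ':id' => $id, ':uid' => $userId, ':data' => $data, ':ts' => time(),
        ]);
    }

    public function destroy($id)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc($maxlifetime)
    {
        // Garbage-collect sessions idle longer than session.gc_maxlifetime.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < :cutoff');
        return $stmt->execute([':cutoff' => time() - $maxlifetime]);
    }
}

// Hypothetical helper: create the table on first use.
function init_session_table(PDO $db)
{
    $db->exec('CREATE TABLE IF NOT EXISTS sessions (
        id TEXT PRIMARY KEY,
        user_id INTEGER,
        data TEXT NOT NULL,
        last_access INTEGER NOT NULL)');
}

// The routine the post calls destroy_user_session($id): remove every session
// row that belongs to the user, so their next request starts with an empty
// session and falls back through login. Call it from the same code path that
// revokes the user's privileges. Returns the number of sessions destroyed.
function destroy_user_session(PDO $db, $userId)
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $userId]);
    return $stmt->rowCount();
}

// Wiring at the top of every page (hypothetical file path for the database).
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
init_session_table($db);
session_set_save_handler(new DbSessionHandler($db), true);
session_start();

// After a successful login (hypothetical $user from your own auth check):
// session_regenerate_id(true);   // new id; the old row is destroyed
// $_SESSION['user_id'] = $user['id'];
```

Two points worth noting: `destroy_user_session()` deletes by `user_id` rather than by session id, so it ends every session that user holds (several browsers or machines) in one call, which is what immediate revocation needs; and `session_regenerate_id(true)` on login goes through the handler's `destroy()` for the old id, so a session id issued before authentication never stays bound to the now-authenticated user.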