[thelist] PHP / MySQL User Login System

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 27 21:59:01 CST 2002


>> Do you have a generic header included on each page? This would be
>> really easy if that's the case! If not, then it's only one include,
>> and one function call at the top of each non-home page file...
>
>Well...I don't think so. I mean, each user will have a directory that they
>will be able to access. I am not sure how to handle this in a generic
>header. Well...I guess I can just check the session variable, if it is TRUE
>then do nothing, if it isn't, redirect to a login page. So, if it is a
>generic header, how can it be easy....I mean it's easy but I have to include
>the code at the top of each page. Is there a way to mimic the Apache model
>where you specify the access requirements on the directory level?

Say you have: a client called 'bigbucks'; their absolute directory is
/home/yourstagingserver/bigbucks; their web directory is
http://your.site.com/bigbucks/; the authentication system compares
the username, password against a DB / flat file, and returns an array
of accounts (or perhaps just a string if it's only possible to login
to one account). At the head of every file in every protected
directory you could have:

require('/incs/authenticate.php');

in that file you could have something like:

// do your session stuff first

// "/bigbucks/page.php" splits into "", "bigbucks", "page.php"
$account_attempt = explode("/", $_SERVER["REQUEST_URI"]);
// strict comparison: a missing session value must never match an empty segment
if (!isset($_SESSION["account"]) || $_SESSION["account"] !== $account_attempt[1]) {
     header ("Location: http://your.site.com/");
     exit();
}

The explode returns an array where $account_attempt[1] holds the
string with the directory they're attempting to access (in this
example 'bigbucks') which needs to be the same as the account they're
registered to access ($account_attempt[2] will hold a sub directory,
$account_attempt[0] will be empty). If the two don't match then
they're redirected and nothing further is processed on your protected
page. If they match then the authenticate.php program is finished and
the rest of your program in the /bigbucks/ directory is executed.

If multiple accounts are possible for a single user then you'll want
to alter the $_SESSION["account"] line accordingly.

>When you click on one of the items in the directory, it just calls
>HomePage.php4 again, but with a variable named "content" appended like:
>HomePage.php4?content=page1.html. Since the "content" variable is defined,
>this time the HomePage.php4 doesn't display the directory, but instead opens
>the file "page1.html" from the user's subdirectory and streams it to the
>browser unaltered. In this way, the login status is being checked every
>time, but the pages to be viewed don't have to be modified. Then we just
>lock the user subdirectory from direct browser access. Is this crazy?

Not really crazy... just a lot of work for you, and it means each
time you add a new account you have to remember -- gosh, I have to
protect that directory from public access. Much easier just to use
the above system, and add a new user / pass / account entry into your
database / file. But, that's your call. :)

At 7:48 PM -0800 27/2/02, Jake Aust wrote:
>Cool! That's what I'm talking about.
>
>Now...do the "includes" have to be php files or can they be just .html
>files?

They are html files which can contain further php scripts. If they're
php files then you'll need to make sure they start with <?php and end
with ?> as they're opened as html files.

The docs for include / require are here:

http://www.php.net/manual/en/function.include.php
http://www.php.net/manual/en/function.require.php

include_once() and require_once() you might find useful if you use
OOP PHP programming (or anywhere else when you don't want the file to
get processed twice in one program).

HTH
Andrew

--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
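
A stricter form of the authenticate.php check described in the message above, as an added example that is not part of the original post. It goes beyond the single-account case to the multiple-accounts case the message mentions, and denies by default; the helper names account_from_uri() and is_authorized(), and the session key "accounts" (a list of account names stored at login), are assumptions made for illustration.

```php
<?php
// Added example, not from the original post.
// Assumption: login stores the user's accounts in $_SESSION["accounts"] as a list.

// Return the first directory of a request URI, or null if it is not a plain name.
function account_from_uri(string $uri): ?string
{
    $path = rawurldecode(explode("?", $uri, 2)[0]);   // drop the query string
    // Skip empty segments so "//bigbucks/x.php" is read like "/bigbucks/x.php".
    $segments = array_values(array_filter(explode("/", $path), "strlen"));
    if (count($segments) === 0) {
        return null;
    }
    // Accept plain directory names only; "..", dots and control bytes are refused.
    return preg_match('/^[A-Za-z0-9_-]+$/', $segments[0]) === 1 ? $segments[0] : null;
}

// True only when the requested directory is one of the session's accounts.
function is_authorized(array $session, string $uri): bool
{
    $account = account_from_uri($uri);
    $allowed = $session["accounts"] ?? [];
    // Strict in_array(): null, "" and 0 never compare equal to an account name.
    return $account !== null && is_array($allowed) && in_array($account, $allowed, true);
}

if (PHP_SAPI !== "cli") {
    // Web request: this is what the require() at the top of each page runs.
    session_start();
    if (!is_authorized($_SESSION, $_SERVER["REQUEST_URI"])) {
        header("Location: http://your.site.com/");
        exit();
    }
} else {
    // Command line: constructed sample sessions and URIs to show the decisions.
    $user = ["accounts" => ["bigbucks", "smallco"]];
    $samples = [
        [$user, "/bigbucks/reports/q1.php?year=2002"],
        [$user, "/othercorp/index.php"],
        [[],    "//bigbucks/index.php"],   // no login at all
        [$user, "/../bigbucks/index.php"],
    ];
    foreach ($samples as [$session, $uri]) {
        echo str_pad($uri, 40), is_authorized($session, $uri) ? "allow" : "redirect", "\n";
    }
}
```

Run from the command line, the file prints the decision for each constructed sample; included from a page, it performs the redirect itself.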


