[thelist] php login security (was: Call html page with php)

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 20 05:25:01 CST 2002


> > who said $loginOK was a session variable??
>
> Ummm. No one, but it's one way (which I was simply suggesting) to maintain
> something resembling security. Where's the security in not checking variable
> scope at all?

Sorry, answering my own post here:

Ben, I might have misunderstood you: do you mean that every single page
which should be limited to authorized users will require the user to enter
their information again? This might be ok if there's only one sensitive
page... if the site in question has thousands then the authorization system
should be separate from the authentication system. Each page would need:

session_start(); // the session must be started before its variables are readable
if ($HTTP_SESSION_VARS["loginOK"] != TRUE) {
    // redirect to the login page (path is site-specific), then stop:
    header("Location: login.php"); // PLACEHOLDER login URL
    exit; // without exit the protected content below would still be sent
}

at the top, or in a generic include, to redirect unauthorized users. And
$loginOK would be registered as a session variable after authentication (you
could also use cookies, I guess).

If you're just talking about authorizing someone to view the one page
following a login, then fine, the local scope for $loginOK would be
sufficient. I must admit, it never occurred to me to protect only one page /
document on a site, which is why I couldn't really understand why your
system was any better than the previous one. Apologies if this is the case.

Cheers
Andrew
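An added worked example (not code from the thread or from either poster) of the split Andrew describes: one login script does the authentication and records the result in the session, and a single include performs the authorization check on every restricted page. It uses modern PHP's $_SESSION superglobal instead of the PHP 4 $HTTP_SESSION_VARS array; the login URL, the user name and the credential list are constructed assumptions for the example.

```php
<?php
declare(strict_types=1);

// --- auth_check.php (constructed): require this at the top of every restricted page.
// The only thing a protected page needs to know is "is this session logged in?";
// it never sees credentials.
function require_authenticated(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Strict comparison: an unset key, "1", or any other truthy value must not pass.
    if (!isset($_SESSION['loginOK']) || $_SESSION['loginOK'] !== true) {
        // Remember the requested page, then send the browser to the login form.
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: ' . $loginUrl, true, 302);
        exit; // without exit, the rest of the page would still be rendered and sent
    }
}

// --- login.php (constructed): the authentication step, run once per login.
function authenticate_user(string $username, string $password): bool
{
    // Constructed credential store: a real site reads the hash from a database.
    // The hash is generated here only so the example is self-contained.
    $users = [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
    $hash = $users[$username] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

function login(string $username, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!authenticate_user($username, $password)) {
        return false;
    }
    // Issue a fresh session id on privilege change so a session id chosen
    // before login (session fixation) cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['loginOK'] = true;
    $_SESSION['user']    = $username;
    return true;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}

// Typical use on a restricted page (constructed):
//   require 'auth_check.php';
//   require_authenticated();          // redirects and exits if not logged in
//   echo 'Hello, ' . htmlspecialchars($_SESSION['user']);
```

The authorization check is deliberately a one-liner per page so it can live in a generic include, as the post suggests; the authentication code (password verification, session regeneration) exists in exactly one place, which is what makes the two concerns separable on a site with thousands of pages.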



