[thelist] php login security (was: Call html page with php)

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 20 14:35:01 CST 2002


>One problem with authenticating once and storing the result in a session
>var is that if the admin removes access while the user is logged in, the
>user could continue to access the data until they log out or the session
>expires.

Hi Dan,

This would be a special case. If you needed a facility to dump
someone immediately, then you could either use the Mohawk session
system (currently CVS only) and create a routine (e.g.
destroy_user_session($id)) which your access privilege system would
call when a user's access is revoked.

Mohawk from PHP:
http://www.php.net/manual/en/ref.msession.php

Or (and, until the above matures, more stably) you could build a set
of custom session handling functions, save the session data to a db,
then simply clear that data in the same function the program uses to
revoke access privileges. This would be similar to ripping the pants
off a user's session... but that's more or less what the situation you
describe above requires.

Implement your own save handler for PHP sessions:
http://www.php.net/manual/en/function.session-set-save-handler.php

Ying Zhang also has a tutorial on this at phpbuilder.net:
http://phpbuilder.net/columns/ying20000602.php3

>This is more about storing the name/pass in sessions and
>confirming their status each new access than it is about passing
>name/pass back and forth.

I was disturbed by the: no sessions + reauthenticate a user on every
page. TBH, I still am disturbed by that...

Cheers
Andrew

--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
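The db-backed session store with a revoke hook that the message above sketches, written out as an added example (this is not code from the thread, from Mohawk, or from the phpbuilder tutorial). It uses PHP's session_set_save_handler() with a SessionHandlerInterface object, which is the modern form of the custom save handler the post links to. Assumptions: PHP 8 with PDO and SQLite; the sessions table, the DbSessionHandler class, the revoke_user_access() function and the $_SESSION['user_id'] key are all invented here for illustration.

```php
<?php
// Added example: a database-backed PHP session store whose rows carry the
// logged-in user's id, so revoking a user's access can delete their live
// sessions in the same step. Not code from the original thread.
// Assumes PHP 8 with PDO + SQLite; table and function names are invented.

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Constructed schema: one row per session, keyed by session id, with
        // the owning user's id in its own column so it can be queried.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id       TEXT PRIMARY KEY,
                user_id  INTEGER,
                data     TEXT NOT NULL,
                modified INTEGER NOT NULL
            )'
        );
    }

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    // PHP expects "" for an unknown id, so a user whose row was deleted
    // starts the next request with an empty $_SESSION and fails the login check.
    public function read($id): string
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write($id, $data): bool
    {
        // $_SESSION is still populated when PHP calls write() at the end of the
        // request, so the user id the application stored at login is copied
        // into its own column (assumption: the app uses $_SESSION['user_id']).
        $userId = $_SESSION['user_id'] ?? null;
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, user_id, data, modified)
             VALUES (?, ?, ?, ?)'
        );
        return $stmt->execute([$id, $userId, $data, time()]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc($max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE modified < ?');
        $stmt->execute([time() - (int) $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Call this from the same routine that strips the user's privileges: every
// session row owned by that user is removed, so the revocation takes effect
// on their very next request rather than when the session expires.
function revoke_user_access(PDO $db, int $userId): int
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();   // number of live sessions killed
}

// Bootstrap (hypothetical path). The "true" argument registers
// session_write_close() as a shutdown function.
$db = new PDO('sqlite:/tmp/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($db), true);
session_start();

// On successful login (after the password check, which is not shown):
//   session_regenerate_id(true);   // new id, so a pre-login id can't be fixed
//   $_SESSION['user_id'] = $authenticatedUserId;
//
// On every protected page the check only needs the session row, not a
// password re-check:
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}
```

The one detail to watch is write(): it runs once per request at shutdown, so a session row only gets its user_id after the login request finishes, which is fine because revocation is looked up by user_id on later requests. Keep the admin-side revoke and the privilege removal in one transaction if both live in the same database, so a crash between the two cannot leave a user with privileges gone but a session still valid, or the reverse.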


