Kelly Hallman wrote:
> On Mon, 8 Dec 2003, Chris W. Parker wrote:
>> Ok so I am working on the admin section of the e-commerce app I'm
>> writing and I'm hoping there's a better way to do what I am currently
>> doing. In an effort to prevent circumvention of the login page I've
>> placed a check at the beginning of each page that basically does the
>> following:
> ...
> 
> In the case that this is part of a larger application, as it seems to be,
> you probably should have an include that you are doing on each hit that
> handles the user identity/authentication.. Not just for your admin users,
> but a general container for all the user-related functions.
> 
> Within that include, let's call it loguser.php, you
> could write functions such as require_admin() or require_login() ..
> then, call those functions on the pages that require the user to be
> an admin or be logged in. The functions would determine if the
> logged-in user had adequate permission, and redirect them if not.
> That way, you can control this behavior from a central location--you
> don't want to have to go through each page of your app and change a
> URL.
> 
> --
> Kelly Hallman
> // Ultrafancy

What I've done for the CMS I've been working on for a while is I have a
base class which is the core of the application, and all modules in the
CMS extend from this base class.  Part of this base class is a
check_login() method, and I simply call this in the constructor of each
module to verify login and access privileges.

This method first verifies a basic login, and assuming the login passes
it then checks the user's credentials against a list of credentials
which are necessary to access the different functionalities in each
module, and away we go.

If the login test fails, the session is destroyed and the user is sent
back to the login page.  Otherwise if they are attempting to access
functionality to which they don't have access they get notified of this,
else they proceed as normal.

Cheers,
Pablo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
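
The pattern discussed in this thread, one central guard that every protected module runs before doing anything else, sketched as an added example that is not code from either poster. The class, permission and path names (`BaseModule`, `OrdersAdmin`, `orders.edit`, `/login.php`) and the session keys are hypothetical.

```php
<?php
declare(strict_types=1);

abstract class BaseModule
{
    /** Permissions this module needs; an empty list means "any logged-in user". */
    protected const REQUIRED = [];

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $this->enforce(self::decide($_SESSION, static::REQUIRED));
    }

    /** Pure decision, testable without HTTP: 'ok', 'login' or 'forbidden'. */
    public static function decide(array $session, array $required): string
    {
        if (empty($session['user_id'])) {
            return 'login';                       // no valid login at all
        }
        $granted = is_array($session['permissions'] ?? null) ? $session['permissions'] : [];
        // Deny by default: every required permission must be present.
        return array_diff($required, $granted) === [] ? 'ok' : 'forbidden';
    }

    private function enforce(string $decision): void
    {
        if ($decision === 'login') {
            $_SESSION = [];
            session_destroy();
            header('Location: /login.php');
            exit;   // stop here, or the protected page keeps executing after the redirect
        }
        if ($decision === 'forbidden') {
            http_response_code(403);
            exit('You do not have access to this function.');
        }
    }
}

final class OrdersAdmin extends BaseModule
{
    protected const REQUIRED = ['orders.edit'];   // checked in the inherited constructor
}

// Constructed sample sessions, evaluated without starting a real session.
$editor = ['user_id' => 7, 'permissions' => ['orders.view', 'orders.edit']];
$viewer = ['user_id' => 8, 'permissions' => ['orders.view']];
foreach (['anonymous' => [], 'viewer' => $viewer, 'editor' => $editor] as $who => $s) {
    echo $who, ': ', BaseModule::decide($s, ['orders.edit']), PHP_EOL;
}
```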
