Hi,

> I'm not quite sure how to do this however so I'm looking for advice to
> point me in the right direction. I suspect, that once validated via the
> login page, I need to store the user's permissions in a session variable
> and then before each page loads, check to see if the page's permission
> requirements match the user requirements stored in the session's
> variable. Is this correct? Are there any security risks with this as
> this site may one day be internet accessible. If this isn't the
> correct approach, what is?

Yes, you will need to set some session variables to hold any information you want to check. Make sure you do not store sensitive information in those though.

In a site I just built, we are only storing the user's name, user id number, and access level. The site then checks every 60 seconds to see if they are idle. I track the session login times in a MySQL table, and have it do the math on how long they've been idle. This isn't really a common method from what I've seen though, and your security requirements might be a bit different. Our client wants the site to log the EU out if they've been idle for 15 minutes. Some people just let PHP time out the session, then when they go to click on something, it boots them back to the login page.

Just remember to check for an active session each time a secure page loads. Otherwise you'll have people bypassing the login page.

For restricting what is shown on the page, there are many methods. IF structures, etc, just make sure you are checking their access against what is shown.

Does that help?

-Dan Joseph
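
The per-page check described in the reply above (active session, 15-minute idle limit, access level), as an added example that is not part of the original post. The function name, session keys and numeric access levels are hypothetical, and the last-activity time is assumed to live in the session rather than in the MySQL table the reply mentions.

```php
<?php
// Added example (not from the original post); all names are hypothetical.
// Assumptions: a higher access_level number means more privilege, and the
// last-activity time is kept in the session rather than in a MySQL table.

const IDLE_LIMIT = 15 * 60; // the 15-minute idle limit mentioned in the reply

/**
 * Per-page gate. $session stands in for $_SESSION so this runs from the CLI.
 * Returns 'ok', 'login' (no session, or idle too long) or 'forbidden'.
 */
function check_access(array &$session, int $requiredLevel, int $now): string
{
    // No authenticated session at all: the login page was bypassed.
    if (!isset($session['user_id'], $session['access_level'], $session['last_activity'])) {
        return 'login';
    }
    // Idle too long: drop everything so a stale session cannot be reused.
    if ($now - (int) $session['last_activity'] > IDLE_LIMIT) {
        $session = [];
        return 'login';
    }
    $session['last_activity'] = $now; // this request counts as activity

    // Compare the page's requirement with the level stored at login.
    if ((int) $session['access_level'] < $requiredLevel) {
        return 'forbidden';
    }
    return 'ok';
}

// Constructed sample sessions: [session data, level the page requires].
$now = 1700000000;
$cases = [
    'no session'      => [[], 1],
    'active, allowed' => [['user_id' => 7, 'access_level' => 3, 'last_activity' => $now - 60], 2],
    'active, too low' => [['user_id' => 8, 'access_level' => 1, 'last_activity' => $now - 60], 2],
    'idle 16 minutes' => [['user_id' => 9, 'access_level' => 3, 'last_activity' => $now - 960], 1],
];

foreach ($cases as $label => [$session, $level]) {
    printf("%-16s => %s\n", $label, check_access($session, $level, $now));
}
```

On a real page the call would follow session_start() and take $_SESSION and time(), with the page redirecting or stopping output on any result other than 'ok'.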