Best Practices: Sessions
To gain access to this secure internet website a user has to supply a username and password in a form.
Submitting that form posts back to the same script, which then executes the following PHP block:
<?php
if (isset($_POST['submit'])) { // true only when the form has been submitted
    session_start();
    include("inhouse_functions.inc");
    connect_database("secure_online"); // obtain access to the database

    // read the submitted credentials explicitly (do not rely on register_globals)
    // and escape them before they are placed in the query text
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $SQL = "SELECT security_id FROM security
            WHERE username='$username' AND password='$password'";
    $security = mysql_query($SQL);
    if ($security && mysql_num_rows($security)) {
        $row = mysql_fetch_array($security);
        // only the primary key is kept in the session
        $_SESSION['sess_security_id'] = $row['security_id'];
        header("Location: entry_page.php");
        exit; // nothing after the redirect should run
    }
    // authorisation not successful: fall through and show the form again....
}
?>
<html>
..
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
... rest of the form to collect username, password and submit button
<input type="hidden" name="submit" value="1">
</form>
</html>
All other pages on this secure internet website can then check that authentication has
occurred by testing whether the primary key sess_security_id has been stored in the session:
<?php
session_start(); // the session must be resumed before its contents can be inspected
// the security_id key is stored in the session only on successful authorisation
if (!isset($_SESSION['sess_security_id'])) {
    header("Location: index.html"); // send to the authentication page ..
    exit;
}
?>
A nice feature here is that nothing sensitive is registered to the session: the stored value is only
a key, yet it is enough to reconstruct any security information the subsequent scripts might demand,
such as checking access level privileges (U, X or P) ....
<?php
// the key was placed in the session at login; escape it before it enters the query text
$sess_security_id = mysql_real_escape_string($_SESSION['sess_security_id']);
$SQL = "SELECT access_level FROM security
        WHERE security_id='$sess_security_id'";
$security = mysql_query($SQL);
$row = mysql_fetch_array($security);
$access_level = $row['access_level'];
if ($access_level == 'U') {
    // content suitable for access level U
} ..
....
?>
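The three fragments above (login, the per-page authentication check, and the privilege lookup) can be gathered into one include. The following is an added example, not the article's own code: it keeps the article's design (only the primary key sess_security_id lives in the session and the access level is read back from the security table on each request) but passes the submitted values through PDO prepared statements instead of placing them in the query text, compares the password against a password_hash() value instead of the plain password stored by the article's query, regenerates the session id at login, and sets the session cookie flags. It assumes a PDO connection in $pdo and a security table with columns security_id, username, password (a password_hash() value) and access_level; the form field names and page names are the ones used in the article.

```php
<?php
// auth.inc.php: added example, not the article's own code.
// Assumed (not from the article): a PDO connection in $pdo whose `security`
// table has columns security_id, username, password (a password_hash() value,
// not plain text) and access_level.

function start_session(): void
{
    // Cookie flags: not readable by script, only sent over HTTPS, not sent on
    // cross-site navigations. 'secure' assumes the site is served over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted values never become part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT security_id, password FROM security WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The same branch is taken for an unknown user and a wrong password,
    // so the two cases are not distinguishable to the caller.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Issue a fresh session id at the moment privileges change, so an id the
    // visitor held before logging in cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['sess_security_id'] = $row['security_id'];
    return true;
}

function require_login(string $login_page = 'index.html'): void
{
    if (empty($_SESSION['sess_security_id'])) {
        header('Location: ' . $login_page);
        exit; // never let the protected page body run after the redirect
    }
}

function current_access_level(PDO $pdo): ?string
{
    // Only the key lives in the session; the privilege is read from the
    // database on every request, so a change to the row takes effect at once.
    $stmt = $pdo->prepare(
        'SELECT access_level FROM security WHERE security_id = :id'
    );
    $stmt->execute([':id' => $_SESSION['sess_security_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : $level;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in the login script (form field names as in the article):
//
//   start_session();
//   if (isset($_POST['submit'])) {
//       if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//           header('Location: entry_page.php');
//           exit;
//       }
//       // authorisation not successful: show the form again
//   }
//
// Usage in a protected page:
//
//   start_session();
//   require_login();
//   if (current_access_level($pdo) === 'U') { /* content for access level U */ }
```

The array form of session_set_cookie_params(), the ?string return type and password_verify() require PHP 7.3 or later. Reading the access level from the database on each request costs one query per page, which is the trade-off the article accepts in exchange for keeping nothing sensitive in the session and for privilege changes taking effect immediately.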