Best practices: Sessions - Page 2

by: Paul Booker

August 19, 2002

To gain access to this secure internet website a user has to supply a username and password in a form this then results in a php block being executed when the script actions itself :




<?php



 if(isset($_POST['submit']) ) {     // true if form has been submitted



    session_start();



      include("inhouse_functions.inc");       

          connect_database("secure_online");    // obtain access to database   





    $SQL=" SELECT security_id FROM security

 

            WHERE username='$username' AND password= '$password' ";



                                 

              $security = @mysql_query($SQL);





                 if ( mysql_num_rows($security) ) {



                     $row = mysql_fetch_array($security);  



                         $security_id = $row['security_id'];





                               $sess_security_id = $security_id ;                     

                                  session_register('sess_security_id');





                                      header("location: entry_page.php") ;

                 }



         // authorisation not successful show form again....                        

}



?>



<html>

 ..



<form action = "<? echo $PHP_SELF;?>" method="post">



     ... rest of the form to collect username,password and submit button



<type="hidden" name="submit" value=1>



</form>

</html>

All other pages on this secure internet website then can check to see that authentication has occured by checking if the primary key $sess_security_id has been registered to the session :




<?php

 if( !session_is_registered('sess_security_id') ) {



            // the security_id key is registered with the session

            // on authorisation 



      header("location: index.html ");     // send to authentication page ..



}   

?>

A nice feature here is that nothing sensitive is registered to the session and the value stored has the potential of reconstructing any security information the subsequent scripts might demand such as checking access level privileges (U,X or P) ....




<?php

$SQL=" SELECT access_level FROM security 

                

           WHERE security_id='$sess_security_id'  "; 





  $security  = mysql_query($SQL);



      $row = mysql_fetch_array($security);  





          $access_level = $row['access_level'];





             if($access_level == 'U') {



                     // content sutiable for access level U

             } ..



....

?>

« Previous Page

Comment and Contribute

0 Comments (click to add your comment)

Your comment has been submitted and is pending approval.

Author:

Paul Booker

Comment:

Name/nickname:
Email:

Comment:

(Maximum characters: 1200). You have characters left.