PHPBuilder - Best practices: Sessions Page 2




Best practices: Sessions - Page 2

by: Paul Booker
|
August 19, 2002

To gain access to this secure website a user has to supply a username and password in a form; submitting that form causes the following PHP block to run when the script calls itself :

<?php

if (isset($_POST['submit'])) {              // true if the form has been submitted

    session_start();

    include("inhouse_functions.inc");
    connect_database("secure_online");      // obtain access to the database

    // Read the credentials from the POST body and escape them before they
    // reach the query: interpolating raw input would make the query injectable.
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $SQL = "SELECT security_id FROM security
             WHERE username='$username' AND password='$password'";

    $security = @mysql_query($SQL);

    if (mysql_num_rows($security)) {

        $row = mysql_fetch_array($security);
        $security_id = $row['security_id'];

        // register only the primary key with the session, nothing sensitive
        $sess_security_id = $security_id;
        session_register('sess_security_id');

        header("Location: entry_page.php");
        exit;                               // stop here; header() alone does not end the script
    }

    // authorisation not successful, show the form again ....
}

?>

<html>
 ..

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">

     ... rest of the form to collect username, password and the submit button

<input type="hidden" name="submit" value="1">

</form>
</html>
All other pages on this secure website can then check that authentication has occurred by testing whether the primary key $sess_security_id has been registered to the session. Note that header() does not end the script: the check must exit after issuing the redirect, otherwise the protected content below it is still sent to the unauthenticated caller :

<?php

session_start();                            // resume the session before asking what it holds

if (!session_is_registered('sess_security_id')) {

    // the security_id key is registered with the session only on
    // successful authorisation, so its absence means "not logged in"

    header("Location: index.html");         // send to the authentication page ..
    exit;                                   // without this the protected page is still sent
}
?>
A nice feature here is that nothing sensitive is registered to the session: no password, no access level, only the primary key. That key is enough to reconstruct any security information a later script might need, such as the user's access level privileges (U, X or P), by looking it up again in the database .... The flip side is that the session ID has now become the credential every page trusts, so it deserves the same care as the password: keep it in a cookie rather than in the URL, and regenerate it at login so that a fixed or stolen ID cannot simply be replayed.

<?php

session_start();
include("inhouse_functions.inc");
connect_database("secure_online");

// The key comes from the session, not from the user, but cast it anyway so
// that only an integer is ever interpolated into the query.
$sess_security_id = (int) $_SESSION['sess_security_id'];

$SQL = "SELECT access_level FROM security
         WHERE security_id='$sess_security_id'";

$security = mysql_query($SQL);
$row = mysql_fetch_array($security);

$access_level = $row['access_level'];

if ($access_level == 'U') {

    // content suitable for access level U

}

// .... branches for the other access levels (X, P) follow the same pattern
?>
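The three steps above (authenticate, gate every page on the session key, look the key up again for authorisation) rewritten against current PHP APIs, as an added example that is not part of the original article. It assumes PHP 7.3 or later, a `security` table with columns security_id, username, password_hash (created with password_hash()) and access_level, and the DSN and credentials in the constants; those names are placeholders. The redirect targets entry_page.php and index.html are the article's own.

```php
<?php
// Added example, not the article's code. Same design as the original
// (only the primary key lives in the session) with the 2002-era hazards
// removed: prepared statements instead of string interpolation, a stored
// hash instead of a clear-text password column, a regenerated session id
// at login, and an exit after every redirect.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=secure_online;charset=utf8mb4'; // placeholder
const DB_USER = 'app';        // placeholder
const DB_PASS = 'change-me';  // placeholder

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]);
    }
    return $pdo;
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,   // keep the id away from JavaScript
            'secure'   => true,   // never send it over plain HTTP
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Step 1: authenticate. Returns the security_id on success, null otherwise.
function login(string $username, string $password): ?int
{
    // Placeholders: user input is bound as data and can never become SQL syntax.
    $stmt = db()->prepare(
        'SELECT security_id, password_hash FROM security WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The table holds a password_hash() result, never the clear-text password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    start_session();
    session_regenerate_id(true);   // fresh id on privilege change defeats session fixation
    $_SESSION['sess_security_id'] = (int) $row['security_id'];
    return (int) $row['security_id'];
}

// Step 2: gate for every protected page. Redirects and stops the script;
// without the exit the rest of the page would still be sent to the caller.
function require_login(): int
{
    start_session();
    if (!isset($_SESSION['sess_security_id'])) {
        header('Location: index.html');
        exit;
    }
    return (int) $_SESSION['sess_security_id'];
}

// Step 3: reconstruct authorisation data from the key kept in the session.
function access_level(int $security_id): ?string
{
    $stmt = db()->prepare('SELECT access_level FROM security WHERE security_id = ?');
    $stmt->execute([$security_id]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : (string) $level;
}

// Login script: credentials come from $_POST, never from register_globals-style variables.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password']) !== null) {
        header('Location: entry_page.php');
        exit;
    }
    // authorisation not successful: fall through and show the form again
}

// Protected page:
// $id = require_login();
// if (access_level($id) === 'U') { /* content suitable for access level U */ }
```

A protected page calls require_login() once at the top and then passes the returned key to access_level(); because the level is re-read from the database on every request, revoking or changing a user's privileges takes effect immediately without touching their session.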
