Ok, you all are going to have to bear with me on this one as it is
kinda complicated to explain. I am implementing a company management
suite that requires Role-Based authentication (i.e. users are in groups
and groups have roles). I have one script which is included in EVERY
page in the protected area (masterFuncs.php) and it contains function
declarations as well as the authentication module kick-off. Here is a
snippet from masterFuncs
<snip>
<?php
// Shared libraries: cipher helper, ADOdb, the role-based auth class, page helpers
require_once("{$includeBase}company/utils/cipher/crypt_class.php");
require_once("{$includeBase}company/utils/Adodb/adodb.inc.php");
require_once("{$includeBase}company/security/RoleAuth.php");
require_once("{$includeBase}_data/__common/pageFunctions.php");
$rAuth = new RoleAuth();
if( isset($_GET['logout']) && TRUE == $_GET['logout'] )
{
    $rAuth->logout();
    header("Location: {$baseRef}company/index.php?feedback=".urlencode("You Have Been Logged Out"));
    exit; // stop here so the role checks below do not run after the redirect
}
if( !empty($mustHaveRoles) )
{
    //User is required to have ALL roles
    $rAuth->requireRoles($mustHaveRoles);
}
if( !empty($atLeastRoles) )
{
    //User is required to have 1 role
    $rAuth->requireAtLeast($atLeastRoles);
}
</snip>
Then when I want to restrict a page to a subset of my users I put at
the top:
<?php
// Roles this page requires; they must be set before masterFuncs.php is included
$mustHaveRoles = array("userCreate", "userEdit");
$atLeastRoles = array("userView");
include "../masterFuncs.php";
?>
Deeply seeded within the requireAtLeast() and requireRole() methods is
a session_start(). The problem arises when a script has
$mustHaveRoles or $atLeastRoles set and then after the return of the
include masterFuncs.php and the roles have been validated the script
may "include" another page that may have different role requirements
set and reincludes masterFuncs.php to verify them. When it gets to
the session_start() there is no session data set and it wants you to
re-authenticate.
As a weird twist, if I substitute require_once or include_once for the
include directive everything works...however I don't think that the
second role requirements are enforced because it does not re-evaluate
the script. Ideas??
Thanks in advance,
Sean Pinto
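
One way to keep a nested page's role requirements enforced when masterFuncs.php is loaded with require_once, as an added example that is not part of the original post and not the poster's RoleAuth code: the declarations load once, and each protected page makes an explicit check call. The function names, the `$_SESSION['roles']` layout, the `userDelete` role and the login URL are assumptions.

```php
<?php
// Added example. start_session_once(), roles_satisfied(), enforce_roles()
// and the $_SESSION['roles'] array are hypothetical, not RoleAuth's API.

// Start the session only if this request has not started one yet, so the
// check can be repeated from a page that was pulled in with include.
function start_session_once(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// True when the user holds every role in $mustHave and, if $atLeast is
// non-empty, at least one role from it.
function roles_satisfied(array $userRoles, array $mustHave, array $atLeast): bool
{
    if (array_diff($mustHave, $userRoles) !== []) {
        return false; // a required role is missing
    }
    return $atLeast === [] || array_intersect($atLeast, $userRoles) !== [];
}

// Each protected page calls this itself, so a second require_once of the
// declarations being a no-op does not skip the second page's check.
function enforce_roles(array $mustHave = [], array $atLeast = []): void
{
    start_session_once();
    $userRoles = $_SESSION['roles'] ?? null; // assumed to be set at login
    if (!is_array($userRoles)) {
        header('Location: /company/index.php'); // placeholder login URL
        exit;
    }
    if (!roles_satisfied($userRoles, $mustHave, $atLeast)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Outer page (role names from the post):
//   require_once "../masterFuncs.php";
//   enforce_roles(array("userCreate", "userEdit"), array("userView"));
// Page it includes ("userDelete" is a constructed role name):
//   require_once "../masterFuncs.php";   // no-op the second time
//   enforce_roles(array("userDelete"));  // still evaluated
```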