Authentication with $_SESSION

*** deko escribió/wrote (Sun, 20 Mar 2005 01:58:55 GMT):

What is the best way to implement authentication in PHP?
"Best tool for the work". The work is not always the same ;-)
Do you simply echo html if you have a valid session?

if (validate($_SESSION[var]))
{
[echo the complete page]
}

That way users who haven't registered or logged in just see a blank page
and leave the site thinking the server is broken. You'd better redirect to
login page. Check header() and exit().
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ No envíes tu dudas a mi correo, publícalas en el grupo
-+ Do not send me your questions, post them to the group
--

"deko" <de**@hotmail.com> wrote in message
news:zN******************@newssvr14.news.prodigy.c om...

What is the best way to implement authentication in PHP?
There is no one best way. It all depends on the requirements and design of
the application. In some situations, the best way could be not to implement
authentication in PHP.
Do you simply echo html if you have a valid session?

if (validate($_SESSION[var]))
{
[echo the complete page]
}

I like to redirect to different pages depending on the outcome of the login.
My login script looks something like this:

<?

if($user = Authenticate($_POST['user'], $_POST['pass'])) {
if(Authorize($user)) {
$_SESSION['user'] = $user;
Redirect("/welcome.php");
}
else {
Redirect("/no_access.php");
}
}
else {
Redirect("/incorrect_login.php");
}

?>

At the top of all my other scripts I have something like:

RestrictAccess('read message');

The function checks the user profile stored in the session. If the user is
not authorized to perform the action in specified in the argument, then he's
redirect to the no access page. If the profile isn't even there, then he's
redirect to index.php.

Conceptually, it's useful to keep clear a distinction between authentication
and authorization. Authentication is determining whether someone is who he
claim he is. Authorization is deciding whether he can do something. The fact
that someone is authenticated should not imply that he has access.

deko wrote:

What is the best way to implement authentication in PHP?

Do you simply echo html if you have a valid session?

if (validate($_SESSION[var]))
{
[echo the complete page]
}

I'm new to this so I don't know of any other ways to do it. Are there many
other ways? Examples?

Thanks!

this is what i do, first thing:
if (validate($_SESSION[var])) {
[echo the complete page]
} else die(header("Location: $login_page_url"));

Make sure you read up on the header() function: http://www.php.net/header

--TekWiz

TekWiz wrote:

this is what i do, first thing:
if (validate($_SESSION[var])) {
[echo the complete page]
} else die(header("Location: $login_page_url"));

Make sure you read up on the header() function: http://www.php.net/header

--TekWiz

If you write it like this, you keep the code cohesive
(i means, all auth code together, application code together):

if (!validate($_SESSION[var])) die(header("Location: $login_page_url"));

[echo the complete page]

--
Nadine St-Amand
Code generator sql2php : http://www.phpbackend.com/

*** Nadine St-Amand wrote/escribió (Fri, 24 Jun 2005 01:13:31 +0000):

If you write it like this, you keep the code cohesive
(i means, all auth code together, application code together):

if (!validate($_SESSION[var])) die(header("Location: $login_page_url"));

I didn't see the original post but header() returns nothing and die()
expects a string or integer. Even if this code does work its logic is
wrong.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--