"deko" <de**@hotmail.com> wrote in message
news:zN******************@newssvr14.news.prodigy.com...
> What is the best way to implement authentication in PHP?
There is no one best way. It all depends on the requirements and design of
the application. In some situations, the best way could be not to implement
authentication in PHP.
> Do you simply echo html if you have a valid session?
> if (validate($_SESSION[var]))
> {
>     [echo the complete page]
> }
I like to redirect to different pages depending on the outcome of the login.
My login script looks something like this:
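<?php
// Authenticate(), Authorize() and Redirect() are the poster's own helpers;
// their definitions are not shown.
// Authentication: do the submitted credentials identify a user?
if ($user = Authenticate($_POST['user'], $_POST['pass'])) {
    // Authorization: is this user allowed in?
    if (Authorize($user)) {
        $_SESSION['user'] = $user;
        Redirect("/welcome.php");
    }
    else {
        Redirect("/no_access.php");
    }
}
else {
    Redirect("/incorrect_login.php");
}
?>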
At the top of all my other scripts I have something like:
RestrictAccess('read message');
The function checks the user profile stored in the session. If the user is
not authorized to perform the action specified in the argument, then he's
redirected to the no access page. If the profile isn't even there, then he's
redirected to index.php.
Conceptually, it's useful to keep clear a distinction between authentication
and authorization. Authentication is determining whether someone is who he
claims he is. Authorization is deciding whether he can do something. The fact
that someone is authenticated should not imply that he has access.
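
An added sketch (not part of the original post and not the poster's code) of how a RestrictAccess() like the one described above could work, keeping the "not logged in" and "logged in but not allowed" outcomes separate. The profile layout in $_SESSION['user'] and the helpers access_decision() and redirect_and_stop() are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumed profile shape (hypothetical, not from the post):
//   $_SESSION['user'] = ['name' => 'alice', 'permissions' => ['read message']];

/**
 * Pure decision step, kept apart from the redirect so it can be unit tested.
 * Returns 'allow', 'no_access' (authenticated but not authorized) or
 * 'login' (no usable profile in the session).
 */
function access_decision($profile, string $action): string
{
    if (!is_array($profile) || !isset($profile['permissions'])
        || !is_array($profile['permissions'])) {
        return 'login';
    }
    // Strict comparison so type juggling cannot produce a match.
    return in_array($action, $profile['permissions'], true) ? 'allow' : 'no_access';
}

function redirect_and_stop(string $path): void
{
    header('Location: ' . $path, true, 302);
    exit; // Without exit the rest of the protected script would still run.
}

function RestrictAccess(string $action): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = access_decision($_SESSION['user'] ?? null, $action);
    if ($decision === 'allow') {
        return;
    }
    // Authenticated users without the permission go to the no access page;
    // visitors with no profile at all go back to index.php.
    redirect_and_stop($decision === 'no_access' ? '/no_access.php' : '/index.php');
}

// Top of a protected script:
RestrictAccess('read message');
echo 'Message body goes here';
```

The check fails closed: a missing or malformed profile is treated the same as no login, and nothing after RestrictAccess() executes unless the decision is 'allow'.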