
User Authentication and Sessions

I want to build a secure user authentication page that uses mySQL to
verify user, password, and access rights, where admins see everything
and full access, while others see only links and pages their 'group' has
access to.

I am pretty new to PHP and this will be a great learning project, so
any guidance on where to start would be welcome. I am looking at a few
tutorials now, but most of them seem to focus on protecting a whole
site or single page, I want the entire thing to be displayed
dynamically depending on access rights. A good tutorial and a push in
the right direction would be just about perfect.

Hope I provided enough info, I will more than likely pick your brains
again :-), thanks
Jonnie

Mar 24 '06 #1
3 Replies


A few examples to get you started:

At login screen:

.... ($uname and $upass from a <form>)...

// Escape the form values before they are placed in the SQL string
$uname_sql = mysql_real_escape_string($uname);
$upass_sql = mysql_real_escape_string($upass);
$query = "SELECT user_id, user_status FROM users WHERE
          user_name='$uname_sql' AND
          password='$upass_sql'";
$result = mysql_query($query);
if ($result) {
    if (mysql_num_rows($result) == 0) {
        $err[] = 'Username or password is incorrect.';
    } else {
        $row = mysql_fetch_array($result, MYSQL_ASSOC); // get status
        session_start(); // send session_id cookie to user
        $_SESSION['username'] = $uname;
        $status = $row['user_status']; // MYSQL_ASSOC rows are keyed by column name
        $_SESSION['status'] = $status;
        $url = 'http://' . $_SERVER['HTTP_HOST'] .
               dirname($_SERVER['PHP_SELF']);
        if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
            $url = substr($url, 0, -1); // strip the trailing slash
        }
        $url .= '/index.php'; // go back to index page, now logged in
        header("location: $url"); // bail out to the redirect page
        exit(); // and stop executing this script
    }
}
......

At top of page that requires a certain level to view:
Every page now has access to the user's status via the $_SESSION array.

session_start(); // send session_id cookie to user
if (isset($_SESSION['username'])) {
    $uname = $_SESSION['username'];
    $ustatus = $_SESSION['status'];
} else {
    $ustatus = 0; // not logged in
}
if ($ustatus < $this_page_level) { // some minimum status level to view this page
    // required to be logged in and with status high enough to
    // view this screen. If not redirect to another page
    $url = 'http://' . $_SERVER['HTTP_HOST'] .
           dirname($_SERVER['PHP_SELF']);
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
        $url = substr($url, 0, -1); // strip the trailing slash
    }
    $url .= '/login.php?'; // redirect, for example, to the login page
    header("location: $url"); // bail out to the redirect page
    mysql_close();
    exit(); // and stop executing this script
}

Or, if you simply want a link to be invisible when the user's status is
not high enough:

if ($ustatus >= $min_status)
    echo '<a href="someplace.php">You can\'t see me.</a>'; // apostrophe escaped inside the single-quoted string

--gary

Mar 24 '06 #2
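
A hardened take on the login and status check from the reply above, as an added example that is not the original poster's code: it uses PDO prepared statements, password_hash()/password_verify(), and a fresh session id at login. The table layout, helper names, sample accounts and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example: hypothetical schema and helper names. SQLite in memory
// stands in for MySQL; only the PDO DSN would differ.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
           pass_hash TEXT, user_status INTEGER)');

// Constructed sample accounts: store password_hash() output, never the password.
$add = $db->prepare('INSERT INTO users (user_name, pass_hash, user_status) VALUES (?, ?, ?)');
$add->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 9]);
$add->execute(['jonnie', password_hash('constructed-user-pw', PASSWORD_DEFAULT), 1]);

// Returns the user's status level on success, or null on any failure.
function check_login(PDO $db, string $uname, string $upass): ?int
{
    // Placeholders keep form input out of the SQL text entirely.
    $st = $db->prepare('SELECT pass_hash, user_status FROM users WHERE user_name = ?');
    $st->execute([$uname]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($upass, $row['pass_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $row['user_status'];
}

// Call after a successful check_login(), before any output is sent.
function start_user_session(string $uname, int $status): void
{
    session_start();
    session_regenerate_id(true); // new id at login defeats session fixation
    $_SESSION['username'] = $uname;
    $_SESSION['status'] = $status;
}

// Links the given status level may see; each page must repeat the same check.
function visible_links(array $links, int $ustatus): array
{
    return array_keys(array_filter($links, fn($min) => $ustatus >= $min));
}

$links = ['index.php' => 0, 'reports.php' => 1, 'admin.php' => 9]; // page => minimum status
var_dump(check_login($db, "admin' --", 'x'));   // quote in the name is just data
var_dump(check_login($db, 'jonnie', 'wrong'));  // wrong password is rejected
$user = check_login($db, 'jonnie', 'constructed-user-pw');
print_r(visible_links($links, $user ?? 0));     // menu for an ordinary user
$admin = check_login($db, 'admin', 'constructed-admin-pw');
print_r(visible_links($links, $admin ?? 0));    // menu for an admin
```

Hiding a link only changes the menu; the status comparison at the top of each protected page is what actually enforces access.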

Jonnie wrote:
I want to build a secure user authentication page that uses mySQL to
verify user, password, and access rights, where admins see everything
and full access, while others see only links and pages their 'group' has
access to.

I am pretty new to PHP and this will be a great learning project, so
any guidance on where to start would be welcome. I am looking at a few
tutorials now, but most of them seem to focus on protecting a whole
site or single page, I want the entire thing to be displayed
dynamically depending on access rights. A good tutorial and a push in
the right direction would be just about perfect.

Hope I provided enough info, I will more than likely pick your brains
again :-), thanks
Jonnie


Or simply use mod_auth_mysql from www.sourceforge.net.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 25 '06 #3

Jonnie wrote:
I want to build a secure user authentication page that uses mySQL to
verify user, password, and access rights, where admins see everything
and full access, while others see only links and pages their 'group' has
access to.

<snip>

Possibly
1. <news:11**********************@z14g2000cwz.googlegroups.com> (
http://groups.google.com/group/comp....0fad0eef59415a )
2. http://phpgacl.sourceforge.net/

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Mar 25 '06 #4
