Better control of site content and access
By Red Squirrel
So here is a way to handle logins, as well as manage who has access to what. Remember that $module holds the value of the page requested, and we have access to this variable even though we are in a different file, because this file is included after that variable is set.
1: In most cases this information would be in a database, but for the sake of this tutorial, everything is in static variables to make it easier to follow, and to avoid the need to look in a database. These two variables hold the username and password for a user account, in this case "root" with a password of "password". We store the password in MD5 for extra security.
2: These variables would also be in a database in most cases, usually in the same entry as each user. These hold the various permissions for each page, for each user. Never use this method in a real-life situation as it could get nasty...
3: Now that the "database" is loaded, we check to see which user is logged in by fetching the cookies. The user cookie holds the username, and the password cookie holds the MD5 string for the password.
4: If the user clicked the logout button (leading to index.php?authact=logout) then we run this "if" statement.
4.1: First we clear the cookie by replacing it with a blank one that expires in the past (and so will be deleted).
4.2: We clear the $loggedin vars, which are used in #6 to determine which user is logged in.
5: This if statement only gets executed if a user has hit the "login" button on the login form, which contains a textbox called "user" and a textbox called "pass".
5.1: This nested if statement checks whether the entered information matches the "database"; otherwise we go to 5.5, which is an error saying it's the wrong username/password.
5.2: We set the cookie so that the session is remembered for a year (the current time + 365*24*60*60 seconds).
5.3: We then assign the correct permission data to the $user var, which can be used throughout the modules to decide if a user has permission to do something.
5.4: We set the $loggedin vars to the correct information.
(now out of both if statements)
6: This is where the $loggedin vars come in handy: we check whether they are valid.
6.1: If root is logged in, then we assign root's information to the $user var.
6.2: Otherwise we assign the guest info instead.
6.3: Then we check if the wanted module (remember the $module variable in index.php?) is accessible by that user. If it's not, we replace the $module var with "login", so that when index.php continues its work, it will load the login module instead of the wanted module.
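The whole auth.php flow above (steps 1 to 6.3) written out as one file, as an added example rather than the tutorial's own code. It keeps the tutorial's structure and numbering but departs from the text in three places, each marked in the comments: password_hash()/password_verify() replace the MD5 string, the cookie carries the username plus an HMAC signature instead of the password hash, and the cookie is set with the Secure and HttpOnly flags (so it assumes the site runs over HTTPS). The AUTH_KEY constant is a constructed placeholder, and the module names home, admin and login are assumed for illustration. $user is assigned in one place only, in step 6, so the duplicated assignment the tutorial mentions does not arise.

```php
<?php
// auth.php: included by index.php after $module has been filled from the request,
// so $module is already available here. Added example, not the tutorial's own file.
// Departures from the tutorial text are marked as such below.

// Constructed secret used to sign the login cookie. Placeholder: a real site
// would load a long random key from configuration, never commit it to code.
const AUTH_KEY = 'replace-with-a-long-random-secret';

// 1: the "database" of accounts, static for the tutorial. The hash is created with
//    password_hash() instead of md5() (departure from the text); a real site would
//    store the pre-computed hash rather than call password_hash() on every request.
$accounts = [
    'root' => password_hash('password', PASSWORD_DEFAULT),
];

// 2: per-page permissions for each account, plus the guest entry used in 6.2.
//    Module names are assumed for this example.
$permissions = [
    'root'  => ['home' => true, 'admin' => true,  'login' => true],
    'guest' => ['home' => true, 'admin' => false, 'login' => true],
];

// Build the cookie value "username|hmac". The password hash never leaves the
// server (departure from the text, which keeps the MD5 string in a cookie).
function makeAuthCookie(string $username, string $key): string
{
    return $username . '|' . hash_hmac('sha256', $username, $key);
}

// 3: read the cookie back and return the username only if the signature checks out.
function readAuthCookie(?string $cookie, string $key): ?string
{
    if ($cookie === null || strpos($cookie, '|') === false) {
        return null;
    }
    [$username, $mac] = explode('|', $cookie, 2);
    $expected = hash_hmac('sha256', $username, $key);
    return hash_equals($expected, $mac) ? $username : null; // constant-time compare
}

$module     = (string) ($module ?? '');   // set by index.php before this include
$authact    = $_GET['authact'] ?? '';
$loggedin   = readAuthCookie($_COOKIE['auth'] ?? null, AUTH_KEY);
$loginerror = '';
$oneYear    = 365 * 24 * 60 * 60;

// 4: logout request (index.php?authact=logout). setcookie() must run before any output.
if ($authact === 'logout') {
    // 4.1: overwrite the cookie with a blank one that expired in the past
    setcookie('auth', '', time() - 3600, '/', '', true, true);
    // 4.2: forget the login for the rest of this request
    $loggedin = null;
}

// 5: the login form posted the fields "user" and "pass"
if ($authact === 'login' && isset($_POST['user'], $_POST['pass'])) {
    $candidate = (string) $_POST['user'];
    // 5.1: compare against the "database"; password_verify() does the hash check
    if (isset($accounts[$candidate])
        && password_verify((string) $_POST['pass'], $accounts[$candidate])) {
        // 5.2: remember the session for a year; Secure and HttpOnly flags added
        setcookie('auth', makeAuthCookie($candidate, AUTH_KEY), time() + $oneYear, '/', '', true, true);
        // 5.4: $_COOKIE only reflects the new cookie on the next request, so set $loggedin now
        $loggedin = $candidate;
    } else {
        // 5.5: one message for both failure cases, so the form does not reveal which accounts exist
        $loginerror = 'Wrong username or password.';
    }
}

// 6: pick the permission set for whoever is logged in
if ($loggedin !== null && isset($permissions[$loggedin])) {
    $user = $permissions[$loggedin];   // 6.1: a known account
} else {
    $user = $permissions['guest'];     // 6.2: everyone else is a guest
}

// 6.3: if the requested module is unknown or not allowed for this user, fall back
//      to the login module so that index.php renders it instead
if (!($user[$module] ?? false)) {
    $module = 'login';
}
```

index.php would set $module from the request, include this file, and then render $module; the login module can print $loginerror when it is non-empty. Unknown module names take the same path as forbidden ones, so a typo in the URL lands on the login page rather than producing a warning.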
Lost yet? Good, since we're pretty much done. The rest of the code involved, such as the header and footer, is not really new code if you have read our beginner PHP guides, so I won't explain any of it; most of it is HTML anyway and varies depending on the site. In this example we kept the HTML low end to concentrate on the engine, which is index.php and auth.php.
If you want to see a working version of this script you can view or download it. It will also give you an idea of the directory structure, and contains the same comments as the ones used in this tutorial.
Oh, and another thing: there's a small mistake in that code that I meant to put there (ok ok, so I did not really mean to, but decided to leave it there). It's not really a mistake, but rather unnecessary code. The mistake is at comment 5.3. Notice how we give $user the info, but we do the same on comment 6.2! This won't break anything, but it's simply a line of code that is not needed, so it can be removed.
When programming scripts/engines that consist of many documents, silly mistakes like these are possible and can impact performance on a large scale. So it's always good to try and notice these things, since they can be harder to find.
On the next page, we'll take a look at a script I use for security here at Iceteks, well the login part of it.
© Copyright 2019 Ryan Auclair/IceTeks, All rights reserved