--- "Chris W. Parker" <[EMAIL PROTECTED]> wrote:
> In an effort to prevent circumvention of the login page I've placed
> a check at the beginning of each page that basically does the
> following:
>
> <?php
> if(loggedin())
> {
>     // entire page of code goes here
> }
> else
> {
>     // redirect back to login page
> }
> ?>

This is fine, assuming loggedin() does what you intend and can't be subverted. The only risk is forgetting to add this check, since I assume you mean that you have to copy/paste this into every script. You might want to consider whether you can design your application in such a way that you can have a more centralized way to enforce authorization.

The one thing I would definitely consider doing differently is the redirect. You could, instead, just include the logic necessary for the login page, so that you avoid the superfluous transaction.

> As far as better ways go I was thinking that maybe I could employ
> .htaccess somehow?

Yes, and you can use a database like you're wanting. There is existing code to help you do this. However, this implements HTTP authentication, which has the little popup window. This is fine, but some people might perceive this as being unprofessional, so you might want to keep your audience in mind.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
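
One way to centralize the check discussed in this thread, as an added example that is not part of the original messages: a single entry script that every request passes through, which includes the login page's logic in place instead of redirecting. The page names, the `pages/` paths, the `user_id` session key and the body of `loggedin()` are assumptions made for illustration.

```php
<?php
// index.php: single entry point for the site (added example).
// Assumptions: page names, the pages/ paths and the 'user_id' session key.
declare(strict_types=1);

session_start();

// Hypothetical body for the loggedin() named in the thread: the login
// handler is assumed to store the user's id in the session on success.
function loggedin(): bool
{
    return isset($_SESSION['user_id']);
}

// Allowlist of servable pages. Only pages marked public skip the check.
const PAGES = [
    'login'   => ['file' => 'pages/login.php',   'public' => true],
    'home'    => ['file' => 'pages/home.php',    'public' => false],
    'account' => ['file' => 'pages/account.php', 'public' => false],
];

// Map a requested page name to [HTTP status, file to include or null].
function resolve_page(string $requested, bool $loggedIn): array
{
    if (!array_key_exists($requested, PAGES)) {
        return [404, null];            // not on the allowlist: include nothing
    }
    $page = PAGES[$requested];
    if (!$page['public'] && !$loggedIn) {
        // Run the login page's logic in this same response instead of
        // redirecting, which avoids the extra request/response pair.
        return [200, PAGES['login']['file']];
    }
    return [200, $page['file']];
}

// The page name comes from the query string; anything but a string
// (for example ?page[]=x) falls back to the default page.
$requested = is_string($_GET['page'] ?? null) ? $_GET['page'] : 'home';
[$status, $file] = resolve_page($requested, loggedin());
http_response_code($status);
if ($file === null) {
    exit('Not found');
}
header('Cache-Control: no-store'); // don't cache per-user or login output
require __DIR__ . '/' . $file;
```

For the check to be unavoidable, the files under `pages/` must not be reachable directly by URL: keep them outside the document root or deny access to that directory.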