Posted by Peter Fox on 10/23/06 18:34

Following on from laredotornado@zipmail.com's message. . .
>Your thoughts are greatly appreciated. - Dave

The _simplest_ scheme may not be the /most suitable/.

Basics:
1 Don't store the password, but a hash of it
2 Check authority to run a page on every page

The simplest scheme operates as you expect with
1 Force a login (see 3)
2 Validate login and set 'OK' flag in $_SESSION
3 Check the 'OK' flag at the top of each page and redirect to login if a
problem

In case you didn't know. You can put restricted content outside the web
root. PHP will be able to access these but browsers won't. Feed that
content into your web pages somehow and you have complete control. To
do this you might use the include directive or fopen() etc.


/webroot/phppages
/webroot/imagebits
/webroot/css
/library/phots
/library/sound
/database/mysql

All the web root directories are visible to browsers none of the others
are




--
PETER FOX Not the same since the submarine business went under
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>

[Back to original message]