Posted by phpdevkit on 12/29/06 02:07
I struggled with this too. I wanted my customer, the owner of the
webpage, to have the ability to run utilities to maintain his page's
database but prevent anyone from even accidentally running any of the
PHP utility scripts. It was more challenging considering the owner
might run these utilities from anywhere, like a public internet cafe.
I could have used a login and password but that can be picked up
en route since we were not using https. I finally decided to display a
simple, random puzzle that only the customer knew how to solve. If the
answer he typed matched the answer sitting on the server, a session key
was set and he was free to use any of the utilities until he closed the
browser. Anyone coming along and perhaps reviewing the URL history
(e.g., http://www....com/deleterecord.php?id=101) would get an error
message if they tried to run them.
Write me for details.

Anthony Smith wrote:
> I am looking into building a web application and one of the things I
> want to do is to make sure the user is logged in. I know I can do this
> by checking the session for a user object or something similar. Is
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
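
The flow described in the post (a random puzzle, the answer kept on the server, a session flag that every utility checks), as an added PHP example that is not the poster's code. The file name, function names, session keys and the puzzle rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// guard.php (hypothetical file name): included by the puzzle page and by every utility.

function start_guard_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Strict']);
    }
}

// Constructed stand-in for the rule only the owner knows:
// first digit times last digit, plus the middle digit.
function solve_puzzle(array $d): string {
    return (string) ($d[0] * $d[2] + $d[1]);
}

// Show a fresh puzzle; the expected answer stays in the server-side session.
function issue_puzzle(): string {
    start_guard_session();
    $digits = [random_int(2, 9), random_int(2, 9), random_int(2, 9)];
    $_SESSION['puzzle_answer'] = solve_puzzle($digits);
    return implode(' ', $digits);
}

// Compare the typed answer with the stored one; each puzzle allows one attempt.
function check_answer(string $typed): bool {
    start_guard_session();
    $expected = $_SESSION['puzzle_answer'] ?? null;
    unset($_SESSION['puzzle_answer']);
    if (!is_string($expected) || !hash_equals($expected, trim($typed))) {
        return false;
    }
    session_regenerate_id(true);            // new session id once unlocked
    $_SESSION['utilities_unlocked'] = true; // lasts until the browser session ends
    return true;
}

// First statement of each utility script, e.g. deleterecord.php.
function require_unlocked(): void {
    start_guard_session();
    if (empty($_SESSION['utilities_unlocked'])) {
        http_response_code(403);
        exit('Utilities are locked.');
    }
}
```

A utility script then begins with `require __DIR__ . '/guard.php'; require_unlocked();`, so a URL replayed from the browser history without the unlocked session gets the 403 response.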