
Login with multiple sessions


Manu Zuzu

Aug 8, 2010, 4:48:25 AM
Hello all,

In advance sorry to bother all you coders with my ignorant questions,
but I am a complete noob in PHP.

What I want is actually fairly simple. A simple website with a login
system and levels of membership.
Meaning the website has part A, B and C. A status members can only go
into the A part, B status in A and B, C status in A B and C.
If an A member goes into a C page it shows a sorry page saying their
membership does not allow to view the page.

This can I think all be set up with some standard scripts, still I
hope I can manage.

The next thing is that I only want it viewed by a certain agent. Let's
say Firefox, for example.
That would also be a simple script line I can add on each page
allowing only a single user agent.

Now we come to the difficult part that I will not be able to figure
out:
After login I want to redirect them to a certain session URL that will
be available for, for example, 24 hours after login, unless the user logs
out (I also want to let them use a password to log out).
Let's say the URL would be http://www.mydomain.com/index.php?page=1&session=adfwiu30edjd

This URL I want to be available to, for instance, 5 sessions. Meaning if
I am looking into this URL as an A member, I can forward this URL to 4
other friends (in completely different locations) who, if they use
Firefox, can view these pages logged in as me without even logging in.
If friend number 5 goes to that URL he will get a special page (sorry,
too many users) as that is person nr 6 starting a session and there are
already 5 active. The sessions also have to have a timeout, as if one
person stops looking person nr 6 should have access.

My questions for this are, does anyone know a basic open source login
system that I can download and use for this and can you put me in the
right direction for implementing the functions I want?

I am sorry if it all seems very confusing so feel free to ask
questions!
And not to forget thank you all in advance for reading and answering!

Manu

Jeff North

Aug 8, 2010, 8:27:50 AM
On Sun, 8 Aug 2010 01:48:25 -0700 (PDT), in comp.lang.php Manu Zuzu
<manuzu...@gmail.com>
<3effe5af-a3f5-4cb4...@b4g2000pra.googlegroups.com>
wrote:

>| Hello all,
>|
>| In advance sorry to bother all you coders with my ignorant questions,
>| but I am a complete noob in PHP.
>|
>| What I want is actually fairly simple. A simple website with a login
>| system and levels of membership.
>| Meaning the website has part A, B and C. A status members can only go
>| into the A part, B status in A and B, C status in A B and C.
>| If an A member goes into a C page it shows a sorry page saying their
>| membership does not allow to view the page.

This is pretty standard. Set your session value to 1,2 or 3 - (zero
being that the person hasn't logged in).

You can then set menus according to access levels i.e.
<?php if($_SESSION['level']==1) echo "menu1" ?>
menu 2
menu 3
<?php if($_SESSION['level']<=2) echo "menu4" ?>
<?php if($_SESSION['level']<=3) echo "menu5" ?>

This way the lower levels never get to see the menu options and
therefore wouldn't know if the pages existed or not.

>| This can I think all be set up with some standard scripts, still I
>| hope I can manage.
>|
>| The next thing is that I only want it viewed by a certain agent. Lets
>| say Firefox by example.
>| That would also be a simple script line I can add on each page
>| allowing only a simple user agent.

Bad idea. In Opera and Safari I can set the user-agent string to that
of another browser. How would you handle that situation?



>| Now we come to the difficult part that I will not be able to figure
>| out:
>| After login I want to redirect them to a certain session url that will
>| be available for by example 24 hours after login, unless the user logs
>| out (I also want to let them use a password to log out).
>| Lets say the url would be http://www.mydomain.com/index.php?page=1&session=adfwiu30edjd

That is not standard behavior. People are used to clicking the log out
button or simply closing the browser window. I doubt if you will get
anyone entering a password to log out.

The session id is unique to each visitor.

Gordon Burditt

Aug 8, 2010, 4:46:59 PM
>This is pretty standard. Set your session value to 1,2 or 3 - (zero
>being that the person hasn't logged in).
>
>You can then set menus according to access levels i.e.
><?php if($_SESSION['level']==1) echo "menu1" ?>
>menu 2
>menu 3
><?php if($_SESSION['level']<=2) echo "menu4" ?>
><?php if($_SESSION['level']<=3) echo "menu5" ?>

>This way the lower levels never get to see the menu options and
>therefore wouldn't know if the pages existed or not.

Security by obscurity doesn't work.

The lower levels never get to see the menu options and therefore
they will have to click on the links posted by C-level members to
get to them, or guess them because you used obvious naming for them.

Not showing options that can't be used may be viewed as either (1)
user-friendly or (2) a missed opportunity to upsell users to a
higher class membership. In any case, if that's all the security
you use, it's about as effective for security as the "Bank Employees
only in Vault" sign on the broken screen door to the back door of
the vault. It may be useful to not show options that aren't usable,
but don't mistake that for security.

The Natural Philosopher

Aug 8, 2010, 5:34:34 PM
Gordon Burditt wrote:
>> This is pretty standard. Set your session value to 1,2 or 3 - (zero
>> being that the person hasn't logged in).
>>
>> You can then set menus according to access levels i.e.
>> <?php if($_SESSION['level']==1) echo "menu1" ?>
>> menu 2
>> menu 3
>> <?php if($_SESSION['level']<=2) echo "menu4" ?>
>> <?php if($_SESSION['level']<=3) echo "menu5" ?>
>
>> This way the lower levels never get to see the menu options and
>> therefore wouldn't know if the pages existed or not.
>
> Security by obscurity doesn't work.
>
>

Tell that to the military spread spectrum boys then ;-)

They will be VERY disappointed to hear it..

Jeff North

Aug 8, 2010, 6:12:49 PM
On Sun, 08 Aug 2010 15:46:59 -0500, in comp.lang.php
gordon...@burditt.org (Gordon Burditt)
<rrqdnTaw35NeisLR...@posted.internetamerica> wrote:

>| >This is pretty standard. Set your session value to 1,2 or 3 - (zero
>| >being that the person hasn't logged in).
>| >
>| >You can then set menus according to access levels i.e.
>| ><?php if($_SESSION['level']==1) echo "menu1" ?>
>| >menu 2
>| >menu 3
>| ><?php if($_SESSION['level']<=2) echo "menu4" ?>
>| ><?php if($_SESSION['level']<=3) echo "menu5" ?>
>|
>| >This way the lower levels never get to see the menu options and
>| >therefore wouldn't know if the pages existed or not.
>|
>| Security by obscurity doesn't work.

Who said anything about security?

>| The lower levels never get to see the menu options and therefore
>| they will have to click on the links posted by C-level members to
>| get to them, or guess them because you used obvious naming for them.

You assume that all visitors to the site are knowledgeable in html.



>| Not showing options that can't be used may be viewed as either (1)
>| user-friendly or (2) a missed opportunity to upsell users to a
>| higher class membership.

I was looking at the problem more from a user-friendly point of view.
Your point about upselling needs to be considered but the structure I
offered is still capable of doing this i.e.
<?php if($_SESSION['level']==1) echo "menu1"; else echo "upsellMenu1"; ?>
menu 2
menu 3
<?php if($_SESSION['level']<=2) echo "menu4"; else echo "upsellMenu4"; ?>
<?php if($_SESSION['level']<=3) echo "menu5"; else echo "upsellMenu5"; ?>

But that is a design decision that the OP will have to make.

>| In any case, if that's all the security
>| you use, it's about as effective for security as the "Bank Employees
>| only in Vault" sign on the broken screen door to the back door of
>| the vault. It may be useful to not show options that aren't usable,
>| but don't mistake that for security.

I didn't.

Captain Paralytic

Aug 9, 2010, 6:18:51 AM
On 8 Aug, 09:48, Manu Zuzu <manuzuzu1...@gmail.com> wrote:
> Hello all,
>
> In advance sorry to bother all you coders with my ignorant questions,
> but I am a complete noob in PHP.
>
> What I want is actually fairly simple. A simple website with a login
> system and levels of membership.
> Meaning the website has part A, B and C. A status members can only go
> into the A part, B status in A and B, C status in A B and C.
> If an A member goes into a C page it shows a sorry page saying their
> membership does not allow to view the page.
>
> This can I think all be set up with some standard scripts, still I
> hope I can manage.
>
> The next thing is that I only want it viewed by a certain agent. Lets
> say Firefox by example.
> That would also be a simple script line I can add on each page
> allowing only a simple user agent.
>
> Now we come to the difficult part that I will not be able to figure
> out:
> After login I want to redirect them to a certain session url that will
> be available for by example 24 hours after login, unless the user logs
> out (I also want to let them use a password to log out).
> Lets say the url would be http://www.mydomain.com/index.php?page=1&session=adfwiu30edjd

>
> This url I want to be available to for instance 5 sessions. Meaning if
> I am looking into this url as an A member, I can forward this url to 4
> other friends (in completely different locations) who if they use
> Firefox can view this pages logged in as me without even logging in.
> If friend number 5 goes to that url he will get a special page (sorry
> to many users) as that is person nr 6 starting a session and there are
> already 5 active.  The sessions also have to have a timeout as if one
> person stops looking person nr 6 should have access.
>
> My questions for this are, does anyone know a basic open source login
> system that I can download and use for this and can you put me in the
> right direction for implementing the functions I want?
>
> I am sorry if it all seems very confusing so feel free to ask
> questions!
> And not to forget thank you all in advance for reading and answering!
>
> Manu

Just install a CMS (e.g. Joomla), then it's all done for you already.

Gordon Burditt

Aug 9, 2010, 11:18:17 PM
>>| >This is pretty standard. Set your session value to 1,2 or 3 - (zero
>>| >being that the person hasn't logged in).
>>| >
>>| >You can then set menus according to access levels i.e.
>>| ><?php if($_SESSION['level']==1) echo "menu1" ?>
>>| >menu 2
>>| >menu 3
>>| ><?php if($_SESSION['level']<=2) echo "menu4" ?>
>>| ><?php if($_SESSION['level']<=3) echo "menu5" ?>
>>|
>>| >This way the lower levels never get to see the menu options and
>>| >therefore wouldn't know if the pages existed or not.
>>|
>>| Security by obscurity doesn't work.
>
>Who said anything about security?

The OP asked for a login system that would prevent certain-class
members from seeing certain pages. It sounds like he's asking for
security to me. The above was proposed as a solution.

>>| The lower levels never get to see the menu options and therefore
>>| they will have to click on the links posted by C-level members to
>>| get to them, or guess them because you used obvious naming for them.
>
>You assume that all visitors to the site are knowledgeable in html.

No, I assume that at least *ONE* C-level member knows how to copy
links into a USENET posting, web site, blog, or whatever (perhaps
Google will do it for him), and lower-level members know how to
click on them.

Jerry Stuckle

Aug 9, 2010, 11:26:03 PM
Gordon Burditt wrote:
>>> | >This is pretty standard. Set your session value to 1,2 or 3 - (zero
>>> | >being that the person hasn't logged in).
>>> | >
>>> | >You can then set menus according to access levels i.e.
>>> | ><?php if($_SESSION['level']==1) echo "menu1" ?>
>>> | >menu 2
>>> | >menu 3
>>> | ><?php if($_SESSION['level']<=2) echo "menu4" ?>
>>> | ><?php if($_SESSION['level']<=3) echo "menu5" ?>
>>> |
>>> | >This way the lower levels never get to see the menu options and
>>> | >therefore wouldn't know if the pages existed or not.
>>> |
>>> | Security by obscurity doesn't work.
>> Who said anything about security?
>
> The OP asked for a login system that would prevent certain-class
> members from seeing certain pages. It sounds like he's asking for
> security to me. The above was proposed as a solution.
>
>>> | The lower levels never get to see the menu options and therefore
>>> | they will have to click on the links posted by C-level members to
>>> | get to them, or guess them because you used obvious naming for them.
>> You assume that all visitors to the site are knowledgeable in html.
>
> No, I assume that at least *ONE* C-level member knows how to copy
> links into a USENET posting, web site, blog, or whatever (perhaps
> Google will do it for him), and lower-level members know how to
> click on them.
>

You're right, Gordon. And in addition, as soon as the users figure out
the only "security" is "obscurity", a bunch of friends will pool their
finances so one of them can get the "C" level, and will pass the links
on to everyone else.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Jeff North

Aug 10, 2010, 2:01:38 AM
On Mon, 09 Aug 2010 22:18:17 -0500, in comp.lang.php
gordon...@burditt.org (Gordon Burditt)
<5sSdnY4M7J5kWf3R...@posted.internetamerica> wrote:

>| >>| >This is pretty standard. Set your session value to 1,2 or 3 - (zero
>| >>| >being that the person hasn't logged in).
>| >>| >
>| >>| >You can then set menus according to access levels i.e.
>| >>| ><?php if($_SESSION['level']==1) echo "menu1" ?>
>| >>| >menu 2
>| >>| >menu 3
>| >>| ><?php if($_SESSION['level']<=2) echo "menu4" ?>
>| >>| ><?php if($_SESSION['level']<=3) echo "menu5" ?>
>| >>|
>| >>| >This way the lower levels never get to see the menu options and
>| >>| >therefore wouldn't know if the pages existed or not.
>| >>|
>| >>| Security by obscurity doesn't work.
>| >
>| >Who said anything about security?
>|
>| The OP asked for a login system that would prevent certain-class
>| members from seeing certain pages. It sounds like he's asking for
>| security to me. The above was proposed as a solution.

That is not security it is only restricting access to certain areas.
If you are so hung up on security why don't you respond to the area
where the OP wants to share the session id with 5 other users/friends.



>| >>| The lower levels never get to see the menu options and therefore
>| >>| they will have to click on the links posted by C-level members to
>| >>| get to them, or guess them because you used obvious naming for them.
>| >
>| >You assume that all visitors to the site are knowledgeable in html.
>|
>| No, I assume that at least *ONE* C-level member knows how to copy
>| links into a USENET posting, web site, blog, or whatever (perhaps
>| Google will do it for him), and lower-level members know how to
>| click on them.

Thank you for shooting yourself in the foot.
I gave an *example* of a menu structure that *could* be used.
Nowhere did I post code that could appear on the 'restricted' pages.
Thank you for pointing out that the OP has a lot more things to
consider i.e. search engine indexing the site and publishing
'restricted' pages links.

Now be a helpful little chappy and supply some information to the OP
about security measures that need to be put into place.

[snip 2 end]

Curtis Dyer

Aug 12, 2010, 6:40:22 PM
Jeff North <jnor...@yahoo.com.au> wrote:

> On Mon, 09 Aug 2010 22:18:17 -0500, in comp.lang.php
> gordon...@burditt.org (Gordon Burditt)
> <5sSdnY4M7J5kWf3R...@posted.internetamerica> wrote:
>
>>| >>| >This is pretty standard. Set your session value to 1,2 or
>>| >>| >3 - (zero being that the person hasn't logged in).

<snip>

>>| >>| Security by obscurity doesn't work.
>>| >
>>| >Who said anything about security?
>>|
>>| The OP asked for a login system that would prevent
>>| certain-class members from seeing certain pages. It sounds
>>| like he's asking for security to me. The above was proposed
>>| as a solution.
>
> That is not security it is only restricting access to certain
> areas.

How is this not related to security?

<snip>

>>| >>| The lower levels never get to see the menu options and
>>| >>| therefore they will have to click on the links posted by
>>| >>| C-level members to get to them, or guess them because you
>>| >>| used obvious naming for them.
>>| >
>>| >You assume that all visitors to the site are knowledgeable in
>>| >html.

It's best to plan for crackers. I try to keep in mind there are
always malicious users out there much smarter than I am.

>>| No, I assume that at least *ONE* C-level member knows how to
>>| copy links into a USENET posting, web site, blog, or whatever
>>| (perhaps Google will do it for him), and lower-level members
>>| know how to click on them.
>
> Thank you for shooting yourself in the foot.

Huh?

> I gave an *example* of a menu structure that *could* be used.
> Nowhere did I post code that could appear on the 'restricted'
> pages.

The point is that your approach doesn't take appropriate measures
for keeping lower-level members out of higher-level areas. What's
wrong with pointing out the weakness of your approach?

> Thankyou for pointing out that the OP has allot more
> things to consider i.e. search engine indexing the site and
> publishing 'restricted' pages links.
>
> Now be a helpful little chappy and supply some information to
> the OP about security measures that need to be put into place.

It seems to me Gordon already has. In any case, I'd probably keep
users' access levels stored in a database. For each request, the
users' permissions can be checked against access levels for the
current document being requested. This avoids relying on
authentication via sessions.

> [snip 2 end]

--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>

Erwin Moller

Aug 13, 2010, 6:03:54 AM
On 8/13/2010 12:40 AM, Curtis Dyer wrote:

> It seems to me Gordon already has. In any case, I'd probably keep
> users' access levels stored in a database. For each request, the
> users' permissions can be checked against access levels for the
> current document being requested. This avoids relying on
> authentication via sessions.
>

Hi Curtis,

You say that you store users' permissions in a database as opposed to in a
session. What good would that do?

How do you check users' permissions in a database without using a session
to store at least something like a userid?

Could you elaborate a little more?

Regards,
Erwin Moller


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare

Curtis Dyer

Aug 13, 2010, 6:36:07 PM
Erwin Moller
<Since_humans_read_this...@spamyourself.com>
wrote:

> On 8/13/2010 12:40 AM, Curtis Dyer wrote:
>
>> It seems to me Gordon already has. In any case, I'd probably
>> keep users' access levels stored in a database. For each
>> request, the users' permissions can be checked against access
>> levels for the current document being requested. This avoids
>> relying on authentication via sessions.
>
> Hi Curtis,
>
> You say that you store users permissions in a database as
> opposed in a session. What good would that do?

I just find that it's more versatile in the long run.

But, for whatever reason, when I was writing that post, I was
thinking about the behavior of cookies as opposed to sessions--I'm
really not sure why. I guess I was having a really bad "off day".

> How do you check users permission in a database without using a
> session to store at least something like a userid?
>
> Could you elaborate a little more?

Sorry, I didn't mean to imply that you wouldn't need sessions at
all. As long as you use the session to identify the user, you can
look up their permissions in the database.
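
The per-request check described in the post above, together with the earlier point in the thread that hiding menu entries does not restrict access, as an added example (not code from any poster in the thread). The table, column and page names are hypothetical, the sample rows are constructed, and levels 1 to 3 stand for the A, B and C memberships:

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table, column and page names are
// hypothetical; the sample rows below are constructed.

// In-memory SQLite keeps this self-contained (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER NOT NULL)');
$db->exec('CREATE TABLE pages (name TEXT PRIMARY KEY, min_level INTEGER NOT NULL)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'carol', 3)");
$db->exec("INSERT INTO pages VALUES ('a_news', 1), ('b_forum', 2), ('c_archive', 3)");

/**
 * Return the HTTP status for a request to $page.
 * The session only says WHO the visitor is. The membership level is read
 * from the database on every request, so the check runs on the restricted
 * page itself and a link copied from a higher-level member grants nothing.
 */
function authorize(PDO $db, array $session, string $page): int
{
    if (!isset($session['user_id'])) {
        return 401;                        // not logged in
    }
    $stmt = $db->prepare('SELECT level FROM users WHERE id = ?');
    $stmt->execute([(int) $session['user_id']]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        return 401;                        // stale session: account no longer exists
    }
    $stmt = $db->prepare('SELECT min_level FROM pages WHERE name = ?');
    $stmt->execute([$page]);
    $required = $stmt->fetchColumn();
    if ($required === false) {
        return 404;                        // unknown page
    }
    // 403 is where the "sorry, your membership does not allow this" page goes.
    return ((int) $level >= (int) $required) ? 200 : 403;
}

// Constructed requests, including an A-level member following a link to a
// C-level page and a visitor with no session at all.
$cases = [
    [['user_id' => 1], 'a_news'],
    [['user_id' => 1], 'c_archive'],
    [['user_id' => 2], 'c_archive'],
    [[], 'c_archive'],
];
foreach ($cases as [$session, $page]) {
    $who = $session['user_id'] ?? 'anonymous';
    printf("%-10s %-10s => %d\n", $who, $page, authorize($db, $session, $page));
}

// On a real page (sorry.php is a hypothetical template):
//   session_start();
//   $status = authorize($db, $_SESSION, 'c_archive');
//   if ($status !== 200) { http_response_code($status); include 'sorry.php'; exit; }
```

The same function can drive the menu: show an entry only when `authorize()` returns 200 for its page, so what is displayed and what is enforced come from one rule.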

Jeff North

Aug 16, 2010, 1:46:53 AM
On Thu, 12 Aug 2010 22:40:22 +0000 (UTC), in comp.lang.php Curtis Dyer
<dye...@gmail.com>
<i41t8m$56s$1...@news.eternal-september.org> wrote:

>| Jeff North <jnor...@yahoo.com.au> wrote:
>|
>| > On Mon, 09 Aug 2010 22:18:17 -0500, in comp.lang.php
>| > gordon...@burditt.org (Gordon Burditt)
>| > <5sSdnY4M7J5kWf3R...@posted.internetamerica> wrote:
>| >
>| >>| >>| >This is pretty standard. Set your session value to 1,2 or
>| >>| >>| >3 - (zero being that the person hasn't logged in).
>|
>| <snip>
>|
>| >>| >>| Security by obscurity doesn't work.
>| >>| >
>| >>| >Who said anything about security?
>| >>|
>| >>| The OP asked for a login system that would prevent
>| >>| certain-class members from seeing certain pages. It sounds
>| >>| like he's asking for security to me. The above was proposed
>| >>| as a solution.
>| >
>| > That is not security it is only restricting access to certain
>| > areas.
>|
>| How is this not related to security?

[snip]

>| > I gave an *example* of a menu structure that *could* be used.
>| > Nowhere did I post code that could appear on the 'restricted'
>| > pages.
>|
>| The point is that your approach doesn't take appropriate measures
>| for keeping lower-level members out of higher-level areas. What's
>| wrong with pointing out the weakness of your approach?

I never claimed that this was a secure method. I repeat - it was an
example of a menu structure that could be used - no more, no less.

[snip 2 end]

Manu Zuzu

Aug 24, 2010, 12:47:30 PM
I am sorry about not replying myself.
What did I know, the evening after posting we went to the hospital and
my first child was born. So we have been in the hospital for a week
and the week after was also very busy.

Anyway.. my apologies for not replying and not thanking you for your
answers.

I have slightly changed the plan though and this doesn't all apply
anymore so best is to open a new topic I think.
