Simple PHP access control
Access control can be a complicated process. Taking a “simple, but not simpler” approach allows extensibility in this basic task of web application development.
This approach for controlling access to a web application is a simple two-part loop:
- user not logged in: display login form
- user is logged in: display application
There’s nothing new here; I’m simply documenting an approach I have found easy to implement. In it, the user loads the application’s index. The index’s code asks, “Is the user logged in?” If the answer is “yes” the application’s main function is called. If “no” the function to display the login form is called. Using this method, the user never gains access to any of the application’s functionality until they pass the login test. Security is built into the method by design.
For the purposes of the demonstration, we will use three (3) files:
- index.php
- login.php
- functions.php
The “functions.php” file is where the functions for displaying the login form and for starting the application are located. The “login.php” is used to grant access to the application or to log out a user. It’s a separate file and, again, security is built into the method.
Here’s a diagram which shows the path the user takes through the method:
[Diagram: the user’s path through the login / application loop (image not reproduced here)]
Now, let’s look at the code involved:
File: index.php
<?php
session_start(); // if necessary
include_once "functions.php";
if (user_is_loggedin()) {
    do_application(); // app's main function
} else {
    display_login_form();
}
?>
Here, we simply check the value returned from the user_is_loggedin() function to determine what to do.
File: login.php
<?php
include_once "functions.php";
if (isset($_POST['username'])) {
    setcookie("username", $_POST['username']); // log in: create the cookie
} else {
    setcookie("username", ""); // log out: an empty value removes the cookie
}
header("Location: index.php");
exit; // stop here so nothing runs after the redirect is sent
?>
The “login.php” file is called from the “display_login_form()” function in the “functions.php” file (code below). The code here either creates or destroys a cookie. The cookie is used in the “user_is_loggedin()” function, also below.
File: functions.php
<?php
function user_is_loggedin() {
    if (isset($_COOKIE['username'])) {
        return true;
    } else {
        return false;
    }
} // end user_is_loggedin()

/* Displays login form
 * *******************
 */
function display_login_form() {
    // Build the form as one concatenated string; only the last line ends the statement.
    $html_str = "<div id=\"login_form\">"
        . "<h2>Login to Application</h2>"
        . "<form action=\"login.php\" method=\"post\">\n"
        . "<p>Username: <input type=\"text\" name=\"username\" value=\"\" /></p>\n"
        . "<p>Password: <input type=\"password\" name=\"password\" /></p>\n"
        . "<p><input type=\"submit\" value=\"Login\" /></p>\n"
        . "</form>\n"
        . "</div>\n";
    echo $html_str;
} // end display_login_form()

/* Main function
 * *************
 */
function do_application() {
    /*
     * Functionality of application
     */
    // Logout button (this form has no "username" field, so login.php clears the cookie)
    $html_str = "<form id=\"logout\" action=\"login.php\">\n"
        . "<p><input type=\"submit\" value=\"Quit\" /></p>\n"
        . "</form>\n";
    echo $html_str;
} // end do_application()
?>
In “user_is_loggedin()”, we check to see if a cookie has been created for the user, meaning the user has logged in. You’ll notice also the “logout button” code in the main application function. As it does not contain a form field named “username,” the check in “login.php” evaluates to false. This calls the code that destroys the cookie created during the login process.
To sum things up:
- We check to see whether a user is logged in. If “yes”, we start the application. If “no” we ask them to log in.
- If user is logged in and wants to log out, we destroy the user cookie, forcing the display of the login form again.
This access control method is simple and can be easily expanded to provide storage of user settings in a database and the creation/management of user groups. It is based upon the question, “Is the user logged in?” and the use of a client-side cookie.
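The loop above answers “Is the user logged in?” from a cookie the browser itself can set, and login.php never checks the password it receives. Here is an added example (not code from the original post) of the same login.php/functions.php logic with the answer kept in the server-side session and the password verified against a stored hash; the user table is constructed for the demo and would normally come from a database.

```php
<?php
// Added example: same two-part loop, but "logged in" is recorded in $_SESSION
// (only the server can write it; the browser holds just the session id) and
// login.php verifies the password before granting it.
session_start();

function load_users(): array {
    // Constructed sample user; the hash is generated at runtime for the demo only.
    // A real application loads the stored password_hash() value from its database.
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

function user_is_loggedin(): bool {
    return isset($_SESSION['username']);
}

function attempt_login(string $username, string $password): bool {
    $users = load_users();
    // Verify against a dummy hash for unknown users so both paths do similar work.
    $hash = $users[$username] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash) && isset($users[$username]);
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id after a privilege change
    $_SESSION['username'] = $username;
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// login.php logic: a POST carrying credentials is a login attempt; as in the
// original, any other request (the "Quit" form) logs the user out.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (!attempt_login($_POST['username'], $_POST['password'])) {
        error_log("failed login for user " . $_POST['username']); // visible to monitoring
    }
} else {
    logout();
}
header("Location: index.php");
exit;
```

index.php is unchanged apart from calling session_start() before user_is_loggedin(); display_login_form() and do_application() can stay as they are.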