[eluser]underskor[/eluser]
Hey lads,
Struggling to find a decent article on this. Wondering what you guys think.
Say you have a parent controller's constructor, which is where the authentication for the child controllers is done. Is the following (very general) process the best, most secure way? Note: I haven't delved very far into sessions so I apologize if anything is incorrect.
Code:
<?php
/*Login Page****************************************/
//Start session
session_start();
//Form is submitted, creds matched to creds in DB - login successful
//Regenerate session id to help protect against fixation; passing true
//deletes the old session's data instead of leaving it on disk under the old id
session_regenerate_id(true);
//Set auth level from DB
$_SESSION['auth_level'] = 'ADMIN';

<?php
/*Parent Controller****************************************/
//Start session
session_start();
//Check if session is set and auth level sufficient
if (isset($_SESSION['auth_level']) && $_SESSION['auth_level'] === 'ADMIN') {
    //Show secure content
} else {
    //Redirect to login page, then stop so nothing further runs for an unauthenticated request
    header('Location: /login');
    exit;
}
Apologies if any of this fails to make sense. Had this New Thread page open for about 2 hours now, doing reading, trying to figure out the best way to ask what I want.
Thanks
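An added, fuller version of the flow the post sketches (login, guard, logout), written as plain PHP outside any framework; this is example code, not the original poster's code or anything from CodeIgniter. The users array, the usernames, the passwords and the /login and /admin paths are constructed for illustration, and the one-hour session age limit is an assumed policy.

```php
<?php
// Added example (not the original poster's code): session-based login, guard and logout.
// Assumptions: the $users array stands in for a database lookup; the /login path,
// the usernames/passwords and the 3600 s session age limit are made up for the demo.
declare(strict_types=1);

function configure_session(): void
{
    // Strict mode: a client-supplied id that PHP did not create is discarded,
    // which is the server-side half of the fixation defence.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Cookie flags: not readable by script, TLS only, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed stand-in for the users table; hashes are made with password_hash().
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'auth_level' => 'ADMIN'],
            'bob'   => ['id' => 2, 'hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'auth_level' => 'USER'],
        ];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $user = find_user($username);
    // Always run password_verify, against a dummy hash if the user is unknown,
    // so response time does not reveal which usernames exist.
    $verified = password_verify($password, $user['hash'] ?? $dummyHash);
    if ($user === null || !$verified) {
        return false;
    }
    // Privilege level is changing: issue a fresh id and delete the old session
    // data, so an id an attacker planted before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['auth_level'] = $user['auth_level'];
    $_SESSION['login_time'] = time();
    return true;
}

// Call from the parent controller's constructor before any protected work.
function require_auth_level(string $required, int $maxAge = 3600): void
{
    $ok = isset($_SESSION['user_id'], $_SESSION['auth_level'], $_SESSION['login_time'])
        && $_SESSION['auth_level'] === $required
        && (time() - $_SESSION['login_time']) < $maxAge;
    if (!$ok) {
        logout();
        header('Location: /login', true, 303);
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in the login page:
//   configure_session();
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /admin'); exit; }
// Usage in the parent controller's constructor:
//   configure_session();
//   require_auth_level('ADMIN');
```

The three points this adds to the sketch in the post are the `use_strict_mode` setting (regenerating the id only helps if the server also refuses ids it never issued), the `true` argument to `session_regenerate_id()` so the pre-login session data is actually removed, and an `exit` after the redirect so the rest of the controller never runs for an unauthenticated request.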