
To keep the "Administration Panel" restricted to users who are logged in to my web application, is the best practice to use an if/else statement?

session_start(); // the session must be started before $_SESSION is populated

// Guard with isset() so an unauthenticated visitor does not trigger an
// "undefined index" notice, and compare strictly against true.
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {
   include '../styles/templates/admincp/header.php';
   include '../styles/templates/admincp/content.php';
   include '../styles/templates/admincp/footer.php';
}
else {
   include '../styles/templates/login.php';
}

Is this how the "professionals" (such as CMS creators, etc.) do this style of authentication? Or is there a completely better route and method than the if/else statement to authenticate pages so that only logged-in users can access them?

  • Why can't you use isset($_SESSION['logged_in'])? Commented Mar 29, 2014 at 13:42

2 Answers


At some point, all authentication comes down to an if statement.

  • If this user is logged in...
  • If this user has manager privileges...
  • If this user has admin privileges...
  • If this user has connected from an OAuth provider...

There are many methods for including (or excluding) the privileged features:

  • Hide the things the user isn't allowed to see
  • Don't include a module or control
  • Redirect the user to a page that they do have access to

The example code you have posted will work just fine.


It finally comes down to an if statement somewhere in your code. Personally, I have something more like this:

session_start(); // populate $_SESSION from the session cookie

if ( isset($_SESSION['user']) &&
     true === (bool) $_SESSION['user']['login'] &&
     0 < (int) $_SESSION['user']['id'] &&
     time() <= ((int) $_SESSION['user']['last-activity'] + 20 * 60) &&
     $_SERVER['REMOTE_ADDR'] === (string) $_SESSION['user']['ip']
     ) {

    /* Update the last user activity time */
    $_SESSION['user']['last-activity'] = time();

    /* Check the permissions, etc. */

    /* Render dashboard */

} else {

    /* Redirect to Login ('.' is PHP's string concatenation operator, not '+') */
    header( 'Location: ' . $cfg->url . '/login/' );

    /* Stop here: a header() alone does not end the script, and without
       exit the protected content below would still be sent to the client. */
    exit;
}
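Both answers agree that the gate is ultimately an if statement; what separates a hobby check from what a CMS ships is everything around that statement. The following is an added example written for this page, not code from the question or from either answer, showing the pieces a practitioner would expect: a guard helper included at the top of every admin page, session-id regeneration at login (against session fixation), idle and absolute timeouts, a redirect that actually stops the script, and a separate role check, since "logged in" is not the same as "allowed into the admin panel". The function names (login_user, logout_user, require_login, require_role), the session keys, the timeout values and the /login/ URL are all assumptions chosen for illustration.

```php
<?php
// Added example (not from the question or either answer). Names, session
// keys, timeouts and the /login/ URL below are illustrative assumptions.
declare(strict_types=1);

// Cookie hardening must be set before session_start(): no JavaScript access,
// HTTPS only, not attached to cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

const IDLE_TIMEOUT     = 20 * 60;      // seconds of inactivity before re-login
const ABSOLUTE_TIMEOUT = 8 * 60 * 60;  // hard cap on how long one login lasts

/**
 * Call once, right after the password check succeeds (e.g. password_verify()).
 * Regenerating the session id defeats session fixation: an id the attacker
 * planted in the victim's browser before login is never promoted to an
 * authenticated session.
 */
function login_user(int $userId, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = [
        'id'            => $userId,
        'role'          => $role,
        'logged_in_at'  => time(),
        'last_activity' => time(),
    ];
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

/** Redirect and STOP. header() alone does not end the script. */
function redirect_to_login(): void
{
    header('Location: /login/', true, 303);
    exit;
}

/** Gate a page behind a valid, non-expired session; returns the user record. */
function require_login(): array
{
    $u = $_SESSION['user'] ?? null;
    if (!is_array($u) || !isset($u['id'], $u['role'], $u['logged_in_at'], $u['last_activity'])) {
        redirect_to_login();
    }
    $now = time();
    if ($now - $u['last_activity'] > IDLE_TIMEOUT
        || $now - $u['logged_in_at'] > ABSOLUTE_TIMEOUT) {
        logout_user();
        redirect_to_login();
    }
    $_SESSION['user']['last_activity'] = $now;
    return $_SESSION['user'];
}

/** Authorisation on top of authentication: a logged-in user is not an admin. */
function require_role(string $role): array
{
    $u = require_login();
    if ($u['role'] !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $u;
}

// ---- usage: first lines of admincp/index.php ----
$user = require_role('admin');
include '../styles/templates/admincp/header.php';
include '../styles/templates/admincp/content.php';
include '../styles/templates/admincp/footer.php';
```

The guard is put in one file that every protected page includes before it emits any output, so the check cannot be forgotten on a single page and the redirect headers can still be sent. The two points that most often go wrong in hand-written versions are visible in the code: the `exit` after `header('Location: ...')`, without which the admin templates are still rendered and sent to the unauthenticated client, and `session_regenerate_id(true)` at login. Setting `session.use_strict_mode=1` in php.ini complements the latter by refusing session ids the server never issued.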
