In my previous post about writing a PHP Framework I mentioned a script called Tower.php. By using Tower as the single point of entry I can handle authentication and authorization all in one place for any page rendered.

Authentication is deciding whether a user has access to the system. This is most often accomplished by requiring the user to enter a username and password. Tower.php checks the user's credentials and sends them to the login page if they are not authenticated. This works whether the user is trying to go to a bookmarked page or if their session has timed out but they still have the application up in their browser.

Authorization, on the other hand, determines what parts of the system the user has access to – whether they have been authenticated or not. In my framework, I have chosen to implement authorization by requiring each page to define the permission required to render it. I then group the permissions into roles and assign a role to each user. If the page doesn't require any permission, then it is a public page and anyone can view it. This is, of course, the case with the login page.
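To make the two checks concrete, here is an added example of a Tower-style single entry point. It is not the author's Tower.php; the page registry, the role-to-permission map, the `user_id`/`role` session keys and the `?page=` query parameter are all assumptions made for illustration. Run from the command line it dry-runs a few constructed sessions; served by a web server it behaves as the real front controller would: authenticate first, then authorize against the page's declared permission, and only then include the page.

```php
<?php
declare(strict_types=1);

// Each page names the permission it requires; null marks a public page (the login page here).
// The page list and permission names are assumed for this example.
const PAGES = [
    'login'   => ['file' => 'pages/login.php',   'permission' => null],
    'home'    => ['file' => 'pages/home.php',    'permission' => 'view_home'],
    'reports' => ['file' => 'pages/reports.php', 'permission' => 'view_reports'],
    'admin'   => ['file' => 'pages/admin.php',   'permission' => 'manage_users'],
];

// Permissions grouped into roles; each user carries exactly one role in the session (assumed layout).
const ROLES = [
    'viewer'  => ['view_home'],
    'analyst' => ['view_home', 'view_reports'],
    'admin'   => ['view_home', 'view_reports', 'manage_users'],
];

// Authentication: does the session identify a logged-in user?
function is_authenticated(array $session): bool
{
    return isset($session['user_id'], $session['role']);
}

// Authorization: does the role grant the permission? Deny by default.
function is_authorized(?string $role, ?string $permission): bool
{
    if ($permission === null) {
        return true;                      // public page, no role needed
    }
    if ($role === null || !isset(ROLES[$role])) {
        return false;                     // unknown or missing role grants nothing
    }
    return in_array($permission, ROLES[$role], true);
}

// Decide what Tower should do for a request: render (200), redirect to login (302), 403 or 404.
function resolve(string $requested, array $session): array
{
    if (!isset(PAGES[$requested])) {
        return ['status' => 404, 'page' => null];
    }
    $page = PAGES[$requested];
    if ($page['permission'] !== null && !is_authenticated($session)) {
        // Session missing or expired: send to login, remembering where the user was going.
        // $requested has already been validated against PAGES, so it is safe to store.
        return ['status' => 302, 'page' => 'login', 'return_to' => $requested];
    }
    if (!is_authorized($session['role'] ?? null, $page['permission'])) {
        return ['status' => 403, 'page' => null];
    }
    return ['status' => 200, 'page' => $requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed sessions for a stand-alone dry run; no web server or real session needed.
    $cases = [
        ['login',   []],                                    // public page: 200
        ['home',    []],                                    // not logged in: 302 to login
        ['reports', ['user_id' => 7, 'role' => 'viewer']],  // role lacks permission: 403
        ['reports', ['user_id' => 7, 'role' => 'analyst']], // role grants permission: 200
        ['nope',    ['user_id' => 7, 'role' => 'admin']],   // unknown page: 404
    ];
    foreach ($cases as [$name, $session]) {
        $r = resolve($name, $session);
        printf("%-8s role=%-8s -> %d %s\n", $name, $session['role'] ?? '-', $r['status'], $r['page'] ?? '');
    }
    exit;
}

// Web entry: the only script that should be reachable from the web.
session_start();
$requested = $_GET['page'] ?? 'home';
$result = resolve($requested, $_SESSION);
switch ($result['status']) {
    case 302:
        $_SESSION['return_to'] = $result['return_to'];
        header('Location: Tower.php?page=login', true, 302);
        exit;
    case 403:
        http_response_code(403);
        exit('Forbidden');
    case 404:
        http_response_code(404);
        exit('Not found');
    default:
        define('TOWER', true);            // pages check this so they cannot be loaded directly
        require PAGES[$result['page']]['file'];
}
```

Two design points matter for a single entry point. First, both checks deny by default: an unknown page, a missing role or a role not in the map all fail closed, and the 404 for unknown names comes before any session handling. Second, the guarantee only holds if Tower.php is genuinely the only way in; the `TOWER` constant (or keeping `pages/` outside the web root) is what stops a browser from requesting `pages/admin.php` directly and skipping both checks.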