Use security roles to provide varying levels of access to your web application.
Not all users who approach a system have the same rights within that system. For example, some users can add and remove users, some can post, some can only read messages, and some can do a combination of all of these.
A proper role-based system not only restricts access to parts of the system, but also reduces the complexity of pages for users with restricted rights. The user should not be able to see links that she cannot use, and she should have links to the tasks appropriate for her. This hack demonstrates a fairly straightforward role-based security system.
Figure 6-18 shows the page flow among the different pages in the hack. The user starts on the index.php page, which has the login. That page submits to the login.php page, which checks the login information. If the login credentials are accepted, the user is logged in and is forwarded on to the welcome.php page. If the login credentials aren't accepted, the user is sent back to the index.php page. From the welcome.php page, the user can do one of two things. She can log out by clicking a link to the logout.php page, which dumps her session and sends her back to index.php, or she can try to go to the manage.php page directly; that page checks her credentials and sends her back to the welcome.php page if she doesn't have proper credentials.
Figure 6-18. The page flow in this hack
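The following is an added example, not the hack's own code, showing how the role checks behind this page flow can be implemented in PHP. It assumes a shared include named `roles.php` (hypothetical), a user table constructed inline with three roles (`reader`, `poster`, `admin`) ranked so that each higher role includes the rights of the lower ones, session keys `user` and `role`, and a hypothetical `post.php` page for the poster role; the sketches of `login.php`, `welcome.php`, `manage.php` and `logout.php` at the end show where each helper is called.

```php
<?php
// roles.php (hypothetical shared include; added example, not the hack's code)
// Role-based access helpers for the index/login/welcome/manage/logout flow.

// Constructed user table. In a real application the users, password hashes
// and roles would come from a database; they are inlined so the example runs.
// Hashes are computed at load time only to keep the sample self-contained.
$USERS = [
    'alice' => ['hash' => password_hash('alice-pass', PASSWORD_DEFAULT), 'role' => 'admin'],
    'bob'   => ['hash' => password_hash('bob-pass',   PASSWORD_DEFAULT), 'role' => 'poster'],
    'carol' => ['hash' => password_hash('carol-pass', PASSWORD_DEFAULT), 'role' => 'reader'],
];

// Role ranking (assumption): a higher role includes every lower role's rights.
const ROLE_LEVELS = ['reader' => 1, 'poster' => 2, 'admin' => 3];

// Check a username/password pair; return the role on success, null otherwise.
function authenticate(array $users, string $username, string $password): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['role']
        : null;
}

// Record a successful login in the session. Regenerating the session id
// keeps an id chosen before login from surviving it (session fixation).
function login_user(string $username, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $role;
}

function current_role(): ?string
{
    return $_SESSION['role'] ?? null;
}

// True when the logged-in user's role is at least $required.
function has_role(string $required): bool
{
    $role = current_role();
    return $role !== null
        && isset(ROLE_LEVELS[$role], ROLE_LEVELS[$required])
        && ROLE_LEVELS[$role] >= ROLE_LEVELS[$required];
}

// Server-side gate for a page: redirect and stop if the role is insufficient.
// The exit matters: without it PHP keeps rendering the page after sending the
// Location header, and a client that ignores redirects still sees the content.
function require_role(string $required, string $redirect_to): void
{
    if (!has_role($required)) {
        header('Location: ' . $redirect_to);
        exit;
    }
}

// Links a page should show for the current role, so users only see the tasks
// they can perform. Hiding a link is a usability measure, not enforcement:
// the target page must still call require_role() itself.
function nav_links(): array
{
    $links = ['logout.php' => 'Log out'];
    if (has_role('poster')) {
        $links['post.php'] = 'Post a message';   // post.php is hypothetical
    }
    if (has_role('admin')) {
        $links['manage.php'] = 'Manage users';
    }
    return $links;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// How the hack's pages would use these helpers (sketched as comments):
//
// login.php:
//   session_start(); require 'roles.php';
//   $role = authenticate($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($role === null) { header('Location: index.php'); exit; }
//   login_user($_POST['username'], $role);
//   header('Location: welcome.php'); exit;
//
// welcome.php:
//   session_start(); require 'roles.php';
//   require_role('reader', 'index.php');      // any logged-in role may view
//   foreach (nav_links() as $href => $label) {
//       echo '<a href="', htmlspecialchars($href), '">', htmlspecialchars($label), '</a>';
//   }
//
// manage.php:
//   session_start(); require 'roles.php';
//   require_role('admin', 'welcome.php');     // non-admins are sent back
//
// logout.php:
//   session_start(); require 'roles.php';
//   logout_user(); header('Location: index.php'); exit;
```

The two design points worth noticing are that the decision is made on the server from the session, never from anything the browser submits, and that every page with restricted content calls `require_role()` at the top rather than relying on `welcome.php` having hidden the link, which is exactly why `manage.php` in the flow above still checks credentials when a user types its URL directly.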
The welcome.php page also checks to see ...