Chapter 14. Authorization and Sessions

It’s time to add some refinement to the authentication and navigation systems you built in the last couple of chapters. You’ve created an attractive login screen as well as added authentication to let users into and out of your application. It’s time to go further: authorize.php needs to be improved. It should take in a group (or, better, a list of groups) for the user and only allow access if the user is in the permitted group, such as an administrator group.

You also have basic navigation, but again, there are some needed improvements: users in certain groups should see an option to administrate users and get a link to show_users.php (in addition to the standard link to show_user.php).

And then…there’s a problem with cookies. In Chapter 13, you learned how to go beyond basic authentication by using cookies, and that’s a good thing. But there are some very real concerns surrounding a high-end application using cookies, and only cookies, for authentication. In this chapter, you’ll do all of the above and more.

Modeling Groups in Your Database

Before you can look up the groups to which a user belongs, you need to have some groups in your database. You need a table to store groups and some means by which you can connect a user to a group. Also, you need to be able to connect one user to multiple groups.

There are a few distinct steps here:

  1. Create a table in the database to store groups.

  2. Map a user to zero, one, or more groups.

  3. Build ...
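As an added illustration (not the book's own code), here is one way to carry out steps 1 and 2 in MySQL: a groups table, a join table so one user can belong to zero, one or many groups, and the membership query authorize.php could run against a list of permitted groups. The table and column names, and a users table keyed by user_id, are assumptions.

```sql
-- Step 1: a table of groups. `groups` is a reserved word in MySQL 8,
-- hence the backticks everywhere it appears.
CREATE TABLE `groups` (
  group_id INT AUTO_INCREMENT PRIMARY KEY,
  name     VARCHAR(50) NOT NULL UNIQUE
);

-- Step 2: a join table maps users to groups (many-to-many). The composite
-- primary key rules out duplicate memberships; the foreign keys keep
-- memberships from outliving the user or group they refer to.
-- Assumes an existing users table with a user_id primary key.
CREATE TABLE user_groups (
  user_id  INT NOT NULL,
  group_id INT NOT NULL,
  PRIMARY KEY (user_id, group_id),
  FOREIGN KEY (user_id)  REFERENCES users(user_id)      ON DELETE CASCADE,
  FOREIGN KEY (group_id) REFERENCES `groups`(group_id)  ON DELETE CASCADE
);

INSERT INTO `groups` (name) VALUES ('admins'), ('editors'), ('members');

-- Constructed sample data: user 1 is an admin and a member, user 2 only a member.
INSERT INTO user_groups (user_id, group_id)
  SELECT 1, group_id FROM `groups` WHERE name IN ('admins', 'members');
INSERT INTO user_groups (user_id, group_id)
  SELECT 2, group_id FROM `groups` WHERE name = 'members';

-- The check authorize.php needs: is the logged-in user (bound to ? with a
-- prepared statement, never string-interpolated) in ANY permitted group?
-- Returns 1 for user 1 and 0 for user 2 with the permitted list below.
SELECT EXISTS (
  SELECT 1
    FROM user_groups ug
    JOIN `groups` g ON g.group_id = ug.group_id
   WHERE ug.user_id = ?
     AND g.name IN ('admins', 'editors')
) AS authorized;
```

Because the decision is made in the database from the session's user id rather than from anything the browser sends about its groups, a user cannot grant themselves access by editing a cookie.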

Get PHP & MySQL: The Missing Manual, 2nd Edition now with the O’Reilly learning platform.
