Access Control for Web Applications
Authentication systems aren't the only methods at your disposal for ensuring that only legitimate users can use your application—you can also use access control systems built specifically for web applications. Yes, you learned in Chapter 4 that you could use system-level access controls, but for several reasons these aren't feasible in a web application:
- It is impractical to use file ownership and permissions to control access to files and scripts that must all be readable by the web server user.
- An online application should never be allowed to create (or even expose the existence of) system-level user accounts. Besides making it difficult to scale an application across multiple servers, each additional system account is a potential agent ...
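The alternative the text points to is authorization enforced inside the application itself: users, roles and permissions live in the application's own store, every script is still served by the single web server user, and each request handler checks the caller's permission before doing any work. The following is an added example, not code from the book; the `User`, `ROLE_PERMISSIONS`, `require_permission` and handler names are hypothetical, and the sample users and articles are constructed for illustration.

```python
"""Application-level access control (added example, not from the book).

Users and permissions are stored by the application, never as operating
system accounts, and the check runs in every handler, so it works the same
on one server or many. Access is denied unless a role explicitly grants it.
"""
from dataclasses import dataclass, field
from functools import wraps

# Constructed sample policy: role -> permissions that role grants.
ROLE_PERMISSIONS = {
    "viewer": {"article:read"},
    "editor": {"article:read", "article:write"},
    "admin": {"article:read", "article:write", "user:manage"},
}


@dataclass
class User:
    """An application user; 'roles' is the only thing authorization consults."""
    username: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised when a handler is invoked without the required permission."""


def has_permission(user, permission):
    """Deny by default: anonymous callers and unknown roles grant nothing."""
    if user is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def require_permission(permission):
    """Decorator for request handlers; the check runs before the handler body."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                who = user.username if user else "anonymous"
                raise PermissionDenied(f"{who} lacks {permission}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed handlers standing in for web endpoints.
ARTICLES = {1: "Welcome"}


@require_permission("article:read")
def view_article(user, article_id):
    return ARTICLES[article_id]


@require_permission("article:write")
def edit_article(user, article_id, body):
    ARTICLES[article_id] = body
    return "saved"


@require_permission("user:manage")
def grant_role(user, target, role):
    """Role changes are themselves a protected operation."""
    target.roles.add(role)
    return sorted(target.roles)


def attempt(handler, *args):
    """Run a handler the way a web layer would: a denial becomes a 403."""
    try:
        return handler(*args)
    except PermissionDenied:
        return "403 Forbidden"


if __name__ == "__main__":
    alice = User("alice", {"viewer"})
    print(attempt(view_article, alice, 1))          # Welcome
    print(attempt(edit_article, alice, 1, "x"))     # 403 Forbidden
```

The decorator keeps the policy decision out of each handler's body, so a handler cannot forget to check, and the `None` and unknown-role branches make the default a denial rather than an accidental grant.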