I have been using PHP and Javascript for building my dad's website. He wants to incorporate a login system into his website. I have the design for the login system using PHP; my problem is how do I show buttons if the person is logged in?

For Example - You have Home, Products, About Us, and Contact. Well I want to have buttons for Dealer, Distributor, and maybe other information if the user is logged in. So I will have Home, Products, About Us, Contacts, Dealer (if dealer login), Distributor (if distributor login), and so forth.

Would Javascript be a good way to do this, or would PHP, or maybe even both? Using Javascript to show and hide buttons, and PHP to check to see which buttons to show.

+1  A: 

If you use javascript to hide the buttons, you open a security hole in the application. A malicious user could either disable javascript or apply some of their own to get around your security.

I suggest using PHP to choose to either render the buttons or not. I do this in .NET quite often.

You should be able to check the user's access on the server-side whenever they try to use a restricted button as well.

EndangeredMassa
+9  A: 

Regarding security, you cannot trust what comes from the client:

  • The visitor can see all your code (HTML and Javascript, not PHP) and try stuff
  • The visitor may not even use a browser; it's trivially easy to send a request with a script

This means hiding the buttons is good User Interface design (because you can't use them if you are not logged in). But it's not a security feature. The security feature is checking, on the server, that the visitor is logged in before each action that requires it.

If you don't intend to show the buttons, it's not useful to send the HTML and images to the browser and then hide them with Javascript. I would check with PHP.

Christian Lescuyer
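The split described in the answers above (the menu is cosmetic, the server-side check is the control), as an added example that is not part of any original answer. The role names, the `admin` role, the page paths and the function names are assumptions based on the Dealer/Distributor menu in the question.

```php
<?php
// Added example: roles, paths and function names are assumptions.
declare(strict_types=1);

// Which roles may see and use each restricted area. Public pages need no role.
const AREA_ROLES = [
    'dealer'      => ['dealer', 'admin'],
    'distributor' => ['distributor', 'admin'],
];

/** True when the role stored in the session is allowed into $area. */
function can_access(array $session, string $area): bool
{
    $role = $session['role'] ?? null;   // written only by the login handler
    return is_string($role)
        && isset(AREA_ROLES[$area])
        && in_array($role, AREA_ROLES[$area], true);
}

/** Menu rendering: restricted links are never sent to other visitors. */
function render_menu(array $session): string
{
    $items = ['Home' => '/', 'Products' => '/products.php',
              'About Us' => '/about.php', 'Contact' => '/contact.php'];
    if (can_access($session, 'dealer'))      { $items['Dealer'] = '/dealer.php'; }
    if (can_access($session, 'distributor')) { $items['Distributor'] = '/distributor.php'; }

    $html = "<ul>\n";
    foreach ($items as $label => $href) {
        $html .= sprintf("  <li><a href=\"%s\">%s</a></li>\n",
            htmlspecialchars($href, ENT_QUOTES), htmlspecialchars($label, ENT_QUOTES));
    }
    return $html . "</ul>\n";
}

/** The actual control: call at the top of every restricted page or action. */
function require_area(array $session, string $area): void
{
    if (!can_access($session, $area)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sessions, to show the menu two different visitors receive.
echo render_menu([]);                     // anonymous: the four public links
echo render_menu(['role' => 'dealer']);   // adds Dealer, not Distributor
```

A restricted page such as the assumed `/dealer.php` would start with `session_start(); require_area($_SESSION, 'dealer');`, so a request typed in by hand is refused even though the link was never shown.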
A: 

What we have done at my work is have a library that provides functions such as checking if the user is logged in. For example:

<?php
require_once 'Auth.php';
// output some html
if (isLoggedIn()) {
    echo 'html for logged in user';
}
// rest of html

For pages that only authenticated users should see, the controller checks if they are logged in and if not it redirects them to the login page.

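<?php
class CustomerController {   // class name is illustrative; the method lives in your controller
    public function viewCustomer($customerId) {
        if (!isLoggedIn()) {
            redirectToLoginPage();
            return;   // stop here so nothing below runs for an anonymous visitor
        }
        // ... load and render the customer for the logged-in user
    }
}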
grom
+4  A: 

In your menu file or w/e you put:

<?php require_once 'auth.php'; // require_once: pages that call require_login() load it too ?>
<ul>
    <li><a href="">Home</a></li>
    <li><a href="">Products</a></li>
    <?php if( loggedin() ): ?><li><a href="">Secret area</a></li><?php endif; ?>
</ul>

Then in pages that require auth just do this:

<?php
    require_once 'auth.php';   // require_once avoids redeclaring the functions if the menu loads it too
    require_login();
?>

Where auth.php may contain:

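<?php

    // $_SESSION is only populated once the session has been started
    if( session_status() === PHP_SESSION_NONE ){
        session_start();
    }

    // true when the login handler has marked this session as logged in
    function loggedin(){
        return isset( $_SESSION['loggedin'] );
    }

    // send anonymous visitors to the login page and stop the current page
    function require_login(){
        if( !loggedin() ){
            // urlencode keeps the current URL, query string included, as one parameter
            header( 'Location: /login.php?referrer='.urlencode( $_SERVER['REQUEST_URI'] ) );
            exit;
        }
    }

?>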
Akira
To sum up what was shown above: you will check to see if they are logged in, if they are, you will display the buttons/links that you only want logged in members to see.
Brad
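The `require_login()` above hands the current URL to `login.php` in a `referrer` parameter. Assuming `login.php` redirects back to that value after a successful login, it should accept only a path on the same site, because the parameter arrives from the client. An added example, not part of the original answer; `safe_return_path()` is a hypothetical helper name.

```php
<?php
// Added example, not from the original answer. safe_return_path() is a
// hypothetical helper that login.php would call before redirecting back.
declare(strict_types=1);

/** Return $candidate only if it is a path on this site, else $default. */
function safe_return_path(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Control characters have no place in a Location header value.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Accept only "/path": reject "//host" and "/\host", which browsers
    // treat as another site, and anything not starting with a slash.
    if ($candidate[0] !== '/' || preg_match('#^/[/\\\\]#', $candidate)) {
        return $default;
    }
    // Belt and braces: the parsed URL must carry no scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// In login.php, after the password check succeeds (sketch of the call site):
//   session_regenerate_id(true);      // new session id for the logged-in user
//   $_SESSION['loggedin'] = true;
//   header('Location: ' . safe_return_path($_GET['referrer'] ?? null));
//   exit;

// Constructed inputs showing what is kept and what falls back to "/".
$samples = [
    '/dealer.php?id=7',
    'https://other.example/',
    '//other.example/login',
    '/\\other.example',
    "/ok\r\nX-Injected: 1",
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), safe_return_path($s));
}
```

Only the first constructed input is returned unchanged; the other four fall back to `/`.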
A: 

Everything that Christian Lescuyer wrote is correct. Notice, however, that he said "I would" and not "you should". The choice is not that easy.

First of all, security is not an issue in the choice. You should have a security check on the server when you execute an action. Which code decides to show/hide the button that leads to the action is irrelevant.

That leaves us with only one drawback of doing show/hide logic in Javascript - the HTML sent to user is bigger than necessary. This may not be a big deal.

Having show/hide logic in PHP does have a minus, though. The PHP code required is usually a tag soup. Akira's code provides a good example of how it is usually done.

Corresponding Javascript code would probably look something like this:

// logged() and elementSecretArea stand for your own login-state check and DOM element
if (logged()) {
    elementSecretArea.style.display = "list-item";
}

(assuming that elements that could be hidden have display:none by default).

This style also allows a nice "Ajax" scenario: the user sees a page w/o the secret area, inputs a password, and sees the secret area, all without refreshing the page.

So, if you already have a script that runs when your document loads for other reasons, I would seriously consider having show/hide logic there.

buti-oxa
A: 

Basically where you have your menu in html, say as a list <ul> <li>Home</li> </ul> you add php after </li> of the last item:

<?php
  if($session->logged_in) {
?>

<li>My Account</li>

<?php  
  }
?>
A: 

I am in a lot of trouble, because I don't know about PHP and its database. I am operating http://www.moneyinhands.com but I want users to be able to register and log in to my website with PHP and its database. I am very interested in learning about PHP and its database; if you are good at PHP and its database, please advise and help me build a better website for my users in India. If you want to charge any amount I will pay you; just give me ideas and support so I can build a website with login systems in PHP. I am waiting for your reply...

sanjay