I am currently wondering how a centralized page authenticator could be achieved. Can anyone suggest a neat algorithm for me? What I intend to achieve is to make my backend administrator pages session protected without writing a piece of session checking code to each of my pages that I want protected. I currently do something like this:

login page -> if right credentials : set session -> if view protected page without session : reject else : permit

Any best practices (or a better method) on/than this?

+1  A: 

I would not so much want to suggest an algorithm, but a library/framework instead.

If your application has a single entry point, that is the place to call your session management library/framework. For example with the Zend Framework you can initiate your session in the bootstrap. The only thing left is to authenticate a session in the login controller.

Peter Smit
A: 

If you're architecting a PHP app that has multiple entry points you will go crazy trying to copy and paste all this code. Look into using a real MVC framework.

I use Zend_Controller to route my pageviews in situations like this.

Once you architect your app in that way, it becomes simple to add some code to the preDispatch() method of your restricted controllers to do authentication and redirect to a login page if it is not found or is invalid.

Pax
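
The central check both answers describe (a single entry point, with authentication decided before any page code runs), as an added plain-PHP example that is not from either answer and does not use Zend Framework. The route names, the `pages/` directory outside the web root, the `page` query parameter and the `user_id` session key are assumptions.

```php
<?php
declare(strict_types=1);
// index.php: the single entry point; the web server sends every request here.
// Added example: route names, pages/ layout and the 'user_id' key are assumptions.

// Allow-list of routes. Page scripts live outside the web root, so they
// cannot be requested directly and bypass the check below.
const ROUTES = [
    'login'     => ['file' => 'login.php',     'public' => true],
    'dashboard' => ['file' => 'dashboard.php', 'public' => false],
    'users'     => ['file' => 'users.php',     'public' => false],
];

/** Returns 'allow', 'login' or 'not_found' for a route and a session array. */
function authorize(string $route, array $session): string
{
    if (!array_key_exists($route, ROUTES)) {
        return 'not_found';
    }
    // Deny by default: only routes explicitly marked public skip the session check.
    if (ROUTES[$route]['public'] === true || isset($session['user_id'])) {
        return 'allow';
    }
    return 'login';
}

/** Called by the login page after it has verified the credentials. */
function establish_session(int $userId): void
{
    session_regenerate_id(true); // fresh session id at login, so a pre-set id is useless
    $_SESSION['user_id'] = $userId;
}

// Guard so the functions above can be included from a CLI test without dispatching.
if (PHP_SAPI !== 'cli') {
    session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);
    $page  = $_GET['page'] ?? 'dashboard';
    $route = is_string($page) ? $page : ''; // ?page[]=x must not reach the lookup
    switch (authorize($route, $_SESSION)) {
        case 'allow':
            require __DIR__ . '/../pages/' . ROUTES[$route]['file'];
            break;
        case 'login':
            header('Location: /index.php?page=login', true, 302);
            exit;
        default:
            http_response_code(404);
    }
}
```

Because a route is protected unless it is marked public, a newly added admin page is covered without any per-page code. `cookie_secure` assumes the backend is served over HTTPS.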