Specifications

Protecting Multiple Pages
Making a script like this protect more than one page is a little harder. Because HTTP is stateless, there is no automatic link or association between subsequent requests from the same person. This makes it harder to have data, such as authentication information that a user has entered, carry across from page to page.

The easiest way to protect multiple pages is to use the access control mechanisms provided by your Web server. We will look at these shortly.

To create this functionality ourselves, we could include parts of the script shown in Listing 14.1 in every page that we want to protect. Using auto_prepend_file and auto_append_file, we can automatically prepend and append the code required to every file in particular directories. The use of these directives was discussed in Chapter 5, Reusing Code and Writing Functions.

If we use this approach, what happens when our visitors go to multiple pages within our site? It would not be acceptable to require them to re-enter their names and passwords for every page they want to view.

We could append the details they entered to every hyperlink on the page. As users might have spaces, or other characters that are not allowed in URLs, we should use the function urlencode() to safely encode these characters.
There would still be a few problems with this approach though. Because the data would be included in Web pages sent to the user, and in the URLs they visit, the protected pages they visit will be visible to anybody who uses the same computer and steps back through cached pages or looks at the browser's history list. Because we are sending the password back and forth to the browser with every page requested or delivered, this sensitive information is being transmitted more often than necessary.

There are two good ways to tackle these problems: HTTP basic authentication and sessions. Basic authentication overcomes the caching problem, but the browser still sends the password to the server with every request. Session control overcomes both of these problems. We will look at HTTP basic authentication now, and examine session control in Chapter 20, Using Session Control in PHP, and in more detail in Chapter 24, Building User Authentication and Personalization.
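The following file is an added example, not code from the book, showing how the two ideas above fit together: a single check placed in front of every page in a directory with auto_prepend_file, using HTTP basic authentication so that no credentials ever appear in a URL or a cached page. It assumes PHP 5.5 or later (for password_hash() and password_verify()); the realm, the user name, the password and the file path are constructed sample values.

```php
<?php
// auth_prepend.php: added example (not from the book) of protecting every page
// in a directory with HTTP basic authentication, loaded through auto_prepend_file.
// Assumes PHP 5.5+; realm, user name, password and path below are constructed.
//
// Enable it for one directory in .htaccess (Apache with mod_php):
//   php_value auto_prepend_file /var/www/private/auth_prepend.php
// or for the whole server in php.ini:
//   auto_prepend_file = /var/www/private/auth_prepend.php

$realm = 'Members Only';

// Constructed credential store: user name => password hash. In a real site this
// comes from a database, and only the hash is ever stored, never the password.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

// Ask the browser for credentials and stop; the browser shows its login box and
// then re-sends the same Authorization header with every later request.
function request_credentials($realm)
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You need a valid user name and password to view this page.';
    exit;
}

// Return array(user, password) from the request, or null if none was sent.
function get_basic_credentials()
{
    // Under mod_php, PHP fills these two variables in for us.
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return array($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    }
    // Under CGI/FastCGI only the raw header may be available (and only if the
    // server passes it through), so decode "Basic base64(user:password)" by hand.
    $header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// Check the supplied password against the stored hash for that user.
function credentials_are_valid($users, $name, $password)
{
    // Always run password_verify(), even for an unknown user, so that the
    // response time does not reveal which user names exist.
    $known = isset($users[$name]);
    $hash  = $known ? $users[$name] : password_hash('placeholder', PASSWORD_DEFAULT);
    $ok    = password_verify($password, $hash);
    return $known && $ok;
}

$creds = get_basic_credentials();
if ($creds === null || !credentials_are_valid($users, $creds[0], $creds[1])) {
    request_credentials($realm);
}
// Execution reaches this point only for an authenticated user; the page that
// PHP was actually asked for is output after this prepended file.
```

Because the browser repeats the credentials on every request, as the text notes, this scheme only keeps the password private when the pages are served over HTTPS; the check itself never writes the password anywhere, so it does not reappear in cached pages or the history list.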
Basic Authentication
Fortunately, authenticating users is a common task, so there are authentication facilities built in to HTTP. Scripts or Web servers can request authentication from a Web browser. The Web
E-commerce and Security, Part III, page 312