
I'm building a site that has one authentication system for both general users and administrative users (using CodeIgniter and Tank Auth, for anyone interested). They are differentiated based on profile credentials. (Is this a secure approach?)

My question is, when a user accesses an area they do not have the credentials to view, what PHP functionality should I use to restrict access? My thoughts are either a 'redirect' or 'exit' function. What is the most secure approach?

Eric Di Bari

2 Answers


Use both:

header("Location: http://your_login_page");
exit();

exit() will ensure that the remainder of the script does not get processed, and header() will send the user to a useful location. ("Idle hands are the devil's workshop...")

George Cummins
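As an added illustration of this answer (example code, not from the answer or from Tank Auth), here is a small plain-PHP guard that shows why the `Location` header and `exit()` belong together. The helper name `require_role()` and the `$_SESSION['role']` key are assumptions for the example; your login handler would set whatever you actually use.

```php
<?php
// Added example (not from the original answers): a minimal access guard in
// plain PHP showing why the redirect header and exit() belong together.
// Names (require_role, $_SESSION['role']) are assumed for illustration.

declare(strict_types=1);

session_start();

/**
 * Deny access unless the current session carries one of the allowed roles.
 * Sends the browser to the login page and stops the script, so the code
 * after the call never runs for an unauthorised user.
 */
function require_role(array $allowed_roles, string $login_url): void
{
    $role = $_SESSION['role'] ?? null;      // set by your login handler
    if ($role !== null && in_array($role, $allowed_roles, true)) {
        return;                              // authorised: continue normally
    }
    // 303 makes the browser follow with a GET whatever the original method was.
    header('Location: ' . $login_url, true, 303);
    exit();
}

// --- page body ---------------------------------------------------------------
require_role(['admin'], '/login');

// Without the exit() in require_role(), this output would still be generated
// and sent in the same response as the Location header. A client that does
// not follow redirects (curl -i, for instance) would read it, so the header
// alone is not access control; the exit() is what actually stops the leak.
echo "Admin-only report\n";
```

To check a page that uses this pattern, request it without a session while telling the client not to follow redirects (for example `curl -i` against the URL): the response should carry the `303` status and `Location` header and an empty body, never the protected content.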

Well, I think that Tank Auth should be handling it already, isn't it? (I've never used that library; Ion Auth does it and I assumed it is a must-have for an authentication system.) Usually, in plain PHP, you might want to do a

header("Location: your/url");
exit();

when redirecting after checking for the logged-in status (via $_SESSION, $_SESSION + cookies, for example). exit() prevents the script from going on in case the header fails, thus displaying unwanted code.

CodeIgniter has its built-in redirect system, the redirect() function (check the User Manual). You can use it like:

if ($logged_in == FALSE)
{
     redirect('/login/form/', 'refresh');
}

or using 'location' instead of 'refresh', which allows you to set a header response to send to the server:

// with 301 redirect
redirect('/article/13', 'location', 301);

But I believe Tank Auth has its own methods that are enough for your application, have you checked that already?

Damien Pirsy
  • Tank Auth doesn't seem to handle user roles. I could add something to the user profile data, but I still need to manually test the user's credentials and block/allow access appropriately. – Eric Di Bari Jun 13 '11 at 17:21
  • @Eric Di Bari check Ion Auth maybe, it has those features. Whatever you choose, you can use CI's native redirect function to help you with this. Remember to check for the credentials in the controllers' constructors if you want to extend the ACL to the whole 'page' and all its methods – Damien Pirsy Jun 13 '11 at 17:23
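Putting the comment's advice into a concrete shape, as an added example that is not from the thread, Tank Auth or CodeIgniter: a CodeIgniter 2.x controller that performs the check once, in the constructor, so every public method is covered without repeating the test. It assumes Tank Auth is available as `$this->tank_auth` (its `is_logged_in()` method is real), that the CI session library is loaded, and that your login code stores a `role` value in the session, since Tank Auth itself has no roles. The login route `/auth/login/` is Tank Auth's default controller and method.

```php
<?php
// Added example (not from Tank Auth or the original answers): a CodeIgniter 2.x
// controller that enforces the access check in the constructor. Assumed:
// Tank Auth loaded as $this->tank_auth, CI session library loaded, and a
// 'role' value stored in the session at login (Tank Auth has no roles).

class Admin extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('tank_auth');
        $this->load->helper('url');

        // Not logged in at all: send to the login form. CI's redirect()
        // sends the Location header and calls exit itself, so nothing
        // below runs for an anonymous request.
        if (!$this->tank_auth->is_logged_in()) {
            redirect('/auth/login/');
        }

        // Logged in but not an administrator: the user is already
        // authenticated, so a redirect to login would loop. Refuse with a
        // 403 instead; show_error() renders the page and stops the script.
        if ($this->session->userdata('role') !== 'admin') {
            show_error('You are not allowed to view this page.', 403);
        }
    }

    // Every method below runs only after the constructor's checks passed,
    // so adding a new method cannot accidentally skip the role test.
    public function index()
    {
        $this->load->view('admin/dashboard');
    }

    public function users()
    {
        $this->load->view('admin/users');
    }
}
```

The constructor is the right place because CodeIgniter instantiates the controller before dispatching to the requested method; a check in `index()` alone would leave `users()` unprotected. Keep the role value server-side in the session rather than in a client-controlled cookie or request parameter, otherwise the test in the constructor is trivially bypassed.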