How does website access control work?

I'm just starting to learn about web development, and something about how a website controls what you can and cannot access bothers me a bit.

For example, a site like Facebook. When I first go to the site, it presents a login form; after I am signed in, the same page that I tried to access shows information related to me that I can only access after logging in to the system. I can go to another site and then go back to Google, and it still allows me to use it without logging in again.

How exactly does a site block someone who is not logged in from accessing a specific page, say the viewProfile.php page? How does a website know whom to allow access to this page?

I understand that this question may seem confusing and elementary, but it's just what came to me when browsing Facebook.

Thanks.

+4
5 answers

This is a very simple concept called sessions.

When you visit Facebook, it reads unique information sent to it through the connection, such as the IP address, the browser and some other secondary information; when this information is combined, a unique identifier is created.

This unique identifier is then stored in a file, as follows:

  d131dd02c5e6eec4693d9a0698aff95c.session 

Then, when you log in with your credentials, the application adds information to this file, such as the last activity, etc.

When you leave and return, Facebook reads the information sent with each request, adds it all together and creates a unique hash; if this hash exists in its storage system, it opens it, reads the contents and knows exactly who you are.

All this is combined with cookies: the unique hash is sent back to the browser and stored in the cookie folder, and this cookie is sent back to Facebook with each request.

PHP handles this internally for you, so you can just start a session and use it: http://php.net/manual/en/features.sessions.php

Here is an example that can help you understand the concept a little more.

    <?php
    /*
     * session_start() generates that hash and sends a cookie to the browser.
     * This has to come first, as cookie information can only be sent before any content.
     */
    session_start();

    /*
     * Anything stored within $_SESSION is what has been read from the session file.
     * We check whether the counter has already been set, i.e. whether this is
     * the first time the user visited the site.
     */
    if (!isset($_SESSION['hits'])) {
        $_SESSION['hits'] = 0;
    }

    /*
     * Now we increment the value every time the page is loaded.
     */
    $_SESSION['hits']++;

    /*
     * Now we display how many times the user has loaded the page.
     */
    echo 'You have visited this site <strong>' . $_SESSION['hits'] . '</strong> times.';
    ?>

If you load this page and then press F5, the session value increases with each request, so you see something like:

  • You have visited this site 1 times.
  • You have visited this site 2 times.
  • You have visited this site 3 times.
  • You have visited this site 4 times.
  • ...

The session file is unique for each person who visits, which means that when you use a session variable in PHP it belongs only to that user, so everyone gets their own session.

As you research, use StackOverflow's search for specific tags such as PHP and session:

https://stackoverflow.com/questions/tagged/php+session

Here is a good question regarding the benefits of cookies and sessions, etc.

Assigning PHP Sessions and Cookies and Their Differences

+6

A website uses something called a cookie to store information on your computer.

This information can contain any text string, but in this case it is probably a unique identifier that Facebook knows (possibly from somewhere in the database) is associated with a specific user. Cookies can only be read by the website that sent them, and only through the browser itself.

The login page sends a POST/GET request to a script, which usually checks whether the username and password match the data in the database. If the data is valid, the user is granted access to the website's landing page (the page after logging in) and a cookie is saved. If not, they are sent back with an error message.

Cookies can also have a "lifespan". This life span can be any: for a certain number of seconds; until you leave the site; until you close your browser; or forever (maybe more.)

The website that sent the cookie may also delete the cookie before it expires. This is how logout buttons work.

+1
  • To allow only registered users to view content, you can first check for a sign that they are logged in, for example by looking for an active session with a flag (which you control) that tells you they are logged in. In PHP, at the top of the page, you can simply do:

     <?php
     session_start();
     if (!isset($_SESSION['loggedin'])) {
         header('Location: http://example.com/login.php');
         exit; // stop here: without exit the protected page is still sent after the redirect header
     }
     ?>

    which will redirect users who are not logged in to the login page. Upon successful login, you must set the $_SESSION['loggedin'] value.

  • To check whether a logged-in user is allowed to view a specific profile, you can see whether the page is limited to friends only, and if so, check in the database that the logged-in user's ID belongs to a friend of the profile owner.

+1
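The answers above describe the pieces separately: a server-side session record keyed by an unguessable id, a cookie that carries only that id, a logged-in check before the protected page, a friend check before a profile, and a logout that invalidates the server-side record. The following is an added example (not code from any of the answers) that puts those pieces together as plain Python functions, with the HTTP layer left out; the user table, passwords, session TTL and friend lists are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table standing in for the database the answers mention.
def pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 50_000)

USERS = {
    "alice": {"pw": pw_hash("alice-pass"), "friends": {"bob"}},
    "bob":   {"pw": pw_hash("bob-pass"),   "friends": {"alice"}},
    "carol": {"pw": pw_hash("carol-pass"), "friends": set()},
}
SESSION_TTL = 3600   # seconds of inactivity before a session is discarded
SESSIONS = {}        # server-side store: session id -> {"user", "last_activity"}

def login(username, password):
    """Check credentials; return the opaque session id the cookie would carry, or None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], pw_hash(password)):
        return None
    sid = secrets.token_hex(32)   # 256 random bits: the id itself must be unguessable
    SESSIONS[sid] = {"user": username, "last_activity": time.time()}
    return sid

def current_user(cookie_sid, now=None):
    """Map the cookie value back to a user, as session_start() does with its file."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return None
    if now - sess["last_activity"] > SESSION_TTL:
        del SESSIONS[cookie_sid]  # expired: drop it instead of trusting it
        return None
    sess["last_activity"] = now
    return sess["user"]

def view_profile(cookie_sid, owner):
    """viewProfile.php logic: authenticate first, then authorize (owner or friend)."""
    viewer = current_user(cookie_sid)
    if viewer is None:
        return "302 redirect to login.php"
    if viewer != owner and viewer not in USERS.get(owner, {}).get("friends", ()):
        return "403 forbidden"  # not a friend, or no such profile
    return f"200 profile of {owner} shown to {viewer}"

def logout(cookie_sid):
    """Delete the server-side entry so a cookie the browser still holds is useless."""
    SESSIONS.pop(cookie_sid, None)
```

Every request pays only a dictionary lookup on the cookie value; the password is checked once at login, and after logout the same cookie value is rejected because nothing on the server refers to it any more.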

Do a Google search for "Session Management."

Summary

When you visit the site, you get a unique identifier. This identifier retrieves your data from the database, and a dynamic page such as viewProfile.php is then populated with your data. Therefore, each user pulls up the same viewProfile.php file but gets different results based on their unique identifier.

0

This is done using cookies. When you log in, the site places a cookie in your browser for a certain amount of time (usually a very long time, so you can stay logged in). When you re-access the site, your browser sends the cookie back to the site (and the site sets a new cookie). In any browser, you can find the list of cookies somewhere in the settings.

If you want to know more about cookies, you can read wikipedia: http://en.wikipedia.org/wiki/HTTP_cookie

0

Source: https://habr.com/ru/post/1347404/
