Common Page Code
There is some code that needs to be in each of the secured web pages. I have made it as copy-and-paste friendly as possible, since I know that if it required modification on each page I would be likely to forget to edit the code on at least one of them. The header should look like this:

To start with, I make sure every page has a META tag that identifies the content as charset=utf-8, so that other languages are supported.
To make the code generic I use PHP to pull the site directory out of the SystemComponent class. The script name is parsed out of the $_SERVER['PHP_SELF'] superglobal, and the server name is taken from $_SERVER['SERVER_NAME']; these parts are combined into a complete URL for the currently executing script. This URL lets the frameset be loaded properly, breaking out of any other frameset that may contain the page while keeping the current page as the one loaded into the Main frame of the frameset. If you are not logged in, or your browser does not support sessionStorage, you are redirected to the login.php page.
Next, right at the start of the page body, there is a script that detects whether the page was requested with the correct POST variables. There is no point in submitting authentication credentials to the Authenticate class if they do not exist.
The script attempts to recover when the page was loaded without its POST variables, which happens when a user hits refresh or reload on the frameset, or reaches the page outside of the frameset (via a bookmark, for example). It detects whether the password still exists in the hidden frame (likely only if the sessionStorage object exists) and then resubmits the page with the proper authentication credentials. A delay is required to give the code in the hidden frame time to pull the password back out of sessionStorage.
The exit; PHP command at the end of this PHP code stops PHP from generating the rest of the page until the problem of the missing POST variables is corrected.
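As an added example (not the page's own code), the following PHP reproduces the preamble described above: it builds the absolute URL of the current script from $_SERVER, emits the UTF-8 META tag and the frameset-breakout script, and then, at the start of the body, refuses to generate the rest of the page unless the credential POST fields are present. The SITE_DIR constant stands in for the value the page pulls from its SystemComponent class, the field names UserName and Password, the frame names Main and Hidden, the frameset.php file with its page parameter, and the hidden frame's hasPassword() and resubmit() functions are all assumptions made for this illustration.

```php
<?php
// Added example, not the original page's code. Runs on PHP 7.4 or later.
declare(strict_types=1);

const SITE_DIR = '/secured/';   // assumption: the site directory normally read from SystemComponent

// Build "https://host/secured/page.php" from the request environment.
function currentScriptUrl(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['SERVER_NAME'];
    $script = basename($server['PHP_SELF']);   // keep only the file name of the running script
    return $scheme . '://' . $host . SITE_DIR . $script;
}

// True only when both credential fields arrived via POST as non-empty strings.
function hasCredentials(array $post): bool
{
    return isset($post['UserName'], $post['Password'])
        && is_string($post['UserName']) && $post['UserName'] !== ''
        && is_string($post['Password']) && $post['Password'] !== '';
}

$pageUrl = currentScriptUrl($_SERVER);
$jsUrl   = json_encode($pageUrl);   // safe string literal for use inside inline JavaScript
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script>
// If this page is not running as the Main frame of the site's own frameset
// (loaded from a bookmark, or wrapped by a foreign frameset), reload the site
// frameset at the top window with this page as its Main content. Without
// sessionStorage the resubmit trick cannot work, so go to login.php instead.
(function () {
    var page = <?php echo $jsUrl; ?>;
    if (!window.sessionStorage) {
        top.location.href = "login.php";
    } else if (window.top === window.self || window.name !== "Main") {
        top.location.href = "frameset.php?page=" + encodeURIComponent(page);
    }
})();
</script>
</head>
<body>
<?php
if (!hasCredentials($_POST)) {
    // Recovery path: the hidden frame re-reads the password from sessionStorage
    // and re-POSTs it to this page. Wait briefly so that frame has finished loading.
    ?>
<script>
setTimeout(function () {
    var hidden = parent.frames["Hidden"];
    if (hidden && typeof hidden.hasPassword === "function" && hidden.hasPassword()) {
        hidden.resubmit(<?php echo $jsUrl; ?>);   // assumed helper in the hidden frame
    } else {
        top.location.href = "login.php";
    }
}, 500);
</script>
<?php
    exit;   // nothing below this line is generated until the POST variables exist
}
```

The hasCredentials() check insists on non-empty strings rather than mere presence of the keys, so a form submitted with blank fields takes the same recovery-or-login path as a missing POST, and the inline JavaScript receives the URL through json_encode() so that the value can never break out of the script literal.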
Once the POST variables exist the next step is to authenticate.
Here you can see that, since the UserName is returned on success, I could also easily restrict page access based on UserName. In this case I simply display the UserName of the authenticated user. An authentication failure redirects the browser to login.php and, once again, exits to prevent PHP from creating the rest of the page.
Up until this point in the page no displayable content has been sent, other than after a successful login. This is important, since PHP cannot change the HTTP headers (to redirect to login.php) once content has already been sent.
An authorization module would be placed along with, or just after, the authentication module in the page access processing. This class would take the authenticated UserName and the access level of the page and look up the user to see whether they have the required access level. This step could be as simple or as complex as required: simple admin, editor, or user access level restrictions, for example, or the module could be extended to support groups, groups of groups, inheritance, and so on.
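The authentication and authorization steps above, as an added example that is not the page's own Authenticate class: a minimal Authenticate that returns the UserName on success and null on failure, an Authorize class implementing the simple admin/editor/user levels mentioned in the text, and a redirect helper that honours the point about headers. The user table is constructed in memory here (a real page would query a database), the PAGE_ACCESS_LEVEL constant, the field name Password and the class and method names are assumptions, and the block assumes it runs before any HTML has been emitted.

```php
<?php
// Added example, not the original page's code. Runs on PHP 7.4 or later.
declare(strict_types=1);

const PAGE_ACCESS_LEVEL = 'editor';   // assumption: the level this page requires

final class Authenticate
{
    private array $users;      // UserName => ['hash' => password_hash(...), 'level' => ...]
    private string $dummyHash; // verified against for unknown users so timing looks alike

    public function __construct(array $users)
    {
        $this->users     = $users;
        $this->dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }

    // Returns the UserName on success, null on any failure.
    public function check(string $userName, string $password): ?string
    {
        $record  = $this->users[$userName] ?? null;
        $hash    = $record['hash'] ?? $this->dummyHash;
        $matches = password_verify($password, $hash);
        return ($matches && $record !== null) ? $userName : null;
    }
}

final class Authorize
{
    private const RANK = ['user' => 1, 'editor' => 2, 'admin' => 3];
    private array $levels;   // UserName => level name

    public function __construct(array $levels)
    {
        $this->levels = $levels;
    }

    // A user may open a page when their level ranks at or above the page's level.
    public function allows(string $userName, string $required): bool
    {
        $have = self::RANK[$this->levels[$userName] ?? ''] ?? 0;
        $need = self::RANK[$required] ?? PHP_INT_MAX;   // unknown page level denies everyone
        return $have >= $need;
    }
}

// Redirect with an HTTP header while that is still possible; once output has
// started PHP cannot change the headers, so fall back to a script redirect.
function redirectTo(string $url): void
{
    if (!headers_sent()) {
        header('Location: ' . $url, true, 303);
    } else {
        echo '<script>top.location.href=' . json_encode($url) . ';</script>';
    }
    exit;   // never generate the rest of the page for an unauthenticated request
}

// Constructed sample users; hashes are computed here only to keep the example self-contained.
$sampleUsers = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'level' => 'admin'],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'level' => 'user'],
];

$auth     = new Authenticate($sampleUsers);
$userName = $auth->check(
    (string) ($_POST['UserName'] ?? ''),
    (string) ($_POST['Password'] ?? '')
);
if ($userName === null) {
    redirectTo('login.php');
}

$authz = new Authorize(array_map(static fn(array $u): string => $u['level'], $sampleUsers));
if (!$authz->allows($userName, PAGE_ACCESS_LEVEL)) {
    http_response_code(403);   // authenticated but not entitled to this page
    exit('Access denied');
}

// Only now is anything displayable emitted.
echo 'Logged in as ' . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
```

With the sample table, a POST of alice's credentials passes both checks on an editor-level page, bob authenticates but is stopped by Authorize with a 403, and any other name or password is sent to login.php before a byte of page content is produced; the RANK table is the place to grow the scheme into groups or inheritance later.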