question on login permission methods

[deuce868]

I have a login system that grants users permissions in a second tied table with two fields (userName and permLevel). Of course this leads to multiple records per user for each permission they have...for instance

rharding: has the following
ResearchAdmin, PsychAppReview, PsychEvalUser

Now my question is the "best practice" for managing this. I have two ways I guess. First is to create an array of permission levels the user has when they log in (stored in session var) that I then check on each page using a simple in_array() for whatever I am looking for. The second option is to only store the username in the session and on each page perform a query for the permissions level.

Now I am working in a small enough environment that performing an extra query on each page is not going to be a big deal. I am just more curious from a "best" practice perspective which method is considered the better way to handle this? Would the extra queries generated be worthwhile in any security sense?

Thanks for the input. I appreciate you all taking the time to take a look at this.

[frezno]

I don't know whether it's the best way, but I've stored it in the session variable and depending on the module where access should be permittet it is checked, whether a login is required and if so whether the permission level is high enough.

[Vadim]

I have purchased a book Kevin Y. DB Driven Website.
At the begining everything was clear,
but chapter 10 is writen too hurriedly !!!
It is no STEP-BY-STEP way :-(
Jast a litle explanation... :-(

For example when i try generateindex.php I get the message:

Warning: fopen(tempindex.html) [function.fopen]: failed to open stream: Permission denied in c:\Inetpub\wwwroot\Jokes\chapter10\TMP2t9awa88ad.php on line 48

Unable to open temporary file (tempindex.html) for writing. Static page update aborted!

I checked permission for folder chapter10 - everything is permited.

I dont know what to do :-(((

Please help me !
Thanks
-Vadim

[cranial-bore]

Well it's probably not applicable much in your situation, but if you wanted to revoke someone from having access to a particular item, and you were using sessions they would continue to have access until they left the site and their session died.

If you're getting the permission info from a query on every page (with an included file of course) they will loose access immediately.

Personally I have a script (secure.php) which I include at the top of all my relevant pages that generates all the relevant authentication info.