On the CMSs such as XOOPs and what not, the membership area is protected in different Groups. Does anyone know the method that is used to protect those areas. I don't believe that it is HTACCESS, because HTACCESS is only used with a folder. Do you establish a embedded php page or an HTML page, use includes and protect it with php code? Also, what is the normal mode that you tell how many members are on line. Is this through the Authentication Code? Or through the MySQL access?

Use your database to track and store info (phpsessionId for isntance to track members).

I use permisions for my members.

A super user has permissions of 500 while a normal user has permissions of 100.

If a folder is allowed for anyone then check the user permisiosn and see if they are >= 100
If iuts a super user folder then permisions must = 500 or throw an access error.

htaccess could do it but you would need to let many many people know the htpassword to access that folder which undoubtably would get exploited.

You could tag your users upon login or even on every page hit (and untag them again after a set period of inactivity).

This way you get to see whose active and whose not. Ive never been one for letting people know who and how many people are on so I have never realy made any efforts to collect and store such info. Though if I was to do it I would probably go for the idea above.

Ibbo

Thankyou very much for that answer. Here is the problem I am running into with HTACESS or the folder protection of your sessions idea with my application. Maybe you have a solution. I have a database with my content in it. Some of the content is protected ie) surfers do not get all of the fields, just part of the fields. I want to set up a Query that allows the Members to get all fields, leaving the surfers with unsecured fields. To my knowledge, there is no way that the db information can be shared by files inside a folder and files outside of the folder because of the path requirements. When you talk about permissions, you are not talking about folder permissions, right? ie) rw-r-r-rw or 777 I believe with php you can create a piece of code that protects a single file? Is this true?

Well for the member VS surfer access.

Your member must be logged on for this to work.

SO
if ($_SESSION['member']){
// we have a logged on users.
$sql = select * from whatever";
} else{
$sql = "select field1, field2, etc from whatever";
}

That will sort out who gets what content. (providing on a login you assign you user details to the session.

When I talk of permisions I am talkinga bout DB related permisions. Not DB access permision.

I.E

create table user (
id in not null auto incremant,
name varchar(50),
email varchar(50),
password varchar(32),
privs int,
primary_key(id)
);

The privs field here is what I am refering to. Once your member logs in you pass your result into the session.

SO

$row = mysql_fetch_row($result);
$_SESSION['member'] = $row;

Now they are in the session and you can access privs anywhere.

SO

if ($_SESSION['member']['privs'] >= 100) will return true for logged in members and you can then dish out member content.

Dont ever set any file permissions to 777 or you will find yourself exploited and will have to spend a day or so sorting out all the extra content on your website.

Ibbo