Authentication & Authorization
Understanding the authentication and authorization system
User Types
- Users: Client accounts (stored in the users table)
- Staff: Admin/staff accounts (stored in the staff table)
Authentication Flow
- User submits login credentials
- System verifies the password using password_verify()
- System creates a PHP session
- System stores user ID and role in session
- System updates last login timestamp
Session Management
// Check if logged in
$auth = new Auth();
if ($auth->isLoggedIn()) {
$userId = $auth->getUserId();
$user = $auth->getUser();
}
// Check user type
if ($auth->isClient()) {
// Client access
}
if ($auth->isStaff()) {
// Staff access
}
Authorization
// Require staff access
requireStaffAccess('clients');
// Check permissions
$permissionManager = new PermissionManager();
if ($permissionManager->hasAccess($staffId, 'clients', 'edit')) {
// Allow edit
}
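The following is an added example, not the project's own code, showing one way requireStaffAccess() and PermissionManager::hasAccess() could be built on top of the session described above. It assumes PHP 8, a PDO connection passed in as $db (the project's own requireStaffAccess() takes only the module name), a staff_permissions table with staff_id, module and action columns, and the session keys user_id and role; all of these are assumptions.

```php
<?php
// Added example (not the project's own code): deny-by-default permission
// checks driven by an assumed staff_permissions(staff_id, module, action) table.
declare(strict_types=1);

final class PermissionManager
{
    public function __construct(private PDO $db) {}

    // Returns true only if an explicit grant row exists: no row means no access.
    public function hasAccess(int $staffId, string $module, string $action): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM staff_permissions
              WHERE staff_id = :sid AND module = :m AND action = :a
              LIMIT 1'
        );
        $stmt->execute([':sid' => $staffId, ':m' => $module, ':a' => $action]);
        return $stmt->fetchColumn() !== false;
    }
}

// Stops the request unless the caller is a logged-in staff member who holds
// the given permission. Returns the staff id for use by the page.
function requireStaffAccess(PDO $db, string $module, string $action = 'view'): int
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // Identity and role come from the server-side session only, never from
    // request parameters the client controls.
    $staffId = $_SESSION['user_id'] ?? null;
    $role    = $_SESSION['role'] ?? null;

    if ($staffId === null) {
        // Not authenticated at all: send to the login page.
        header('Location: /login.php', true, 302);
        exit;
    }
    if ($role !== 'staff' || !is_int($staffId)
        || !(new PermissionManager($db))->hasAccess($staffId, $module, $action)) {
        // Authenticated but not allowed: refuse rather than redirect.
        http_response_code(403);
        exit('Forbidden');
    }
    return $staffId;
}

// Usage on a staff-only page (assumes $db is a connected PDO instance):
// $staffId = requireStaffAccess($db, 'clients', 'edit');
```

The check fails closed: any missing session key, wrong role, or absent grant row results in a 403, so a new module or action is inaccessible until a permission row is explicitly added.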
Password Security
// Hash password
$hash = password_hash($password, PASSWORD_DEFAULT);
// Verify password
if (password_verify($password, $hash)) {
// Password correct
}
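As an added example that is not the project's own code, here is the login flow from the Authentication Flow section carried through end to end, together with the password_hash()/password_verify() usage from this section. It assumes a PDO connection $db and a users table with id, email, password_hash and last_login_at columns; the column names, the session keys and the cookie settings are assumptions.

```php
<?php
// Added example (not the project's own code): credential check, session
// creation and last-login update for a client account.
declare(strict_types=1);

// Returns true on success; on success the session now carries user_id and role.
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even when the email is unknown, so the
    // response time does not reveal whether an account exists. The dummy
    // hash is computed once per process.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $storedHash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $storedHash) && $row !== false;
    if (!$ok) {
        return false;
    }
    $userId = (int) $row['id'];

    // Upgrade hashes created with an older algorithm or cost, while the
    // plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
    }

    // A fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = 'client';

    $db->prepare('UPDATE users SET last_login_at = :t WHERE id = :id')
       ->execute([':t' => date('Y-m-d H:i:s'), ':id' => $userId]);
    return true;
}

// Usage (assumes $db is a connected PDO instance): configure the session
// cookie before starting the session, then handle the posted credentials.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POSTs
]);
session_start();

$email    = (string) ($_POST['email'] ?? '');
$password = (string) ($_POST['password'] ?? '');
if (login($db, $email, $password)) {
    header('Location: /dashboard.php', true, 302);
    exit;
}
// Same generic message for unknown email and wrong password.
http_response_code(401);
echo 'Invalid email or password.';
```

Two details matter beyond the four listed steps: the verify call runs even for unknown emails so timing does not leak account existence, and the session id is regenerated at the moment the session gains a logged-in identity.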
CSRF Protection
All forms should include CSRF tokens:
// Generate token
$csrfToken = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $csrfToken;
// In form
<input type="hidden" name="csrf_token" value="<?= $csrfToken ?>">
// Verify on submit: reject a missing token and compare in constant time
$submitted = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $submitted)) {
die('Invalid CSRF token');
}
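The snippet above shows the three pieces in isolation. The following added example, which is not the project's own code, wraps them in a small helper that issues one token per session, renders the hidden field, and checks the submitted value in constant time; the class name, the field name csrf_token and the rotate() hook are assumptions.

```php
<?php
// Added example (not the project's own code): a session-bound CSRF token helper.
declare(strict_types=1);

final class Csrf
{
    private const KEY = 'csrf_token';

    private static function ensureSession(): void
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }

    // Create the token once per session and reuse it, so a user with several
    // forms open does not have one tab invalidate another.
    public static function token(): string
    {
        self::ensureSession();
        if (empty($_SESSION[self::KEY])) {
            $_SESSION[self::KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::KEY];
    }

    // Call after login or logout so a token issued before the privilege
    // change cannot be reused afterwards.
    public static function rotate(): void
    {
        self::ensureSession();
        unset($_SESSION[self::KEY]);
    }

    // Hidden input to place inside every state-changing form.
    public static function field(): string
    {
        $t = htmlspecialchars(self::token(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<input type="hidden" name="' . self::KEY . '" value="' . $t . '">';
    }

    // True only when a token was submitted and matches the session copy.
    // hash_equals() keeps the comparison time independent of where the
    // strings first differ.
    public static function verify(?string $submitted): bool
    {
        self::ensureSession();
        $expected = $_SESSION[self::KEY] ?? null;
        if (!is_string($expected) || !is_string($submitted) || $expected === '') {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

// Usage in a form handler:
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!Csrf::verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the trusted form submission ...
}

// Usage in a template:
// <form method="post"> <?= Csrf::field() ?> ... </form>
```

Verification only applies to state-changing requests (POST here); GET handlers that change state should be converted to POST rather than given a token check.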
Input Validation
// Sanitize, then validate (FILTER_VALIDATE_EMAIL returns false if the value is not a valid address)
$email = filter_var($_POST['email'] ?? '', FILTER_SANITIZE_EMAIL);
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
if ($email === false) {
// Reject the request
}
// Escape output
echo e($userInput);
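As an added example that is not the project's own code, the block below separates the two concerns this section names: validating request fields into typed values (rejecting anything that does not fit) and escaping at output time. The field names, the form validator and the definition of e() are assumptions; the project's own e() helper may differ.

```php
<?php
// Added example (not the project's own code): validate-then-escape for a
// client form. Field names and the e() definition are assumptions.
declare(strict_types=1);

// Escape for an HTML body or attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Returns [values, errors]. values holds only fields that passed; errors maps
 * field name to message. Nothing is "cleaned up" silently: bad input is rejected.
 */
function validateClientForm(array $input): array
{
    $values = [];
    $errors = [];

    $email = filter_var(trim((string) ($input['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Enter a valid email address.';
    } else {
        $values['email'] = $email;
    }

    // An id is either a positive integer or invalid; FILTER_VALIDATE_INT
    // returns false for '', null, '42abc' and out-of-range values.
    $id = filter_var($input['client_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['client_id'] = 'Invalid client id.';
    } else {
        $values['client_id'] = $id;
    }

    $name = trim((string) ($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    } else {
        // Stored as entered; HTML escaping happens only when rendered with e().
        $values['name'] = $name;
    }

    return [$values, $errors];
}

// Constructed sample input: valid fields, with a name containing markup.
$sample = [
    'email'     => 'alice@example.com',
    'client_id' => '42',
    'name'      => 'Alice <script>alert(1)</script>',
];
[$values, $errors] = validateClientForm($sample);

if ($errors === []) {
    // $values['client_id'] is int(42); the name is rendered as literal text,
    // so the <script> tag is displayed, not executed.
    echo '<p>Client: ' . e($values['name']) . '</p>';
}
```

Keeping the raw value in storage and escaping on output means the same record can later be emitted safely into a different context (JSON, a URL, an attribute) with the escaper appropriate to that context.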