To handle authentication and authorization in PHP, use sessions for tracking users, hash passwords securely, implement role-based access control, and maintain up-to-date security practices. 1. Use PHP sessions to store user identification after login and verify login status across pages. 2. Hash passwords with password_hash() during registration and verify with password_verify() during login. 3. Implement RBAC by storing user roles in the session and checking permissions before granting access. 4. Keep sessions secure by regenerating IDs, setting secure cookie parameters, using HTTPS, and avoiding sensitive data storage. 5. Protect against attacks by sanitizing input, logging failed attempts, rate-limiting, and considering established frameworks for built-in security features.

Handling authentication and authorization in PHP doesn’t have to be complicated, but it does require a solid understanding of how users are verified and what they’re allowed to do. At its core, you're trying to answer two questions:

• Who is this user? (Authentication)
• What can this user do? (Authorization)

Let’s break it down into practical steps.

Use Sessions for User Authentication

Once a user logs in, PHP sessions are the standard way to keep them logged in across multiple pages. When someone submits their username and password, you check those against your database. If they match, you start a session and store some identifying info—like user ID or username.

session_start();
$_SESSION['user_id'] = $user['id'];

This lets you check on other pages whether someone is logged in:

if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

Some key points:

• Always call session_start() at the beginning of every script that uses sessions.
• Don’t store sensitive data like passwords in session variables.
• Use secure session settings—like regenerating the session ID after login with session_regenerate_id(true) to help prevent session fixation attacks.

Hash Passwords Properly

One of the biggest mistakes in authentication is storing passwords insecurely. Never store plain text passwords. Instead, use PHP's built-in functions like password_hash() and password_verify().

When registering a user:

$hashed_password = password_hash($plain_text_password, PASSWORD_DEFAULT);
// Save $hashed_password to the database

And when logging in:

if (password_verify($input_password, $stored_hash)) {
    // Password matches
} else {
    // Invalid credentials
}

Why this matters:

• password_hash() automatically handles salting and uses strong algorithms.
• You don’t need to manage salts or encryption keys yourself.
• As PHP improves hashing methods, PASSWORD_DEFAULT will stay up to date.

Implement Role-Based Access Control (RBAC)

Once a user is authenticated, you need to decide what they can access. A common approach is role-based access control—assigning roles like “admin”, “editor”, or “subscriber”.

For example, after logging in, you might retrieve the user’s role from the database and store it in the session:

$_SESSION['role'] = $user['role'];

Then, on admin-only pages:

if ($_SESSION['role'] !== 'admin') {
    header('Location: index.php');
    exit;
}

Tips for managing roles:

• Store roles in the database as part of the user table or a separate roles table.
• Avoid hardcoding permissions; make them configurable if possible.
• For more complex systems, consider using a permissions table that maps roles to specific actions.

Keep Security Practices Up to Date

Even if your code works, security threats evolve. Here are a few things to watch out for:

• Use HTTPS so session cookies aren’t sent over plain text.
• Set secure session cookie parameters via session_set_cookie_params():

  session_set_cookie_params([
      'lifetime' => 86400,
      'path' => '/',
      'domain' => '',
      'secure' => true,
      'httponly' => true,
      'samesite' => 'Strict'
  ]);

• Log failed login attempts and consider rate-limiting.
• Always sanitize and validate user input to avoid SQL injection or XSS vulnerabilities.

You don't need to reinvent the wheel. Consider using frameworks like Laravel or Symfony, which include robust auth systems out of the box.

---

Basically, handling authentication and authorization in PHP comes down to verifying who users are, keeping track of them securely, and controlling what they can access based on their role—all while staying mindful of evolving security standards.

The above is the detailed content of How Do You Handle Authentication and Authorization in PHP?. For more information, please follow other related articles on the PHP Chinese website!