Using CMSBuilding Login

25 posts by 9 authors in: Forums > CMS Builder
Last Post: October 8, 2009   (RSS)

By andycal - August 20, 2009

Anyone know what session variables should I be checking for if I want to protect other pages of my site? Or maybe I should be including a file and using a function?

Any help appreciated!

Re: [andycal] Using CMSBuilding Login

By gkornbluth - August 20, 2009 - edited: August 20, 2009

If you mean allowing certain CMSB users to edit only certain pages and not others, you can restrict access down to the author of a page in specific sections when you set up their user account.

In the section access pulldown menu you can specify specific sections and restrict access that way.

If that's not what you're asking, let us know,

Best,

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [andycal] Using CMSBuilding Login

There are 2 approaches that come to mind.

1) Don't provide any public links to the versions of those pages with the private data.

2) Password protect the folder with those pages if you need the added security.

You can use a free password management program like Account Manager Lite by Site Interactive or just use .htaccess files.

Does that help at all?

Best,

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [gkornbluth] Using CMSBuilding Login

By InHouse - August 20, 2009

In the past I've set session vars once a registered user has logged into a site. Then on each page I sniff for those vars and if that user has values in their account info (CMSB Table) that matches the permitted users for that page, then they can go on and read the page. Otherwise, they are bounced, or some content is displayed conditionally.

Basically this is the same method that Dreamweaver users by default in these cases.
J.

Re: [InHouse] Using CMSBuilding Login

sounds like an interesting approach, could you expand a bit on the process and code?

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [gkornbluth] Using CMSBuilding Login

By InHouse - August 20, 2009

I can do so in brief from memory. Details can be provided later if needed:

1 - Created a mulit-record table in CMSB called 'Subscribers'. Contains user info, password, contacts, and permission data. In my case the latter was a drop-down menu containing user level types. My client wanted to have viewers only see certain data so this table also had extra permission fields. i.e.: red stuff, blue stuff, green stuff.

2 - The client was signing up users manually, but you could have a sign-up form which populates that table. Moderator oversight may be required.

3 - On the login page. The user would enter their username and password. These are checked against the user table. If their account is in good standing, create session vars based on some kind of temp hash of their username and/or system time (or similar).

4 - On each subsequent page, at load, check the session vars and see if their reversed-hash info matches the valid account info from the CMSB table. If not, bounce the user back to page 1. If valid, read their data viewing permissions and display the content accordingly (i.e.: red stuff, blue stuff, green stuff,etc.). Users with certain levels of permission such as Admins or Mods might see multiple sets of data.

5 - For some critical bits of content, or with certain user actions, we send emails or append to a flat file log of what user took a given action. That way we know if they downloaded a given file or went to a particular page.

It must be noted that this site was just intended for non-commercial actions as this method is far from foolproof. But it does allow one to know which of your users came to your site, what pages they viewed, and permit you to show the right data to the right groups of users provided that none of them know enough about how to spoof the session vars or some of the page headers. Security is relative.

This site was originally built on CMSB 1.20 and I'm sure we might approach some things a little differently now.

Hope this helps!

J.

Re: [InHouse] Using CMSBuilding Login

By andycal - August 20, 2009

Hang on guys, before we get carried away, I'm sure there's an easier way. When I log in to the CMS admin, a session variable is surely set. If I know what this is, I can protect other pages. Or does it use some other method to know who's logged in?

Re: [andycal] Using CMSBuilding Login

By InHouse - August 20, 2009

No idea andycal, but that's a great question.

Back when I did this, and perhaps even now, I wasn't able to add extra fields to the user table on CMSB. Neccessity begat invention.

J.

Re: [andycal] Using CMSBuilding Login

By Dave - August 20, 2009

Hi andycal,

This isn't something that's supported by the software, but I'll try and point you in the right direction. We switched from cookies to sessions in a recent version, so upgrade if you haven't already.

Next, add this line in red before you load the viewer functions:

if (!defined('START_SESSION')) { define('START_SESSION', true); }
require_once "../lib/viewer_functions.php";


That tells it to start a session. Next, you can display an error message for users who are not logged in like this:

<?php if (!@$_SESSION['username']) { die("You must login first!"); } ?>

And you can see all the session variables available like this:

<xmp><?php print_r( $_SESSION ) ?></xmp>

Note that the program internals might change over time. Probably not for a long while, but be sure to test your custom code after future upgrades.

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com