I could use a little guidance from the list tracking a bug in my
application.
My site has a set of publicly viewable pages, and several pages that
require additional privileges. All pages reference a subclass of auth
called "myAuth" which enables "nobody" and permits browsing of the publicly
viewable pages.
When they enter their username and password, they are posting to a secured
page called /userHome.php. /userHome.php sees the existing session and
recognizes that the user is "authenticated" as nobody, but fails the next
step of login_if($auth->auth['uid']=='nobody') which redirects them to a
login page!
The net effect is that the user thinks the first login attempt failed and
the second attempt behaves normally. Clearly, what I'm trying to accomplish
and what I've written are widely divergent!
So, what's the "proper" way to allow the users to switch between "nobody"
and a real, authenticated user?
- Should I use two subclasses of auth - one that enables nobody and another
that doesn't?
- Should I attempt to detect the logon by looking at HTTP_POST_VARS for the
username and password and then trying to $sess->delete() and $auth->unauth()
to "force" the start method to execute auth_validatelogin()?
Thanks in advance for your assistance!
terry