 

How Does Website Access Control Actually Work?

I am just starting to learn about web development and something has been niggling me for a while now: how a website controls what you can access and cannot access.

For example, a website like Facebook. When I first go to the site, it presents a login form; once I am logged in, the same page that I tried to access before now shows information relevant to me that I could only access once logged in. I can navigate to a different site and then come back to google and it still allows me to use it without logging on again.

How exactly would a site block someone trying to access a particular page when they are not logged in, let's say the page viewProfile.php? How does the website know who to allow access to this page?

I realise this question may seem confusing and elementary, but it's just something that came to me whilst viewing Facebook.

Thanks.

Terence Butler asked Feb 25 '23 13:02


2 Answers

This is a very simple concept called sessions.

When you visit Facebook, it reads unique information sent to it via the connection, such as IP address, browser, and some other minor information; when this information is combined it creates a unique identifier.

This unique identifier is then stored in a file like so:

 d131dd02c5e6eec4693d9a0698aff95c.session

So when you log in with your credentials, their application adds information into this file such as last activity etc.

When you go away and come back, Facebook will then read the information that's sent with every request; it then adds it all together and creates a unique hash. If this hash exists within its storage system it will open it up and read the contents, and know exactly who you are.

All this is combined with cookies: the unique hash is sent back to the browser and stored in your cookies folder, and this cookie file is sent back to Facebook with every request.

PHP handles this for you internally, so it's pretty basic to get it up and running: http://php.net/manual/en/features.sessions.php

Here's an example that may help you understand the concept a little more.

<?php
/*
 * session_start() generates that hash and sends a cookie to the browser.
 * This has to come first, as cookies can only be sent before any content is output.
 */
session_start();

/*
 * Anything stored within $_SESSION is what's been read from the session file.
 * We check whether the counter has already been set, which it won't be the
 * first time the user visits the site.
 */
if (!isset($_SESSION['hits']))
{
    $_SESSION['hits'] = 0;
}

/*
 * Now we increment the value every time the page is loaded.
 */
$_SESSION['hits']++;

/*
 * Now we display the number of times the user has loaded the page.
 */
echo 'You have visited this site <strong>' . $_SESSION['hits'] . '</strong> times.';

?>

If you load this page and then hit F5, the session value gets incremented on every request, so you should see something like:

  • You have visited this site 1 times.
  • You have visited this site 2 times.
  • You have visited this site 3 times.
  • You have visited this site 4 times.
  • ...

The session file is unique to each person visiting, meaning that when using the session variable in PHP it would be for that user only, so everyone gets their own individual session.

As you're researching, it's good to search StackOverflow for certain tags, such as PHP and sessions.

https://stackoverflow.com/questions/tagged/php+session

Here's a good question in regards to cookies and sessions, their advantages etc.

Purpose Of PHP Sessions and Cookies and Their Differences

RobertPitt answered Mar 04 '23 05:03
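Taking the question's viewProfile.php as the gated page, here is an added PHP example (not the answer's own code) that connects the session mechanism above to an actual access check: a login handler that verifies a password hash, regenerates the session id on success, and a profile page that redirects anyone whose session has not recorded a login. The user table, the user name and the action names are constructed for the demo; a real site would read the hashes from a database. It assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example, not code from the answer: a single file standing in for
// login.php and viewProfile.php, dispatched on ?action=login|profile.
declare(strict_types=1);

// Cookie attributes must be set before session_start() sends the session cookie.
session_set_cookie_params([
    'lifetime' => 0,       // browser session only: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by page JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POST requests
]);
session_start();

// Constructed demo user table. The hash is computed here only so the file runs
// stand-alone; a real site stores hashes made with password_hash() in a database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Who the session says is logged in, or null for an anonymous visitor.
function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

// The access check the question asks about: a page that calls this is only
// reachable with a session in which a successful login was recorded.
function requireLogin(): void
{
    if (currentUser() === null) {
        header('Location: ?action=login', true, 302);
        exit;
    }
}

$action = $_GET['action'] ?? 'profile';

if ($action === 'login') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $name = $_POST['username'] ?? '';
        $pass = $_POST['password'] ?? '';
        if (isset($users[$name]) && password_verify($pass, $users[$name])) {
            // Issue a fresh session id at login so an id that existed before
            // authentication is never promoted to a logged-in one.
            session_regenerate_id(true);
            $_SESSION['user'] = $name;
            header('Location: ?action=profile', true, 302);
            exit;
        }
        echo '<p>Invalid username or password.</p>'; // same message whether the name exists or not
    }
    echo '<form method="post">'
       . '<input name="username" placeholder="username"> '
       . '<input type="password" name="password" placeholder="password"> '
       . '<button>Log in</button></form>';
} elseif ($action === 'profile') {
    // This branch plays the role of viewProfile.php.
    requireLogin();
    echo '<p>Profile of ' . htmlspecialchars(currentUser(), ENT_QUOTES, 'UTF-8') . '</p>';
} else {
    http_response_code(404);
    echo 'Not found';
}
```

Run it with `php -S localhost:8000 demo.php` and request `/?action=profile`: without a session the server answers with a redirect to the login form, and after a successful POST the same URL renders the profile, because the only thing that changed is what the server has stored against the session id in the cookie. The `secure` flag means browsers will not send the cookie over plain `http://localhost`, so for a local try-out put the built-in server behind TLS or temporarily set that flag to false.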


A website uses something called a "cookie" to store information on your computer.

This information can hold any text string, but in this case it is probably a unique ID that Facebook knows (probably stored in a database somewhere) is tied to a certain user. Cookies can only be read by the website that sent them and by the browser itself.

The login page sends a POST/GET request to a script that generally checks the username/password combo against data in a database. If the data is found to be valid, then the user is granted access to the website's landing page (the page after login) and a cookie is stored. If it is not, they are sent back with an error message.

Cookies can also have a "lifespan". This lifespan can be anything: for a certain number of seconds; until you leave the site; until you close your browser; or forever (there are probably more).

The website that sent a cookie can also delete a cookie before it expires. This is how most "logout" buttons work.

JackMc answered Mar 04 '23 04:03
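As an added PHP example (not JackMc's code) of the lifespan and deletion points above: the session cookie is issued with a 30-minute lifetime, the server enforces the same idle limit itself rather than trusting the browser to drop the cookie, and the logout action deletes the cookie early by re-sending it with an expiry in the past and destroying the server-side session. The lifetime value and the action name are constructed for the demo; it assumes PHP 7.3 or later for the array forms of session_set_cookie_params and setcookie.

```php
<?php
// Added example, not code from the answer above: cookie lifespan and logout.
declare(strict_types=1);

const SESSION_LIFETIME = 30 * 60; // 30 minutes; 0 would mean "until the browser closes"

// Delete the cookie on the browser and the session on the server: what a logout button does.
function endSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Re-send the cookie with an expiry in the past so the browser discards it now,
    // using the same attributes it was issued with so it matches the stored cookie.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// The cookie's lifespan: the browser drops it SESSION_LIFETIME seconds after it was set.
session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

if (($_GET['action'] ?? '') === 'logout') {
    endSession();
    header('Location: /', true, 302);
    exit;
}

// The browser-side expiry alone is not an access control: a client can keep
// sending a cookie it should have discarded, so the server checks the age too.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > SESSION_LIFETIME) {
    endSession();
    header('Location: /?expired=1', true, 302);
    exit;
}
$_SESSION['last_seen'] = time();

echo 'Session active; <a href="?action=logout">log out</a>';
```

The two checks are deliberately separate: the cookie's `lifetime` is a convenience that keeps stale cookies out of the browser, while the `last_seen` comparison is what actually ends access, since it runs on data the client cannot edit. Deleting with the same `path`, `domain` and flags matters because browsers treat a cookie with a different path or domain as a different cookie, and the original would survive.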