Access Control for Web Applications

Authentication systems aren't the only way to ensure that only legitimate users can use your application; you can also apply access control systems built specifically for web applications. Yes, you learned in Chapter 4 that you could use system-level access controls, but for several reasons these aren't feasible in a web application:

  1. It is impractical to use file ownership and permissions to control access to files and scripts that must all be readable by the webserver user nobody.
  2. An online application should never be allowed to create (or even expose the existence of) system-level user accounts. Besides making it difficult to scale an application across multiple servers, each additional system account is a potential agent ...
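The practical consequence of both points is that the application has to keep its own user-to-permission mapping rather than leaning on the operating system. The following PHP sketch is an added example, not code from the book; the ACL contents, the document directory path and the document-id format are constructed assumptions.

```php
<?php
// Added example (not from the book): application-level access control.
// Every PHP script runs as the same OS account (for example "nobody"), so
// file ownership and permissions cannot tell one web user from another.
// The application therefore keeps its own user -> permission map and never
// creates system-level accounts for web users.
declare(strict_types=1);

// Constructed ACL: application user names and the document ids they may
// read. In a real deployment this would live in the application's database.
const ACL = [
    'alice' => ['doc-1', 'doc-2'],
    'bob'   => ['doc-2'],
];

// Assumed location of the private documents (not from the book). The files
// here are readable by the webserver user, so the OS check alone would
// succeed for every web user regardless of who they are.
const DOCUMENT_DIR = '/var/www/app/private';

function canRead(string $appUser, string $docId): bool
{
    // Application-level decision based on the ACL, not on file permissions.
    return in_array($docId, ACL[$appUser] ?? [], true);
}

function serveDocument(string $appUser, string $docId): ?string
{
    // Restrict the id to a safe character set so it cannot name a path
    // outside DOCUMENT_DIR (the id is attacker-controlled input).
    if (!preg_match('/^[a-z0-9-]+$/', $docId)) {
        return null;
    }
    if (!canRead($appUser, $docId)) {
        return null; // caller should answer 403 Forbidden
    }
    $path = DOCUMENT_DIR . '/' . $docId . '.txt';
    // is_readable() only says whether the webserver account can read the
    // file; it is a sanity check, not the authorization decision.
    if (!is_readable($path)) {
        return null; // caller should answer 404 Not Found
    }
    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

// Usage: the user name is assumed to come from an already-authenticated
// session; "bob" is not in the ACL for doc-1, so this returns null.
$result = serveDocument($_SESSION['user'] ?? 'bob', 'doc-1');
```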

Source: Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition (O'Reilly).