Nov 21 2005, 04:14 PM
Post
#1
Premium Member Group: Members Posts: 292 Joined: 15-December 04 Member No.: 1,768
My professor is designing a website that uses bit-flag checking to allow access to certain pages. You log in, validate login, and store their allowed bit flag into a session variable. Then you compare to see if they have access or not. It's fairly new to me, but it's apparently very common with Linux users. Sounds interesting to me, just wondering if anyone has used this, or is it a little too much for simple pages. His site however is going to be more of "software" for several users. Is it very secure and does it work well?
This post has been edited by miCRoSCoPiC^eaRthLinG: Nov 21 2005, 05:24 PM
Nov 21 2005, 05:32 PM
Post
#2
PsYcheDeLiC dR3aMeR Group: Admin Posts: 2,242 Joined: 29-January 05 From: Nakorn Chaisri, Thailand Member No.: 2,411 myCENTs:84.36
It should be a very quick and convenient way of doing it - much simpler than referring to a database every time to check whether you've got access or not.
The most common way of fixing access permissions is to have a bunch of fields in the database, representing each screen - you just store 'Y' or 'N' in each field to set the access permission for that screen. Instead of that approach, one can easily store the whole information in a single or multiple bytes of data, using each individual bit to represent a particular screen. In the database approach, you'd need 8 bytes (8 characters - Y/N) to store access rights for 8 screens, whereas, in the bitflag approach, you can use just a single BYTE (remember each BYTE has 8 BITS) - to store the whole data. Take for example a byte - consisting of these bits: 10011011 - each '0' or '1' represents whether permission is disallowed or allowed. You just load this information from the database ONCE when the user logs in, and store this info in a session variable. Every time you access a page, you check against this value and see whether this dude has access or not.
But one problem with this approach - what if this user just walks off from his terminal without logging out? And his session hasn't expired yet? Anybody else can come in and mess around - but so can you do it in case of the first approach. If one forgets to log out, even God can't help (with due respects)...
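A sketch of the per-page check described in the replies above, added here as an example and not code from the thread. The screen names, the `IDLE_LIMIT` value and the dict standing in for server-side session storage are assumptions; the check denies by default and expires idle sessions, which narrows the walked-away-terminal case raised above.

```python
from enum import IntFlag


class Screen(IntFlag):
    # Hypothetical screen names; the thread only says one bit per screen.
    HOME = 1 << 0
    REPORTS = 1 << 1
    ORDERS = 1 << 2
    BILLING = 1 << 3
    USERS = 1 << 4
    EXPORT = 1 << 5
    AUDIT = 1 << 6
    ADMIN = 1 << 7


IDLE_LIMIT = 15 * 60  # assumed idle timeout, in seconds


def login(session, flags_from_db, now):
    """Load the permission byte once, at login, into server-side session state."""
    if not 0 <= flags_from_db <= 0xFF:
        raise ValueError("permission byte out of range")
    session.clear()
    session["flags"] = flags_from_db
    session["last_seen"] = now


def can_access(session, required, now):
    """Per-page check: allow only if the session is live and every required bit is set."""
    flags = session.get("flags")
    last_seen = session.get("last_seen")
    if not isinstance(flags, int) or last_seen is None:
        return False                  # no login state: default deny
    if now - last_seen > IDLE_LIMIT:
        session.clear()               # idle too long: force a fresh login
        return False
    session["last_seen"] = now
    need = int(required)
    return (flags & need) == need     # all required bits, not just any of them


def demo():
    session = {}                      # constructed stand-in for a server-side session
    login(session, 0b10011011, now=0)  # the example byte from the post
    return [
        can_access(session, Screen.BILLING, now=60),                 # bit 3 is set
        can_access(session, Screen.ORDERS, now=120),                 # bit 2 is clear
        can_access(session, Screen.HOME | Screen.ADMIN, now=180),    # both bits set
        can_access(session, Screen.HOME, now=180 + IDLE_LIMIT + 1),  # idle expiry
        can_access(session, Screen.HOME, now=180 + IDLE_LIMIT + 2),  # state was cleared
    ]
```

Because the byte is cached at login, a permission revoked in the database takes effect only at the next login unless the check also re-reads it.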