« HS-CMS documentation home

The HS-CMS Users/Login Functionality

What Developers Need To Know

Developers should:

  • Use the following code to check if a user is logged in:

    $user_is_logged_in = ($HS_current_user !== FALSE);

    If the above returns true, then you can assume $HS_current_user is a HS_User object and you can then use its methods, checking its privileges, grabbing its name or ID, etc.

  • Absolutely never check for, use, or modify $_COOKIES[HSCMS] or the HSCMS=LOGGEDIN cookie. (Its use is unsafe and incorrect. See below.)

Internal Implementation

HS-CMS absolutely requires cookies to be enabled for login capabilities.

When pages are loaded, page.php checks for the cookie name-value pair HSCMS=LOGGEDIN. If it does not exist, pages are rendered using the most lightweight, most-cached code possible. If it does exist, then the user library (core/hs_users.php) is loaded and HS-CMS verifies that the user is indeed logged in, loads their permissions, etc. THE “HSCMS=LOGGEDIN” COOKIE PAIR IS NOT AN ATTACK VECTOR OR SECURITY ISSUE. An attacker with such a cookie is not accepted as a user; s/he would still need proper login credentials. However, it would cause the inclusion of the users library and possible less caching.

Users are given roles which have specific permissions.

Users may also have their permissions limited to, or extended for, a specific “directory”.