Best Practices for Non-loggable Accounts
19-09-2019
Question
I am wondering what the best practices are for creating non-loggable accounts. On StackOverflow, there is a Community Wiki account that I'm assuming can't be logged into.
How should I go about scripting for non-loggable accounts? If there is an account that I don't want to be accessible, should I set parameters like you can't log into accounts with IDs less than 0? Or should I just manually define the IDs that cannot be logged into in the configuration ID? Or is there a better way?
Solution
To me you should use a flag in the account data, in order to set or revoke the logging capability.
This capability can be enforced with a query at the SQL level quite easily.
A query like:
select whatever from user where logging=1 and user='aUser' and passwd='password'
can do the trick.
Answering your comment: Maybe using a column appears not efficient to you but you have to consider the pros:
You have the information about your users in a single layer, not scattered around between database, configuration files, or whatever
You can revoke or grant the logging capability to any account without having to modify configuration files
OTHER TIPS
You can set a "flag" on your user table:
loggable int(1) default 1
Then you can check on your script:
//... data retrieve login ...
if ($userRow['loggable'] == 1) {
    //User can login, do stuff
} else {
    //Tell him that he can't login
}
Add a "loggable" field to accounts. It's scalable in case you end up having lots of non-loggable accounts.
You could make an empty password be non-loggable.
To extend Eineki's SQL:
select whatever from user where logging=1 and user='aUser' and
passwd='password' AND passwd IS NOT NULL
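The flag column and the "no password means no login" idea from the answers above, combined in one login check. This is an added example, not code from any of the answers; it uses Python with an in-memory SQLite database so it runs stand-alone. The table layout, the function names and the use of PBKDF2 are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

DUMMY_SALT = b"\x00" * 16  # used only to spend similar time on rejected lookups

def hash_pw(password, salt):
    # PBKDF2 stands in for whatever password hash the application uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE user (
        id       INTEGER PRIMARY KEY,
        name     TEXT UNIQUE NOT NULL,
        salt     BLOB,
        pw_hash  BLOB,                       -- NULL: the account has no credential
        loggable INTEGER NOT NULL DEFAULT 1 CHECK (loggable IN (0, 1)))""")
    return db

def add_user(db, name, password=None, loggable=1):
    # An empty or missing password is stored as NULL, never as the hash of "".
    salt = os.urandom(16) if password else None
    pw_hash = hash_pw(password, salt) if password else None
    db.execute("INSERT INTO user (name, salt, pw_hash, loggable) VALUES (?, ?, ?, ?)",
               (name, salt, pw_hash, loggable))

def set_loggable(db, name, flag):
    # Grant or revoke login without touching configuration files.
    db.execute("UPDATE user SET loggable = ? WHERE name = ?", (int(flag), name))

def login(db, name, password):
    # The flag and the NULL check are enforced in the query itself, and the
    # user name is bound as a parameter instead of concatenated into the SQL.
    row = db.execute(
        "SELECT id, salt, pw_hash FROM user "
        "WHERE name = ? AND loggable = 1 AND pw_hash IS NOT NULL",
        (name,)).fetchone()
    if row is None:
        hash_pw(password, DUMMY_SALT)  # unknown, disabled or credential-less account
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(hash_pw(password, salt), stored) else None
```

`login` returns the same `None` for a wrong password, an unknown name and a non-loggable account, so the response does not reveal which accounts exist or are disabled.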