
Overview

The Seguridad system uses a role-based authentication mechanism that controls access to different modules and functionalities based on user permissions. All authentication is handled through PHP sessions and PostgreSQL database validation.

Login Process

Login Form

Users access the system through the main login page (index.php) which presents a simple authentication form:
1. Enter Credentials

Users must provide their username (usuario) and password (password) in the login form.
2. Form Validation

Client-side JavaScript validation ensures both fields are not empty before submission.
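// vacio() is a helper that is not shown here; the check below treats a
// false return as "field is empty".
function valida(F) {
  if (vacio(F.usuario.value) == false || vacio(F.password.value) == false) {
    alert("Todos los campos son obligatorios"); // "All fields are required"
    return false;
  }
  return true;
}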
3. Database Authentication

The system validates credentials against the usuario table in PostgreSQL:
SELECT usd, pwd, permisos 
FROM usuario 
WHERE usd = '$user1' AND pwd = '$pass1'
4. Role-Based Routing

Upon successful authentication, users are redirected to their designated module based on their permission level (see User Roles).
The current authentication implementation stores passwords in plain text and builds the login query by direct SQL string concatenation, which leaves it open to SQL injection. Both issues should be addressed in production environments.

Session Management

Session Initialization

When a user successfully logs in, the system creates several session variables:
$_SESSION["ultimoAcceso"] = date("Y-n-j H:i:s"); // Last access timestamp
$_SESSION["autentificado"] = "SI";               // Authentication flag
$_SESSION["_usr"] = $row[0];                      // Username
$_SESSION["_pass"] = $row[1];                     // Password
$_SESSION["_categoria"] = $row[2];                // Permission category

Session Validation

The miconexion.php file is included in protected pages to validate user sessions:
if (!isset($_SESSION["_usr"])) {
  echo "Tu no estas autentificado - RESTRICCION TOTAL -, ingresa <a href='index.php'>aquí</a>"; 
  exit(); 
}

Session Timeout

The system tracks the last access time but the automatic timeout mechanism is currently commented out in the source code. The original implementation checked for 10-minute inactivity periods:
// Commented timeout logic
// if($tiempo_transcurrido >= 600) { // 10 minutes
//   session_destroy();
//   header("Location: inactivo.php");
// }
Session timeout is currently disabled. Users remain authenticated until they manually log out or the session expires due to server configuration.
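
One way to restore the 10-minute inactivity check in a guard such as miconexion.php, shown as an added example rather than the project's own code. The names LIMITE_INACTIVIDAD, sesion_inactiva() and exigir_sesion() are hypothetical, and the example assumes ultimoAcceso keeps the "Y-n-j H:i:s" format set at login.

```php
<?php
// Added example, not the project's code; all names below are hypothetical.
const LIMITE_INACTIVIDAD = 600; // seconds (10 minutes, as in the commented-out logic)

// True when the stored last-access time is missing, unparseable, or older
// than the limit. Bad or absent data is treated as expired (fail closed).
function sesion_inactiva(array $sesion, int $ahora, int $limite = LIMITE_INACTIVIDAD): bool
{
    if (!isset($sesion["ultimoAcceso"])) {
        return true;
    }
    $ultimo = DateTime::createFromFormat("Y-n-j H:i:s", $sesion["ultimoAcceso"]);
    if ($ultimo === false) {
        return true;
    }
    return ($ahora - $ultimo->getTimestamp()) >= $limite;
}

// Guard for protected pages: requires a login and enforces the idle limit.
function exigir_sesion(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION["_usr"])) {
        header("Location: index.php");
        exit();
    }
    if (sesion_inactiva($_SESSION, time())) {
        $_SESSION = [];                   // drop the data held in memory
        session_destroy();                // delete the server-side session record
        header("Location: inactivo.php");
        exit();                           // stop before any protected output is sent
    }
    $_SESSION["ultimoAcceso"] = date("Y-n-j H:i:s"); // slide the idle window
}
```

Call exigir_sesion() before any output on each protected page, since header() cannot redirect once output has started.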

Password Security

Current Implementation

The system implements basic password handling:

Password Storage

Passwords are stored in the pwd field of the usuario table

Password Length

Maximum length: 16 characters

Password Input

Password fields use HTML type="password" for masked input

Password Confirmation

User creation/modification requires password confirmation

Password Validation

When creating or modifying users, the system validates that passwords match:
if ($clave != $confirma) {
  echo "<script language='javascript'>alert('No coincide el campo Clave con el campo Confirma')</script>";
}
Security Recommendations:
  • Implement password hashing (bcrypt, Argon2)
  • Add password complexity requirements
  • Prevent SQL injection with prepared statements
  • Implement rate limiting for login attempts
  • Add HTTPS/SSL encryption for data transmission
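
The hashing and prepared-statement recommendations applied to the login query and session variables shown earlier, as an added example that is not the project's own code. The function names autenticar(), hash_clave() and iniciar_sesion() are hypothetical; the example assumes a PDO pgsql connection in $db and a pwd column widened to hold a password_hash() string, with existing passwords already re-hashed.

```php
<?php
// Added example, not the project's code; function names are hypothetical.
// Assumes $db is a PDO pgsql connection and usuario.pwd has been widened to
// hold a password_hash() string, with existing passwords re-hashed.

// Check credentials with a bound parameter and a hash comparison.
// Returns ["usd" => ..., "permisos" => ...] on success, null otherwise.
function autenticar(PDO $db, string $usuario, string $clave): ?array
{
    $stmt = $db->prepare("SELECT usd, pwd, permisos FROM usuario WHERE usd = :usd");
    $stmt->execute([":usd" => $usuario]);   // value is sent as data, never as SQL
    $fila = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($fila === false || !password_verify($clave, $fila["pwd"])) {
        return null;                        // same result for unknown user and bad password
    }
    if (password_needs_rehash($fila["pwd"], PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE usuario SET pwd = :pwd WHERE usd = :usd");
        $upd->execute([":pwd" => hash_clave($clave), ":usd" => $fila["usd"]]);
    }
    return ["usd" => $fila["usd"], "permisos" => $fila["permisos"]];
}

// Hash to store in usuario.pwd when a user is created or modified.
function hash_clave(string $clave): string
{
    return password_hash($clave, PASSWORD_DEFAULT);
}

// Populate the session after login without copying the password into it.
function iniciar_sesion(array $u): void
{
    session_regenerate_id(true);            // fresh session id for the authenticated session
    $_SESSION["ultimoAcceso"] = date("Y-n-j H:i:s");
    $_SESSION["autentificado"] = "SI";
    $_SESSION["_usr"] = $u["usd"];
    $_SESSION["_categoria"] = $u["permisos"];
}

// Usage in the login handler, after session_start():
//   $u = autenticar($db, $_POST["usuario"] ?? "", $_POST["password"] ?? "");
//   if ($u !== null) { iniciar_sesion($u); /* redirect according to $u["permisos"] */ }
```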

Role-Based Access Control

Permission System

Access control is managed through the permisos field in the usuario table. Each permission code determines:
  1. Module Access - Which functional areas the user can access
  2. Landing Page - Where users are redirected after login
  3. Data Scope - What regional or departmental data they can view/modify

Permission Categories

The system uses numeric and text-based permission codes:
  • 0 - Administrator (full system access)
  • 1-15 - Regional Units (UR1 through UR15)
For detailed information about each role’s permissions, see the User Roles Guide.

Logout

Users can end their session by accessing the logout functionality:
// logout.php
session_destroy();
header("Location: index.php");
The logout option is available in the main navigation menu for all authenticated users.

Database Connection

The system connects to PostgreSQL with the following configuration:
$host = 'localhost';
$dbname = ''; // Database name configured per installation
$puerto = '5434';
$user = 'postgres';
Database connection parameters are hardcoded in index.php and miconexion.php. Consider moving these to a configuration file for easier maintenance.

Troubleshooting

This error appears when:
  • Username doesn’t exist in the database
  • Password doesn’t match
  • Database connection failed
Solution: Verify credentials with the system administrator.
This message indicates:
  • Session expired or was never created
  • Direct access attempt to a protected page
Solution: Return to the login page and authenticate.
If redirected to the wrong area after login:
  • Check your permisos value in the database
  • Contact administrator to update your role
Solution: User permissions need to be updated in the usuario table.

Next Steps

User Roles

Learn about different user roles and their permissions

Navigation

Explore the system’s navigation structure and modules
