I am creating an online Alumni Tracking System for my college. There will be three types of users: Alumni, Faculty and Administrators. Alumni can do restricted/limited queries and can update their own record. Faculty can create and update all alumni records and use many queries. Administrators can create and delete faculty users.
User information is stored in two tables, Student and Faculty. In Student, there is an ID field used for the login username, and a Password field. The Faculty table includes an ID and Password field as well, but it also includes a boolean flag to signify if the Faculty user has Administrator permissions.
I want to have three levels of access corresponding to the three user types. How can I authenticate the user and save their user-type for use in deciding what pages (or sections of pages) they will have access to? I especially need to know what will go in Application.cfm. Is it better to use sessions or cookies or both? Also, how do I lock the sessions? (I have heard this is important)
I also need to know what is the best way to test if the user is allowed access to the page. Should I create an #include page for each access level that redirects them to the login if failed, and displays the page if true? Then I could just add the right #include page on each content page depending on the access level needed. Is this a good way to implement that or not?
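One way to wire this together, as an added example and not code from the original post: the session holds only a login flag, the user's ID and a role name, `Application.cfm` switches session management on and initialises those keys under a `cflock`, the login page sets them from the Student/Faculty lookup, and a single parameterised include (instead of one include per level) compares the page's required level against the session role. The datasource name `alumni_dsn`, the file names `login.cfm`/`check_access.cfm` and the column name `IsAdmin` are assumptions; storing the Password columns as SHA-512 hashes rather than plain text is an added recommendation, not something the post describes.

```cfml
<!--- Application.cfm (added example, not from the original post) --->
<!--- Session management: only the session ID travels in a cookie, the data stays server-side --->
<cfapplication name="AlumniTracker"
               sessionmanagement="yes"
               setclientcookies="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Initialise once per session; the exclusive lock stops two concurrent requests
      from writing the session scope at the same time (that is what "locking" means here) --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfparam name="session.loggedIn" default="false">
    <cfparam name="session.role"     default="">     <!--- "alumni", "faculty" or "admin" --->
    <cfparam name="session.userId"   default="">
</cflock>


<!--- login.cfm: authenticate against Faculty first, then Student, and record the role --->
<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- Assumption: Password columns hold SHA-512 hashes, so hash the submitted value --->
    <cfset pwHash = Hash(form.password, "SHA-512")>

    <!--- cfqueryparam keeps the submitted username/password out of the SQL text --->
    <cfquery name="qFaculty" datasource="alumni_dsn">
        SELECT ID, IsAdmin FROM Faculty
        WHERE ID = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
          AND Password = <cfqueryparam value="#pwHash#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfquery name="qStudent" datasource="alumni_dsn">
        SELECT ID FROM Student
        WHERE ID = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
          AND Password = <cfqueryparam value="#pwHash#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfset newRole = "">
    <cfif qFaculty.recordCount EQ 1>
        <!--- the Faculty table's boolean flag decides faculty vs. administrator --->
        <cfif qFaculty.IsAdmin>
            <cfset newRole = "admin">
        <cfelse>
            <cfset newRole = "faculty">
        </cfif>
    <cfelseif qStudent.recordCount EQ 1>
        <cfset newRole = "alumni">
    </cfif>

    <cfif Len(newRole)>
        <cflock scope="session" type="exclusive" timeout="10">
            <cfset session.loggedIn = true>
            <cfset session.role     = newRole>
            <cfset session.userId   = form.username>
        </cflock>
        <cflocation url="index.cfm" addtoken="no">
    <cfelse>
        <cfoutput><p>Login failed.</p></cfoutput>
    </cfif>
</cfif>


<!--- check_access.cfm: one include for all three levels; the calling page sets requiredRole first --->
<cfparam name="requiredRole" default="admin">   <!--- fail closed: strictest level if the page forgot --->
<cfset roleRank = StructNew()>
<cfset roleRank.alumni  = 1>
<cfset roleRank.faculty = 2>
<cfset roleRank.admin   = 3>

<!--- Read the session under a readonly lock, then work with local copies --->
<cflock scope="session" type="readonly" timeout="10">
    <cfset isLoggedIn = session.loggedIn>
    <cfset myRole     = session.role>
</cflock>

<cfif NOT isLoggedIn
      OR NOT StructKeyExists(roleRank, myRole)
      OR roleRank[myRole] LT roleRank[requiredRole]>
    <cflocation url="login.cfm" addtoken="no">
</cfif>


<!--- faculty_report.cfm: how a protected page uses the include --->
<cfset requiredRole = "faculty">
<cfinclude template="check_access.cfm">
<!--- page content follows; it only renders when the redirect above did not fire --->
```

With this layout, "sessions or cookies" is answered by the first block: the browser gets only a session identifier cookie, and the role lives in the server-side session scope where the user cannot edit it. The rank comparison generalises the one-include-per-level idea from the post, so a faculty page also admits administrators without a second include. For the alumni "update own record" case, the update page would additionally compare the record's ID against `session.userId` before running the query, since the role check alone only says the user is an alumnus, not which one.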