Access Control with Bit Masks

Access Control with Bit Masks

6 66455
Access Control with Bit Masks

Access Control with Bit Masks

Today I want to tell you about the organization of access rights to users (on your site) using bit masks. Perhaps you have already known it, probably not, but anyway I want to give you this information. Why bit masks – easy, because this is and fast and easy way to recognize user’s possibilities. In our system, I have identified six possible actions (it will keep 6 bits, each bit – one of the possible actions). There are next actions: Read, Create, Edit Own, Delete Own, Edit Any and Delete Any (moderator’s / admin’s actions). It can be applied to everything – blogs, news articles, photos and more. Ok, lets start.

Here are a little of theory about Bitwise Operators:

Example Name Result
$a & $b And Bits that are set in both $a and $b are set.
$a | $b Or (inclusive or) Bits that are set in either $a or $b are set.
$a ^ $b Xor (exclusive or) Bits that are set in $a or $b but not both are set.
~ $a Not Bits that are set in $a are not set, and vice versa.
$a << $b Shift left Shift the bits of $a $b steps to the left (each step means “multiply by two”)
$a >> $b Shift right Shift the bits of $a $b steps to the right (each step means “divide by two”)
Live Demo
download in package

Now – download the source files and lets start coding !

Step 1. HTML

Our demo uses 3 html template files:


<!DOCTYPE html>
<html lang="en" >
    <title>Access Control with Bit Masks</title>
    <link href="css/main.css" rel="stylesheet" type="text/css" />
        <h2>Access Control with Bit Masks</h2>
        <a href="" class="stuts">Back to original tutorial on <span>Script Tutorials</span></a>
    <div class="container">

This is very easy layout, isn’t it?. Next one template file:


<div class="column">
    <h3>Access control demonstration</h3>
    <p>You can use next usernames "User", "Writer", "Moderator" and "Admin" and password "password" to login in system. Each of them have own set of possibilities.</p>
<div class="column">
    <form class="login_form" action="index.php" method="post">
        <h3>Log In</h3>
        <label>Username:</label><input type="text" name="username">
        <label>Password:</label><input type="password" name="password">
        <input type="submit" name="LogIn" value="Login">

Another one easy template for login form. Next one template file:


<div class="column">
    <h3>Hello {name}</h3>
    <h3>Your bit mask:</h3>
    <h3>Your possibilities:</h3>
<div class="column">
    <a href="index.php?logout">Log Out</a>

This is template where we will display our possibilities and link to logout.

Step 2. CSS


This file contains several styles of our page layout, no need to publish it today.

Step 3. PHP

Now, lets review our main functionality:


// define bit mask for access rights
define('CAN_READ', 1 << 0);   // 000001
define('CAN_CREATE', 1 << 1); // 000010
define('CAN_EDIT_OWN', 1 << 2);   // 000100
define('CAN_DELETE_OWN', 1 << 3); // 001000
define('CAN_EDIT_ANY', 1 << 4);   // 010000
define('CAN_DELETE_ANY', 1 << 5); // 100000
// login system init and generation code
$oSimpleAccessSystem = new SimpleAccessSystem();
$sLoginForm = $oSimpleAccessSystem->getLoginBox();
echo strtr(file_get_contents('main_page.html'), array('{form}' => $sLoginForm));
// class SimpleAccessSystem
class SimpleAccessSystem {
    // variables
    var $aMembers; // Existed members array
    // constructor
    function SimpleAccessSystem() {
        // different sets of permissions
        $sUserPerm = CAN_READ;
        $sModeratorPerm = CAN_READ | CAN_EDIT_ANY | CAN_DELETE_ANY;
        /* hash = sha1(md5('password') . 'testing'); */
        $this->aMembers = array(
            'User' => array('hash' => 'b88c654d6c68fc37f4dda1d29935235eea9a845b', 'salt' => 'testing', 'rule' => $sUserPerm),
            'Writer' => array('hash' => 'b88c654d6c68fc37f4dda1d29935235eea9a845b', 'salt' => 'testing', 'rule' => $sWriterPerm),
            'Moderator' => array('hash' => 'b88c654d6c68fc37f4dda1d29935235eea9a845b', 'salt' => 'testing', 'rule' => $sModeratorPerm),
            'Admin' => array('hash' => 'b88c654d6c68fc37f4dda1d29935235eea9a845b', 'salt' => 'testing', 'rule' => $sAdminPerm)
    // get login box function
    function getLoginBox() {
        if (isset($_GET['logout'])) { // logout processing
            if (isset($_SESSION['member_name']) && isset($_SESSION['member_pass']))
        if ($_POST && $_POST['username'] && $_POST['password']) { // login processing
            if ($this->checkLogin($_POST['username'], $_POST['password'], false)) { // successful login
                $this->performLogin($_POST['username'], $_POST['password']);
                header( "Location:{$_SERVER['REQUEST_URI']}" );
            } else { // wrong login
                ob_start(); // get template of Login form
                $sLoginForm = ob_get_clean();
                return $sLoginForm . '<h2>Username or Password is incorrect</h2>';
        } else { // in case if we already logged (on refresh page):
            if (isset($_SESSION['member_name']) && $_SESSION['member_name'] && $_SESSION['member_pass']) {
                if ($this->checkLogin($_SESSION['member_name'], $_SESSION['member_pass'])) {
                    $sRule = $this->aMembers[$_SESSION['member_name']]['rule'];
                    $sPermissions = '';
                    $sPermissions .= $this->isCanRead($sRule);
                    $sPermissions .= $this->isCanCreate($sRule);
                    $sPermissions .= $this->isCanEdit($sRule);
                    $sPermissions .= $this->isCanEditAny($sRule);
                    $sPermissions .= $this->isCanDelete($sRule);
                    $sPermissions .= $this->isCanDeleteAny($sRule);
                    ob_start(); // get template of Logout form
                    $sLogoutForm = ob_get_clean();
                    $sLogoutForm = str_replace('{name}', $_SESSION['member_name'], $sLogoutForm);
                    $sLogoutForm = str_replace('{bit_mask}', $sRule, $sLogoutForm);
                    $sLogoutForm = str_replace('{possibilities}', $sPermissions, $sLogoutForm);
                    return $sLogoutForm;
            // otherwise - draw login form
            $sLoginForm = ob_get_clean();
            return $sLoginForm;
    // check functions
    function isCanRead($sRule) {
        return ($sRule & CAN_READ) ? 'You can Read<br />' : '';
    function isCanCreate($sRule) {
        return ($sRule & CAN_CREATE) ? 'You can Create<br />' : '';
    function isCanEdit($sRule) {
        return ($sRule & CAN_EDIT_OWN) ? 'You can Edit<br />' : '';
    function isCanEditAny($sRule) {
        return ($sRule & CAN_EDIT_ANY) ? 'You can Edit anything<br />' : '';
    function isCanDelete($sRule) {
        return ($sRule & CAN_DELETE_OWN) ? 'You can Delete<br />' : '';
    function isCanDeleteAny($sRule) {
        return ($sRule & CAN_DELETE_ANY) ? 'You can Delete anything<br />' : '';
    // perform login
    function performLogin($sName, $sPass) {
        $sSalt = $this->aMembers[$sName]['salt'];
        $sPass = sha1(md5($sPass) . $sSalt);
        $_SESSION['member_name'] = $sName;
        $_SESSION['member_pass'] = $sPass;
    // perform logout
    function performLogout() {
    // check login
    function checkLogin($sName, $sPass, $isHash = true) {
        if (isset($this->aMembers[$sName])) {
            if (! $isHash) {
                $sSalt = $this->aMembers[$sName]['salt'];
                $sPass = sha1(md5($sPass) . $sSalt);
            return ($sPass == $this->aMembers[$sName]['hash']);
        return false;

First, we define the constants for access rights (bit mask). Further, when we enumerate users on the system – we grant them different sets of rights (using the logical operator | or). Keep in mind that I am not forcing you to keep users in the same array, in your case, your users can easily be in the database. And, in this case, you can grant them their right in the database itself. Further, I have added extra check functions, so that we can understand if user can perform a certain action.

In such functions we use logic operator & (and). Most of these checks uses single bit check. If you want to make multiple check, as example – lets create function to check if member can read and create. Then this function will looks like this:

    function isCanReadCreate($sRule) {
        return ($sRule & (CAN_READ | CAN_CREATE));

This function will return us True or False.

Live Demo
download in archive


I hope that it was interesting for you to remember how works bitwise and logical operands. If you have any good ideas you would like to share, be sure to write us as well. Good luck!



    • Hello Ivan,
      Please pay attention to array $this->aMembers in constructor of SimpleAccessSystem class. This is hash value (where that hash = sha1(md5(‘password value’) . ‘salt value’)

  1. Hello!
    How can I encode the password to this encrypted message, please tell me?
    Maybe there’s an online service which is to encode the password, online service probyval encode sha1 and md5 none failed.

    • Yes, sure,
      just try to type in google ‘encode md5 sha1 salt’
      The first link will follow to:
      I have checked it – pretty good service.
      After you fill-in all details and submit form, look for sha1(md5($pass).$salt) in table with results (quite at the bottom of table)

Leave a Reply