In my site I am using accessControl for authentication and it is working fine. Now I want to password-protect an action from the logged-in users. An option is to create a page for entering the password and, on submission, store it in the session. If the user tries to view the action, then check the session, and if it is not set, redirect the user to the page for entering the password. How can I achieve this? Is it possible using accessControl, as it is already used for login authentication?
First of all, it is not recommended to save a password in a session or cookie (this is really bad). If you save a password in a session, then it is still available to a hacker if you are running your website on shared hosting, for example. If you are saving your password in a cookie then you have a problem, because if I take your cookie, I can see your password (even if you encrypt your password, it is not good to save it in a cookie).
So, your password should be encrypted and saved in the DB.
Let us now go back to the story. If your action should be available only to the logged-in user, then you can use the @ sign in your accessControl function, or you can make a custom function which will check whether or not your user is authorised to execute an action.
The password I store in the session is for a second level of authentication. The first-level authentication is from the database. After logging in, if the user wants to access this action he has to enter this new password.
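One way to implement the second-level check discussed in this thread without putting the password itself in the session, as an added example that is not part of the original posts. It is plain PHP, independent of the framework's accessControl filter; the function names, session keys, sample values and the five-minute lifetime are assumptions.

```php
<?php
// Added example: second-level check for one protected action.
// The session keeps only a "verified at" timestamp, never the password.

const STEP_UP_TTL = 300; // seconds the second-level check stays valid (assumed value)

/**
 * Compare the submitted second-level password with the hash stored in the DB.
 * On success, record the time of verification in the session.
 */
function confirmSecondLevel(array &$session, string $submitted, string $storedHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        unset($session['step_up_at']); // a failed attempt clears any earlier approval
        return false;
    }
    // With a real PHP session, also call session_regenerate_id(true) here.
    $session['step_up_at'] = time();
    return true;
}

/** True when the user is logged in and passed the second-level check recently. */
function mayRunProtectedAction(array $session): bool
{
    if (empty($session['user_id'])) {
        return false; // first level (the normal login) has not happened
    }
    $verifiedAt = $session['step_up_at'] ?? 0;
    return $verifiedAt > 0 && (time() - $verifiedAt) <= STEP_UP_TTL;
}

// Constructed sample data: in an application the hash comes from the user's DB row
// and $session is $_SESSION after the normal login.
$storedHash = password_hash('constructed-sample-secret', PASSWORD_DEFAULT);
$session = ['user_id' => 42];

var_dump(mayRunProtectedAction($session));                                     // before the password page
var_dump(confirmSecondLevel($session, 'wrong guess', $storedHash));            // failed attempt
var_dump(confirmSecondLevel($session, 'constructed-sample-secret', $storedHash));
var_dump(mayRunProtectedAction($session));                                     // after verification
var_dump(array_keys($session));                                                // no password stored
```

The protected action (or a custom filter in front of it) would call `mayRunProtectedAction()` and redirect to the password page when it returns false. The DB column holds the output of `password_hash()`, so neither the session nor the database contains the password in recoverable form.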