  1. #1
    KeithMcL (Freelance Web Designer)

    Members & Admin area using sessions

    I'm setting up a members area on my site using php sessions. I also have an admin area which uses sessions too.

    What would be the best way to stop members that are logged in (that have session info set) from being able to access the admin area? I thought I had it set up OK, but after doing some testing I noticed that if I logged into the members area and then tried accessing the admin area, I was able to get access because the session info was already stored, albeit not with the right username and password.

    I'm still new to sessions, so go easy on me.

  2. #2
    Gaheris (PHP manual bot)

    Instead of just looking for an existing session on every login-required page, you should re-login with the session data. Doing that, you could fetch any data from your database that stores the rights of the user (or simply if he's an admin or not).

  3. #3
    KeithMcL (Freelance Web Designer)

    OK, so use the session data to query the db and if the login is incorrect display either an error or the login form again, right?

  4. #4
    Gaheris (PHP manual bot)

    Yes. Re-validating the data is of course optional since you have already logged in once, but I like doing this extra check for security. The important part is to get the permissions/rights for the logged-in member and check if he can access the page.

  5. #5
    KeithMcL (Freelance Web Designer)

    Thanks, I'll try that and see how I get on.

  6. #6
    SitePoint Zealot

    I usually just give each member a user level (1-3) value in the DB, 1 being a standard user and 3 being a site admin. When they log in, store their user level in the session, then keep checking against that.

    You can then display pages or additional navigation items based on their privileges... and, like Gaheris said, perform the odd check on the DB to make sure user levels haven't changed during the session.

    Simple but effective.
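
The approach discussed in this thread, as an added example that is not code from any of the posters: a per-page check that treats an existing session as insufficient and re-reads the user's level (1-3) from the database on every request. The `users` table, its column names, the `session_has_level()` function and the in-memory SQLite demo data are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const LEVEL_MEMBER = 1;   // standard user
const LEVEL_ADMIN  = 3;   // site admin

/**
 * Returns true only if the session identifies a user whose *current*
 * level in the database is at least $required.
 */
function session_has_level(PDO $db, array &$session, int $required): bool
{
    // A session merely existing proves nothing: it must identify a user.
    if (!isset($session['user_id'])) {
        return false;
    }
    // Re-read the level on each request so a demotion takes effect mid-session.
    $stmt = $db->prepare('SELECT user_level FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $level = $stmt->fetchColumn();
    if ($level === false) {            // account removed since login
        $session = [];
        return false;
    }
    // Refresh the cached copy that templates use for navigation items.
    $session['user_level'] = (int) $level;
    return $session['user_level'] >= $required;
}

// --- Constructed demo data: in-memory SQLite stands in for the site's DB ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, user_level INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'member_demo', 1), (2, 'admin_demo', 3)");

$memberSession = ['user_id' => 1];     // what a member login would store
$adminSession  = ['user_id' => 2];     // what an admin login would store

var_dump(session_has_level($db, $memberSession, LEVEL_MEMBER)); // members page
var_dump(session_has_level($db, $memberSession, LEVEL_ADMIN));  // admin page
var_dump(session_has_level($db, $adminSession, LEVEL_ADMIN));   // admin page

// The admin is demoted while still logged in; the next request is refused.
$db->exec('UPDATE users SET user_level = 1 WHERE id = 2');
var_dump(session_has_level($db, $adminSession, LEVEL_ADMIN));
```

On a real page the second argument would be `$_SESSION` after `session_start()`, and a `false` result would end the request with the login form or an error before any admin content is produced.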

