I'm setting up a members area on my site using php sessions. I also have an admin area which uses sessions too.
What would be the best way to stop members that are logged in (that have session info set) from being able to access the admin area? I thought I had it set up ok, but after doing some testing I noticed that if I logged into the members area and then tried accessing the admin area, I was able to get access because the session info was already stored, albeit not with the right username and password.
Instead of just looking for an existing session on every login-required page, you should re-login with the session data. Doing that, you could fetch any data from your database that stores the rights of the user (or simply whether he's an admin or not).
Yes. Re-validating the data is of course optional since you have already logged in once, but I like doing this extra check for security. The important part is to get the permissions/rights for the logged-in member and check if he can access the page.
I usually just give each member a user level (1-3) value in the DB
1 being a standard user and 3 being a site admin. When they login, store their user level in the session, then keep checking against that.
You can then display pages or additional navigation items based on their privileges... and like Gaheris said, perform the odd check on the DB to make sure user levels haven't changed during the session.
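Putting the thread's advice together (user level stored in the session at login, then re-checked against the DB on privileged pages), as an added example that is not from any poster. It assumes a PDO connection `$pdo`, a `users` table with columns `id`, `username`, `password_hash` and `user_level`, and that `session_start()` has already been called.

```php
<?php
// Added example, not code from the thread. Assumes $pdo (PDO), a `users`
// table (id, username, password_hash, user_level) and session_start() done.

const LEVEL_MEMBER = 1; // standard user
const LEVEL_ADMIN  = 3; // site admin

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, user_level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Discard whatever session state existed before (e.g. a member login)
    // and issue a fresh session id, so the new login inherits nothing.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['user_level'] = (int) $user['user_level'];
    return true;
}

// Re-read the level from the DB on each call so that a change made during
// the session (demotion, deleted account) takes effect immediately.
function current_level(PDO $pdo): int
{
    if (empty($_SESSION['user_id'])) {
        return 0; // not logged in at all
    }
    $stmt = $pdo->prepare('SELECT user_level FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        session_destroy(); // user no longer exists; drop the stale session
        return 0;
    }
    $_SESSION['user_level'] = (int) $level;
    return (int) $level;
}

// Call at the top of every protected page: require_level($pdo, LEVEL_ADMIN)
// in the admin area, require_level($pdo, LEVEL_MEMBER) in the members area.
// A member who only has level 1 in the DB gets a 403 on admin pages even
// though a session already exists.
function require_level(PDO $pdo, int $min): void
{
    if (current_level($pdo) < $min) {
        http_response_code(403);
        exit('Access denied');
    }
}
```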