PHP Session Redirect Based On User Level

Hi All

New day new issue :joy:.

I’m working on a login system that currently redirects the user based on the user_level column in the db. On the login page, I have set the session variables as follows:-

// Store data in session variables
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["email"] = $email;
$_SESSION["user_level"] = $userlevel;

if ($_SESSION["user_level"]==50){
    header("location: admin/admin.php");
    exit;
}
else {
    header("location: dealer.php");
    exit;
}

The redirection based on user level works fine. The issue I have is, once the user is logged in, the session is not restricting access to the admin page if the user were to try and guess the correct URL. Currently I have:-

// Initialize the session
session_start();
 
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){ 
        header("location: admin/admin.php");
        exit;
}
else {
    header("location: dealer.php");
    exit;}
else {
    header("location: login.php");
    exit;}
}

Any advice would be much appreciated.

In admin.php, check if the user has session level 50 (I suppose this is the admin level); if not, redirect to another page.

In the second script please add these lines at the beginning and an error will be shown:

<?php DECLARE(STRICT_TYPES=1);
error_reporting(-1);
ini_set('display_errors',  '1');

// Initialize the session
session_start();
 
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){ 
        header("location: admin/admin.php");
        exit;
}
else {
    header("location: dealer.php");
    exit;}
else {
    header("location: login.php");
    exit;}

Amendment:

// INCORRECT - with a period
ini_set('display_errors'.  '1');

// CORRECT - with a comma
ini_set('display_errors',  '1');

Hi John

Thanks, but the only error I got was that ini_set expects 2 parameters but only 1 was given. If you’re referring to my if/else statements, I corrected these late last night lol.

<?php
// Initialize the session
session_start();
 
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){ 
        header("location: admin/admin.php");
        exit;
}
else if ($_SESSION["user_level"]==1){
    header("location: dealer.php");
    exit;}
else {
    header("location: login.php");
    exit;}
}
?>

Unfortunately this isn’t restricting access to the admin pages. Please can you let me know where I’m going wrong.

Please see the amendment to my post #3 - there was a period instead of a comma.

//

The error I encountered in your post #1 was that there were two consecutive else statements, one after the other. Your latest script now has an added IF.

//

Please amend your script with the incorrect period and try again.

//

I prefer testing for positives and else do negatives:

<?php DECLARE(STRICT_TYPES=1);
error_reporting(-1);
ini_set('display_errors', '1');

session_start();

// CHECK IS USER LOGGED IN
if( isset($_SESSION['loggedin']) && $_SESSION['loggedin'] )
{
  if (50===$_SESSION['user_level'])
  {
    $hdr = 'admin/admin.php';
  }
  else
  {
    // logged in BUT not ADMIN
    $hdr = 'dealer.php';
  } // endif;

}else{  // NOT LOGGED IN - redirect to login page
  $hdr = 'login.php';
}// endif;

// DEBUG - TEST
if(TRUE)
{
  echo $hdr;
  exit;
} // endif;

header('location: ' .$hdr);
// exit; not required

Hey John, i appreciate the feedback, thank you. The only error i got was:-
session_start(): A session had already been started - ignoring in /#/login.php on line 66

Unfortunately, it seems to be sending me to dealer.php regardless of user level. Could this be something to do with how I’ve set it in the login page?

                if(password_verify($password, $hashed_password)){
                    // Password is correct, so start a new session
                    session_start();

                    // Store data in session variables
                    $_SESSION["loggedin"] = true;
                    $_SESSION["id"] = $id;
                    $_SESSION["email"] = $email;
                    $_SESSION["user_level"] = $userlevel;

                    if ($_SESSION["user_level"]!= 50){
                        header("location: dealer.php");
                        exit;
                    }
                    else if ($_SESSION["user_level"] == 50){
                        header("location: admin/admin.php");
                        exit;
                    }

                } else{
                    // Display an error message if password is not valid
                    $password_err = "The password you entered was not valid.";
                }
            }
        } else{
            // Display an error message if username doesn't exist
            $email_err = "No account found with that email or account awaiting approval.";
        }
    } else{
        echo "Oops! Something went wrong. Please try again later.";
    }
}

// Close statement
$stmt->close();

It is essential that the first error is cleared and once OK then the other errors will also clear:

ONLY one session_start() is ALLOWED per session

// only start a session when none is active yet
if( session_status() === PHP_SESSION_NONE ) {
  session_start();
}

Edit:

Unfortunately, it seems to be sending me to dealer.php regardless of user level. Could this be something to do with how i’ve set it in the login page?

Because of the previous "session already declared" error, the session will not be tested and the default will apply.

Thanks John.

Do I not need session_start() at the start of each page also? Or do I just include the $_SESSION variables?

Once a session has been declared then it applies to the current page and all included pages.

There, fixed that for you :slightly_smiling_face:


Thanks John.

Is there any reason? I believe this session issue is now cured. The only issue I have remaining is that a user can still access the admin pages if they were to guess the correct URL.

Are there any further measures to restrict access? Should I have admin on another table?

Try pasting 'https://YOUR-SITE.com/admin/admin.php' into your browser and see what happens.

You may have access due to the session variables set. If they are then clear the session using the following:

<?php
session_start();     // a session must be active before it can be destroyed
session_destroy();
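To stop a guessed URL from working, the check has to run as the first statement of every protected page and fail closed: a logged-in dealer who lands on admin.php gets redirected, not just an anonymous visitor. The following is an added example written for this thread, not code from any poster; auth.php, ensureSession(), establishSession(), requireLogin() and requireAdmin() are hypothetical names, and the redirect paths assume login.php and dealer.php sit at the site root.

```php
<?php
// auth.php: hypothetical shared helper for login.php and the protected pages
declare(strict_types=1);

const ADMIN_LEVEL = 50;   // the admin user_level value used in this thread

// Start the session exactly once per request; a second session_start()
// produces the "session had already been started" notice quoted above.
function ensureSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Called from login.php only after password_verify() succeeds.
// Returns the path to redirect to, so the caller does header() + exit.
function establishSession(int $id, string $email, int $userLevel): string
{
    ensureSession();
    session_regenerate_id(true);            // fresh id once privileges change
    $_SESSION['loggedin']   = true;
    $_SESSION['id']         = $id;
    $_SESSION['email']      = $email;
    $_SESSION['user_level'] = $userLevel;   // stored as int so === is safe later
    return $userLevel === ADMIN_LEVEL ? 'admin/admin.php' : 'dealer.php';
}

// First statement of dealer.php: anyone not logged in goes to login.php.
function requireLogin(): void
{
    ensureSession();
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        header('Location: /login.php');   // assumes login.php at the site root
        exit;
    }
}

// First statement of admin/admin.php: logged-in non-admins are sent away too,
// so guessing the URL gets a redirect, not the page. The (int) cast covers a
// user_level that was stored as a string by an older login script.
function requireAdmin(): void
{
    requireLogin();
    if ((int) ($_SESSION['user_level'] ?? 0) !== ADMIN_LEVEL) {
        header('Location: /dealer.php');
        exit;
    }
}
```

In admin/admin.php the first two lines would be `require_once __DIR__ . '/../auth.php'; requireAdmin();`, before any HTML is echoed, because header() after output has started only raises a warning and the protected page still renders.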
