I’m working on a login system that currently redirects the user based on the user_level column in the DB. On the login page, I have set the session variables as follows:
// Store data in session variables
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["email"] = $email;
$_SESSION["user_level"] = $userlevel;
if ($_SESSION["user_level"] == 50) {
    header("location: admin/admin.php");
    exit;
}
else {
    header("location: dealer.php");
    exit;
}
The redirection based on user level works fine. The issue I have is that, once the user is logged in, the session is not restricting access to the admin page if the user were to try and guess the correct URL. Currently I have:
// Initialize the session
session_start();
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){
        header("location: admin/admin.php");
        exit;
    }
    else {
        header("location: dealer.php");
        exit;}
    else {
        header("location: login.php");
        exit;}
}
In the second script, please add these lines at the beginning, and an error will be shown:
<?php declare(strict_types=1);
error_reporting(-1);
ini_set('display_errors', '1');
// Initialize the session
session_start();
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){
        header("location: admin/admin.php");
        exit;
    }
    else {
        header("location: dealer.php");
        exit;}
    else {
        header("location: login.php");
        exit;}
Amendment:
// INCORRECT - with a period
ini_set('display_errors'. '1');
// CORRECT - with a comma
ini_set('display_errors', '1');
Thanks, but the only error I got was that ini_set expects 2 parameters but only 1 was given? If you’re referring to my if/else statements, I corrected these late last night lol.
<?php
// Initialize the session
session_start();
// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    if ($_SESSION["user_level"]==50){
        header("location: admin/admin.php");
        exit;
    }
    else if ($_SESSION["user_level"]==1){
        header("location: dealer.php");
        exit;
    }
    else {
        header("location: login.php");
        exit;
    }
}
?>
Unfortunately this isn’t restricting access to the admin pages. Please can you let me know where I’m going wrong?
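The script posted above only inspects user_level when the visitor is not logged in, and does nothing at all for a visitor who is, so any authenticated account that types the admin URL gets through. Below is an added example of the gate a protected page needs; it is not the original poster's code or any reply in the thread. It assumes a file auth.php in the web root, login.php beside it, admin pages under /admin/, and that the login page stores user_level in the session as an integer (all assumptions, as are the LEVEL_* values taken from the thread's 1 and 50).

```php
<?php
// auth.php (added example): included by every protected page before any output.
declare(strict_types=1);

const LEVEL_DEALER = 1;
const LEVEL_ADMIN  = 50;

// Start the session once. A second session_start() only raises the
// "A session had already been started" notice quoted later in the thread.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Anyone without an authenticated session is sent to the login page. Because the
// protected page itself runs this check, guessing its URL does not bypass it.
function require_login(): void
{
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        header('Location: /login.php');   // assumed location of login.php
        exit;
    }
}

// Deny by default: the page lists the levels it accepts, and a logged-in session
// whose user_level is missing, not an integer, or not on that list gets a 403.
// Answering in place avoids a redirect loop if a landing page is misconfigured.
function require_level(int ...$allowed): void
{
    require_login();
    $level = $_SESSION['user_level'] ?? null;
    // Strict comparison: a string such as "50abc" satisfies `== 50` on PHP 7
    // (leading-numeric comparison), but never passes in_array(..., true).
    if (!is_int($level) || !in_array($level, $allowed, true)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Forbidden';
        exit;
    }
}

// Usage (assumed file layout):
//
// --- admin/admin.php, first lines ---
// require_once __DIR__ . '/../auth.php';
// require_level(LEVEL_ADMIN);
//
// --- dealer.php, first lines (admins may open it too) ---
// require_once __DIR__ . '/auth.php';
// require_level(LEVEL_DEALER, LEVEL_ADMIN);
```

The redirect-by-level logic belongs on the login page only; a protected page does one thing, which is to refuse every request that does not carry a session with the right level. Each admin page must include the gate, since a page that forgets it is exactly the guessable URL the question is about.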
Hey John, I appreciate the feedback, thank you. The only error I got was:
session_start(): A session had already been started - ignoring in /#/login.php on line 66
Unfortunately, it seems to be sending me to dealer.php regardless of user level. Could this be something to do with how I’ve set it in the login page?
if(password_verify($password, $hashed_password)){
    // Password is correct, so start a new session
    session_start();
    // Store data in session variables
    $_SESSION["loggedin"] = true;
    $_SESSION["id"] = $id;
    $_SESSION["email"] = $email;
    $_SESSION["user_level"] = $userlevel;
    if ($_SESSION["user_level"] != 50){
        header("location: dealer.php");
        exit;
    }
    else if ($_SESSION["user_level"] == 50){
        header("location: admin/admin.php");
        exit;
    }
} else{
    // Display an error message if password is not valid
    $password_err = "The password you entered was not valid.";
}
}
} else{
    // Display an error message if username doesn't exist
    $email_err = "No account found with that email or account awaiting approval.";
}
} else{
    echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
$stmt->close();
Is there any reason? I believe this session issue is now cured. The only issue I have remaining is that a user can still access the admin pages if they were to guess the correct URL.
Are there any further measures to restrict access? Should I have admin in another table?
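The login side is the other half of the picture: it should start the session once at the top of the page, replace the session id on successful login, store user_level as an integer so the protected pages can compare it strictly, and refuse an account whose level it does not recognise instead of dropping it onto dealer.php. The following is an added example of that branch, not the original poster's login.php. It assumes the page has already looked up the account row for the submitted e-mail address (the $account array with id, email and user_level keys, and $hashed_password, are assumed names), and the landing-page paths are assumptions based on the thread.

```php
<?php
// login.php, successful-login branch (added example).
declare(strict_types=1);

// Start the session exactly once, at the top of login.php, never inside the
// password check; the second session_start() in the posted code is what
// produced the "A session had already been started" notice.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Landing page per user level (paths assumed). A level that is not listed is
// not an account type the application knows, so it is refused.
const LANDING_PAGES = [
    1  => '/dealer.php',
    50 => '/admin/admin.php',
];

// Establish the authenticated session and return the page to redirect to, or
// null for an unknown level, in which case nothing is written to the session.
function establish_session(int $id, string $email, int $userlevel): ?string
{
    if (!array_key_exists($userlevel, LANDING_PAGES)) {
        return null;
    }
    // New session id on the change from anonymous to authenticated, so an id
    // planted in the browser before login (session fixation) never becomes
    // an authenticated one. true discards the old session data as well.
    session_regenerate_id(true);
    $_SESSION['loggedin']   = true;
    $_SESSION['id']         = $id;
    $_SESSION['email']      = $email;
    // Kept as int: MySQL drivers frequently hand INT columns back as strings,
    // and the protected pages compare user_level strictly.
    $_SESSION['user_level'] = $userlevel;
    return LANDING_PAGES[$userlevel];
}

// Called from the branch that has already found the account row. Returns an
// error message to display; on success it redirects and does not return.
function complete_login(string $password, string $hashed_password, array $account): string
{
    if (!password_verify($password, $hashed_password)) {
        return 'The password you entered was not valid.';
    }
    $target = establish_session(
        (int) $account['id'],
        (string) $account['email'],
        (int) $account['user_level']
    );
    if ($target === null) {
        return 'This account has no valid user level.';
    }
    header('Location: ' . $target);
    exit;
}

// Example call site (assumed variable names):
// $password_err = complete_login($password, $hashed_password, $account);
```

On the closing question: a user_level column on the users table is a perfectly workable place to keep the role; moving admins to another table changes where the level is read from at login, not the check. What restricts the admin pages is that every one of them verifies the session server-side on every request, as in the gate example earlier in the thread, and that the level it verifies was written by the login page rather than by anything the client controls.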