Session Management for Page Access Privileges

#1

Hi All,

I have developed a small site which has a login and registration system.
Some general information about the site:
Some pages are visible only to registered members.
Some pages with access control are limited to users with high privileges.

The issue I am having is with one of my pages that has privileged access. The normal privilege check works as expected, but I need to add another check to this specific page based on the status of another table. The status of the second table can be either 0, 1, 2… 9.

As a user with access rights of 2+ you are able to view the page. However, I need this to then also check another status table. If your status in the other status table is 0, you must be able to view the page, however if your status is 1, you need to get a message to say that you have already submitted your information and no longer have access to this page. I hope my explanation is not too confusing.

Here is what I currently have:

<?php
/* Displays user information and some useful messages */
ini_set('display_errors',1); error_reporting(E_ALL | E_STRICT);

session_start();

/* FIRST CRITERIA CHECK - CHECK IF THE USER IS LOGGED IN OR NOT */
if ($_SESSION['logged_in'] != 1 ) {
  $_SESSION['message'] = "Please Login / Register to view the Bulk Lug Content!";
  header("location: error.php");    
}

/* SECOND CRITERIA CHECK - IF FIRST SESSION CHECK IS VALID, DO A SECOND CHECK TO ENSURE THE ACCOUNT HAS BEEN ACTIVATED, AND ONLY ALLOW ACCESS TO ACTIVATED ACCOUNTS */
else
if ($_SESSION['active'] < 1 ) {
  $_SESSION['message'] = "Your account has not yet been activated!";
  header("location: error.php"); 
}
/* THIRD CRITERIA CHECK - CHECK THE USER PRIVILEGE / ACCESS LEVEL, AND ONLY ALLOW ACCESS TO USERS WITH AN ACCESS LEVEL OF 2+  */
else
if ( $_SESSION['active'] < 2 ) {
  $_SESSION['message'] = "You do not have sufficient privileges to view this page!";
  header("location: error.php");   
}

/* FOURTH CRITERIA CHECK - NEED TO VALIDATE THAT USER HAS NOT ALREADY COMPLETED THE SURVEY, IF THEY HAVE COMPLETED THE SURVEY, ACCESS MUST BE DENIED. THIS IS DETERMINED BY THE SURVEY STATUS TABLE AND WILL NOT FORM PART OF THE SESSION INFO.  */

/* FIFTH CRITERIA CHECK - IF ALL ACCESS CRITERIA HAVE BEEN MET, ALLOW THE USER TO VIEW THE PAGE.  */
else {
    // Makes it easier to read
    $fname = $_SESSION['fname'];
    $lname = $_SESSION['lname'];
    $email = $_SESSION['email'];
    $active = $_SESSION['active'];
    $rand = rand(00001, 5000);    
}
?>

I need help adding the fourth criteria, as my attempts have failed. This is basically what I have tried in the fourth criteria, but when I add it, the page fails to load and I just get a white screen:

$result = $conn->query("SELECT * FROM survey_status WHERE email='$email' AND status = 1 ");

else
if ( $result->num_rows > 0 ){ // CHECKING THAT THE USER HAS NOT YET COMPLETED THE SURVEY
    $_SESSION['message'] = "We are sorry, but you have already completed this survey and you no longer have access to this page!";
   header("location: error.php");

Thanking you for your assistance in advance.


#2

I don’t see anywhere in your PHP code where you connect to the database - was that missed out for clarity? Without that, your query won’t work, of course.

Also, if you are inserting that code as your fourth check where the comment is, you haven’t assigned a value to $email at that point, it gets created later in the code.


#3

A couple of things. NEVER EVER put variables in your query.

  1. Use Prepared Statements.
  2. You need to kill the script after header redirects or the script will keep running.
  3. If you code properly you do not have to put error messages in a SESSION
// Makes it easier to read

No, no, and no. Do not create variables for nothing.


#4

Thanks for your reply, I start the session at the top of the page using session_start(); this should have stored the email address from the login in the session? Or am I incorrect?

I have my database connection file externally and I reference it at the top of the page… I didn’t include these two bits of code because I didn’t think they were required.


#5

I have to admit that I am not professional at writing PHP scripts as it’s something I do more as a hobby and when I get time, hence I’m not entirely comfortable using / creating prepared statements.

Perhaps you could clarify your comment on the killing of the script after the header redirects? Do I close the session after each head? Or what exactly do you mean?

Is the point of the session message not to tell the user that they have done something wrong? Or am I using this incorrectly?

Do not create variables? Are variables not better for echoing results in the page itself etc?

Thanks.


#6

Thanks for the comments, I have managed to solve my issue. For some reason, the page wasn’t liking the placement of my query. On moving my query to the top of the page, just above my first check the page functioned as expected.


#7

That will allow access to the $_SESSION array, it will not automatically populate discrete variables such as $email and the like.

That’s fine, but it’s difficult to tell whether you’ve missed them out of the post just here, or they’re missing in your actual code.

What @benanamen means is that while the header() function outputs the header, it does not stop the code running. So in your sample code, when it checks each criteria and does a header redirect, it will carry on running the code. It probably won’t make any difference in your case as everything else is surrounded by else clauses, but you should immediately follow the header redirect with an exit() statement.

What should it do? If your code gets past all the various checks, it sets some session variables and then appears to do nothing at all. Or is that code that you’ve missed out because it’s not relevant?

It’s really not that difficult once you get into the swing of it, and it’s definitely worth getting used to.

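A version of the page with the points raised in this thread applied (an added illustration, not code from any poster): the survey_status query uses a prepared statement, each header() redirect is followed by exit, and $email is read from the session before the fourth check runs. It assumes $conn is a mysqli connection opened by the poster's external connection file (named db_connect.php here as a placeholder) and that survey_status has email and status columns, as in the original query.

```php
<?php
// Added example, not a poster's code. Assumes $conn is a mysqli connection
// opened by the external include (name db_connect.php assumed) and that
// survey_status has `email` and `status` columns as in the original query.
require_once 'db_connect.php';
session_start();

// header() alone does not stop the script, so exit immediately after it.
function deny(string $message): void
{
    $_SESSION['message'] = $message;
    header('Location: error.php');
    exit;
}

// 1. Must be logged in.
if (($_SESSION['logged_in'] ?? 0) != 1) {
    deny('Please Login / Register to view the Bulk Lug Content!');
}
$active = (int) ($_SESSION['active'] ?? 0);
$email  = (string) ($_SESSION['email'] ?? '');   // read before the query needs it

// 2. Account activated; 3. privilege level 2+ (same field, as in the thread).
if ($active < 1) {
    deny('Your account has not yet been activated!');
}
if ($active < 2) {
    deny('You do not have sufficient privileges to view this page!');
}

// 4. Survey not yet completed. Prepared statement: the e-mail is bound as a
//    parameter, never concatenated into the SQL string.
$stmt = $conn->prepare('SELECT 1 FROM survey_status WHERE email = ? AND status = 1 LIMIT 1');
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
$alreadyDone = $stmt->num_rows > 0;
$stmt->close();
if ($alreadyDone) {
    deny('We are sorry, but you have already completed this survey and you no longer have access to this page!');
}

// 5. All checks passed: the survey page is rendered below this point.
```

Because every failed check ends in exit, the page body after the checks cannot be reached by a user who was redirected, so the nested else blocks from the original are no longer needed.
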

#8

Thanks for your detailed explanations, it really makes more sense now. I hate when you ask a question in other forums people give you sarcastic answers instead of just assisting.

Eventually I managed to get this working, but I think I would not have been able to if it wasn’t for the way you had asked your questions.

I did forget: on starting the session, I moved all the variables from criteria 5 to just after session_start() (email, fname, & lname); the other variables I left at criteria 5 because this is where they need to be checked.

I think just for safety purposes I will add in exit(); after each header redirect.

And, lastly yes I left out the irrelevant code. If all checks are passed, the survey page with the questions loads, all of which is now working.

I just think that I don’t code enough to actually remember what I have learnt, especially as my work doesn’t involve coding, but these past two weeks I have had a lot more free time and a friend asked me to work on this project for them, and in doing so I have learnt a lot.

Thanks again for the help, I really do appreciate it.