Using session variables to determine site admin access - secure or not?

Hi All,

Firstly I’d like to point out that while I’m creating a live site for a local club I am a college student and this semester is my first introduction to php so please don’t get extremely technical in any replies :slight_smile:

My site is set up to authenticate users by accepting the username and password, running an md5 hash on the password and comparing it to the stored username and md5 hashed password in my MySQL database. If a user is authenticated successfully I take all the information in the “Users” table relating to the user and store it within a session variable for ease of access later. I’m sure this is all pretty standard stuff so far.

Within the users table I have a field called “Admin” which is default of “NO” when a new user is created. What I am doing with my administration page is running my normal authentication checks and then checking to see if the session variable “Admin” is set to “YES”. If so the admin is logged in, if not the user is redirected to the homepage. This should work since a user who is not logged in will not get as far as the admin check, in my beginners opinion anyway.

I’m wondering if anybody has used this method of authentication before and if it’s actually secure or can someone with a bit of experience gain access to and change the session variables or otherwise work around this method?

Many thanks in advance,


In case my explanation wasn’t up to scratch here’s the admin authentication script which is include_once on the admin restricted pages. I can also post the basic authentication script if this would possible affect the security of the site. The user information is stored by using mysql_fetch_assoc and storing the result in $_SESSION[‘user]’

$admin = FALSE;
 if($_SESSION['user']['Administrator'] =='YES')
   $admin = TRUE;

  header('Location: index.php');

Sessions are pretty secure. Unlike cookies they can’t be modified from the browser. That code should be fine.

However what I’d recommend is for you just store the logged in ID in the session and reclarify all of the information on every load. That way if a user is playing foul, and is downgraded/blocked by another administrator, they would no longer be a member on the next page load.

Thanks Jake,

I think what you’re suggesting is to maybe re-check the important fields like is a member active or inactive on every load? As it is the $_SESSION[‘user’] is very handy for things like displaying the user’s name or throwing up membership expiration warnings.

Would trimming the query to include only these types of information and recheck if user is banned on every load achieve the same result as your suggestion for trimming to the logged in ID or were you suggesting a smarter way to achieve the same result?

What Jake says is, not to create an array, containing user’s all the information and storing it into the session ($_SESSION[‘user’]). Instead just store the userid (the unique identifier of users i.e. the Primary key of user table) in session
$_SESSION[‘user’] = $current_users_userid;

And on each and every page make a Retrieve call on DB to fetch all other information (like name, email, whether Admin YES or NO) from the row where user_table.userid = $_SESSION[‘user’];
This makes you application more secure. The only drawback is it will increase your DB server activity, page load time etc.