nvee Posted January 27, 2009

Hey Guys

I am fairly noob to PHP, but completely in love with the language, so I will definitely become a FULL TIME phpfreak.

A fellow from work and I are busy developing a "client panel" for our company's website. This panel allows our clients to add new services, request quotes, send support tickets, etc.

The panel has 4 different user levels, namely:

1. Client - (which does the obvious): The client has specific buttons he can click on and do relevant tasks.
2. Support - This is the lowest level in our "admin" group. Support can only access a certain number of links and pages.
3. Admin - Admin is the 2nd level, can do a little bit more than support.
4. Global Admin - has additional features and can do everything support and admin do.

We have already created the login script and it works. The best way we figured to divide "clients" and "admin levels" would be to make them 2 different pages. We have also differentiated the admin levels and the links they can click on by putting the navigation links in the database and running 3 different SQL statements depending on the level the user is on (we pass the user id through the URL, run an if/else statement which checks what user_type the user is, and output the navigation accordingly).

So far this works. But we have 2 loopholes:

1) Based on the fact that we pass the ID in the URL, someone can change the userid and then get access to all of the navigation buttons.
2) Less likely, but if someone knows the filename of a page they cannot access, they can merely type it in the URL bar and it should open, because although the links do not show, if they know the filename they can see the page.

Can anyone give us suggestions on how we can 1) get past the fact that someone can change their id which gets passed through the URL and 2) get a way to protect each file so that only users with the correct privileges can see the content?

My logic tells me that we must rather register the userid in the session, and do an if/else statement to check if the userid = the username in the session. I think that would solve the first issue, but maybe someone else has a better and more secure method of doing so.

Thanks in advance!
nVee

https://forums.phpfreaks.com/topic/142595-user-levels-security/
haku Posted January 27, 2009

You have the right idea for the first issue. Pass their info in a session variable, not the URL. But one thing to keep in mind: rather than having one session variable with four possible values, for example:

$_SESSION['status'] = 'client';
$_SESSION['status'] = 'support';
etc.

for security's sake, it's better to have four different sessions:

$_SESSION['client'] = TRUE;
$_SESSION['support'] = TRUE;

And to make it even more secure, assign other names that aren't 'client', 'support'.

For your second issue, just do a check to see if they have the right user level:

if (isset($_SESSION['support']) && $_SESSION['support']) {
    // do stuff that support can do
}
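The following is an added example written for this page, not code posted by nvee or haku. It puts both of nvee's loopholes side by side with one fix: the user's identity and level are read from the server-side session instead of the URL (issue 1), and every protected file starts with a gate that rejects the request before any content is produced, so knowing a filename no longer helps (issue 2). Instead of haku's four separate TRUE flags it uses a single role name with a rank order, so a higher level automatically passes every lower level's check. The table and column names (users.user_type, nav_links with label/url/min_role), the role strings, the file names and every function name here are assumptions for illustration; nothing of this is from the original thread.

```php
<?php
// auth.php - added example, not code from the original thread.
// ASSUMPTION: a users table with columns id, username, password_hash and
// user_type, where user_type is one of 'client', 'support', 'admin',
// 'global_admin'. Pages include this file and call require_role().

declare(strict_types=1);

// Before (the pattern the question describes): the id is taken from the URL,
// so a client can change ?userid=17 to ?userid=1 and is treated as that user.
//   $userId = $_GET['userid'];   // attacker-controlled, never trust it

// Rank the roles so a higher level implies every lower level's rights.
const ROLE_RANK = [
    'client'       => 0,
    'support'      => 1,
    'admin'        => 2,
    'global_admin' => 3,
];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Session cookie: not readable by JavaScript, not sent cross-site,
    // only sent over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Strict',
        'secure'   => true,
    ]);
    session_start();
}

// Called once, right after the password check in the login script succeeds.
// Identity and level live only in the server-side session; nothing the
// browser can edit is trusted afterwards.
function login_user(int $userId, string $userType): void
{
    start_secure_session();
    session_regenerate_id(true);          // drop any pre-login session id
    $_SESSION['user_id']   = $userId;
    $_SESSION['user_type'] = $userType;
}

function current_user_id(): ?int
{
    start_secure_session();
    return $_SESSION['user_id'] ?? null;
}

function has_role(string $have, string $need): bool
{
    if (!isset(ROLE_RANK[$have], ROLE_RANK[$need])) {
        return false;                     // unknown role names never grant access
    }
    return ROLE_RANK[$have] >= ROLE_RANK[$need];
}

// Gate for a protected file. Every admin-side page starts with
// require_role('support'), require_role('admin') or require_role('global_admin'),
// so typing the filename into the URL bar is no better than clicking a hidden link.
function require_role(string $minimumRole): void
{
    start_secure_session();
    $have = $_SESSION['user_type'] ?? null;
    if ($have === null || !has_role($have, $minimumRole)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Navigation is selected by the role stored in the session, never by an id
// from the URL. ASSUMPTION: a nav_links table with columns label, url, min_role.
function load_nav(PDO $db): array
{
    start_secure_session();
    $role = $_SESSION['user_type'] ?? 'client';
    $rows = $db->query('SELECT label, url, min_role FROM nav_links ORDER BY label')
               ->fetchAll(PDO::FETCH_ASSOC);
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => has_role($role, $row['min_role'])
    ));
}

// Usage at the very top of a protected page (assumed filename support_tickets.php):
//   require __DIR__ . '/auth.php';
//   require_role('support');       // nothing below this line runs for clients
```

The client panel is a separate set of pages in nvee's design; if those pages should refuse admin-level users too, compare `$_SESSION['user_type']` for equality with `'client'` there instead of calling `require_role('client')`, which the rank order would also grant to support, admin and global admin.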