Hey all,

 

I'm having a bit of a hard time trying to understand this. I have made a successful registration and login page. I have added to the users table the "userLevel" column where 0 will be normal users and 1 will be the admin. If you login with correct details it does this:

 

$_SESSION['uid'] = $row['user_id'];

session_start();

 

Would you kindly tell me what this does and how I can set it so that admin users can see the admin pages.

 

Thank you.


Would you kindly tell me what this does

Setting a session variable before the session_start() statement would do nothing.

 

I can set it so that admin users can see the admin pages

Assuming you won't ever need to prevent an admin from accessing anything, you would need to use a session variable to hold the "userLevel" from the database and then check in the code at the top of the 'protected' pages if the current visitor is both logged in and has a high enough userlevel to access that page. You could also check the userlevel when you are generating the navigation menus on your pages so that you only display admin level links to admins.

Hi PFMaBiSmAd, thank you for the reply.

 

Do you know how I can set the session variable to hold the userLevel? My login page looks like this:

 

 

<?php
session_start();
mysql_connect("localhost","root","password") or die(mysql_error());
mysql_select_db("testdata") or die(mysql_error());

if(!empty($_SESSION['uid']))  {
if(isset($_GET['act']) && $_GET['act'] == "logout")  {

session_destroy();

header("Location: login.php");
exit; // stop here so nothing below runs after the redirect
}

echo "You are already logged in! <br><br><a href='index.php?act=logout'>logout</a>\n";

} else {

?>

<form method="POST" action="login.php">
<table border="0" style="font-size:15px; font-family: Tahoma; border: 1px solid black;">
	<tr>
		<td>
			email:
		</td>
		<td>
			<input type="text" name="email" value="<?php echo htmlspecialchars(isset($_POST['email']) ? $_POST['email'] : '', ENT_QUOTES); ?>">
		</td>
	</tr>
	<tr>
		<td>
			Password:
		</td>
		<td>
			<input type="password" name="password" value="<?php echo htmlspecialchars(isset($_POST['password']) ? $_POST['password'] : '', ENT_QUOTES); ?>">
		</td>
	</tr>
	<tr>
		<td colspan="2" align="center">
			<input type="submit" name="submit" value="Login">
		</td>
	</tr>
</table>
</form>
<?php

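if(isset($_POST['submit']))  {

	$curnum = 0;

	// read the submitted fields without raising undefined-index notices
	$email = isset($_POST['email']) ? $_POST['email'] : '';
	$password = isset($_POST['password']) ? $_POST['password'] : '';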

	if(!$email)  {
		$curnum ++;
		echo $curnum . ". enter a email!<br>\n";

	}
	if(!$password)  {
		$curnum ++;
		echo $curnum . ". You need to enter a password!<br>\n";

	}

	// escape the submitted value before it goes into the query string
	$sql = "SELECT * FROM users WHERE email='".mysql_real_escape_string($email)."'";
	$res = mysql_query($sql) or die(mysql_error());
	$row = mysql_fetch_assoc($res);

	if($email)  {
		if($password)  {	
			if(mysql_num_rows($res) == 0)  {
				$curnum ++;
				echo $curnum . ". The email '<b>".htmlspecialchars($email, ENT_QUOTES)."</b>' does not exist!<br>\n";
			}

			if(mysql_num_rows($res) == 1) {

				//the email does exist
				if($password != $row['password'])  {
					$curnum ++;
					echo $curnum .". Wrong password!<br>\n";
				}

				if($curnum == 0)  {
					$_SESSION['uid'] = $row['user_id'];

					session_start();

					echo "You have successfully logged in as '<b>".htmlspecialchars($email, ENT_QUOTES)."</b>'<br>\n";
				}
			}

		}	
	}		




}
}


?>


 

The userLevel column is in the table users with 0 being a normal user and 1 being the admin. I appreciate any help given.

 

Thank you  :)

 

Hi everyone. I read up on sessions but I'm still unsure what I have to do. With my example from my previous post, am I correct in thinking that when the user logs in with the correct data it makes a session (it's the last if statement near the bottom)? Does anyone know what data is stored in this session? Is it the whole user record that includes the user_level?

 

I wrote this but I'm not sure if it's correct.

 

$sql2 = "SELECT * FROM users WHERE user_level='".$user_level."'";
$res2 = mysql_query($sql2) or die(mysql_error());
$row2 = mysql_fetch_assoc($res2);


$_SESSION['uid'] = $row2['user_level'];

 

Look forward to your replies  8)

Are you trying to get a particular user's user_level? What you'd do: upon login, it'll register the session user's username, search for user_level by their username and then set the result as a session. For example..

 

<?php // If login correct, log the person in
// Register username session
$_SESSION['username'] = $_POST['username'];

//Set $user as the sessions username
$user = $_SESSION['username'];
// Grab user_level by the users username
$sql2 = mysql_query("SELECT user_level FROM users WHERE username = '" . mysql_real_escape_string($user) . "'") or trigger_error('query failed: ' . mysql_error());
$row2 = mysql_fetch_array($sql2);
// Set the user_level session based on the result from the query.
$_SESSION['uid'] = $row2['user_level'];
?>

 

Is this what you're after?

Hi TeddyKiller. Thank you for the reply.

 

I think this is what I need. I just want to be able to store the user's user level in the session so anyone with user level 1 can access the admin page. I'm not too sure where to put your code but I'll give it a go.

 

Many thanks

You'd most likely add that when they are logging in. So, if it's a successful login, you would set all your $_SESSION variables there.

 

Also, when you logout and destroy the session, the $_SESSION scope shouldn't contain anything. As a fail safe, I generally would do $_SESSION['myvar'] = "";

 

That's probably not needed anymore, but I have no doubt the session scope is empty, or at least contains empty strings.
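
The approach discussed in this thread (store userLevel in the session at login, check it at the top of each protected page, empty the session on logout), as an added example that is not any poster's code. The function names and the sample users row are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. login_user(), has_level(),
// require_level() and logout_user() are hypothetical helper names.

const LEVEL_USER  = 0;   // userLevel values as described in the thread
const LEVEL_ADMIN = 1;

// Call only after the password check has succeeded; $row is the users row.
function login_user(array $row): void
{
    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['uid']       = (int) $row['user_id'];
    $_SESSION['userLevel'] = (int) $row['userLevel'];
}

// True only when the visitor is logged in AND has at least the required level.
function has_level(int $required): bool
{
    return isset($_SESSION['uid'], $_SESSION['userLevel'])
        && $_SESSION['userLevel'] >= $required;
}

// Call at the top of every protected page, before any output is sent.
function require_level(int $required): void
{
    if (!has_level($required)) {
        header('Location: login.php');
        exit;                               // a redirect header alone does not end the script
    }
}

function logout_user(): void
{
    $_SESSION = [];                         // session_destroy() leaves this array populated
    session_destroy();                      // remove the server-side session data
}

// Demo with a constructed row; on a real page only the calls below are needed.
session_start();                            // must run before any use of $_SESSION
login_user(['user_id' => 7, 'userLevel' => LEVEL_ADMIN]);   // constructed sample row
var_dump(has_level(LEVEL_ADMIN));           // state while logged in as an admin
logout_user();
var_dump(has_level(LEVEL_ADMIN));           // state after logout
```

An admin page would start with `session_start();` followed by `require_level(LEVEL_ADMIN);`, and the same `has_level()` check can decide whether admin links appear in the navigation menu.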
