litebearer Posted April 15, 2010

I have looked at and tried numerous ways of restricting certain pages to authorized users/viewers. Have tried to determine what method/coding is easiest and best.

Example (guest would have view and login on their menus; the login process page would check the data to see if it is a registered user - I know how to add users and check if a user is registered.)

```php
<?php
session_start();
########################################################
# check to see if a guest or a user
########################################################
# $_SESSION is the PHP superglobal ($_SESSIONS does not exist)
if (isset($_SESSION['auth_level'])) {
    $auth_level = $_SESSION['auth_level'];
} else {
    $auth_level = 0;
    $_SESSION['auth_level'] = 0;
}
```

Thoughts/suggestions?
andrewgauger Posted April 15, 2010

Someone could inject auth_type into their session. It would be better to track users with a session id and have auth_level as a column in MySQL.
ignace Posted April 15, 2010

> Someone could inject auth_type into their session. It would be better to track users with a session id and have auth_level as a column in MySQL

How would someone in the above code inject auth_type?
andrewgauger Posted April 15, 2010

http://php.find-info.ru/php/004/phpsec-CHP-8-SECT-3.html
TeddyKiller Posted April 15, 2010

Yeah.. just check for sessions. You also have a syntax error: you have an unexpected {, expecting ). Although I've put it in, in the code below. 0 = guest. If the result is bigger than one.. then like.. that's either member, premium, admin etc etc, but that doesn't matter.

```php
<?php
session_start();

if (isset($_SESSION['auth_level']) && isset($_SESSION['user_id'])) {
    $auth_level = $_SESSION['auth_level'];
} else {
    $auth_level = '0';
    $_SESSION['auth_level'] = 0; // Remove this, it is pointless. You are assigning the session as false, even though.. it is false.
}

if ($auth_level == '0') {
    echo 'You are a guest';
}
if ($auth_level == '1') {
    echo 'You are a member';
}
if ($auth_level == '2') {
    echo 'You are admin';
}
```

Just an example.
litebearer (Author) Posted April 15, 2010

Thanks for the replies.

Teddy... yes, the error was due to my typo of leaving out a closing paren on the IF line. And for my purposes there would only be two levels - 0 for viewing only, and 2 for view/add/edit/delete purposes.

Andrew... I read the link you provided and am still a bit confused (remember: A. I am an old codger - 64; B. I do this for fun NOT profit; AND C. I only know enough to be dangerous LOL). If I am interpreting correctly, I must access the database on each page to verify username, etc? OR
andrewgauger Posted April 16, 2010

I researched what I was told about sessions, and found the information false! I was told that sessions were stored on the client and were subject to tampering. I have since learned that sessions are securely held on the server, and can only be accessed by the program that initiates them. I do believe that I will be using sessions in the future with this new knowledge. I am truly sorry for spreading misinformation.
litebearer (Author) Posted April 16, 2010

Andrew, no problem. Simply the exuberance of youth. So once my login process page sets the session variable, all I need to do on every other page is check its value? (rhetorical or NOT depending on whether I am right or wrong ROFL)
TeddyKiller Posted April 16, 2010

It's best to check by ID too, or a hash for better security. If someone was to tamper with the code, they can easily pick up 0 or 2 for a certain session, and set it for themselves. Meaning they can gain access... Same for ID.. I guess. With a hash, it's pretty hard for a tamperer to make a session hash. The hash is usually made out of.. sha1(id, ip address, secret key), the secret key being a random string in the config file or whatever. Makes it pretty damn hard for some hacker to figure it out.
litebearer (Author) Posted April 16, 2010

Teddy... Looking at your example, where do you verify that the user_id session variable is a valid id value?
TeddyKiller Posted April 16, 2010

You're best off with a function if you're going to include something like below on most pages.

```php
<?php
session_start();
// assumes a mysql_connect() / mysql_select_db() connection is already open

if (isset($_SESSION['auth_level']) && isset($_SESSION['user_id'])) {
    $id    = (int) $_SESSION['user_id']; // cast so the value is safe to embed in the SQL string
    $query = mysql_query("select * from users where id='" . $id . "'");
    // mysql_num_rows() takes the result resource; a bare mysql_num_rows is an undefined constant
    if ($query && mysql_num_rows($query) > 0) {
        $auth_level = $_SESSION['auth_level'];
    } else {
        $auth_level = '0';
        unset($_SESSION['auth_level']);
        unset($_SESSION['user_id']);
    }
} else {
    $auth_level = '0';
}
```
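Putting the per-page id lookup from this post together with the hash idea from the earlier reply, as an added example that is not code from anyone in the thread: it swaps in PDO prepared statements and hash_hmac()/hash_equals() for the mysql_* calls and the sha1() concatenation above, and assumes a `users` table with `id` and `auth_level` columns, an open PDO connection `$pdo`, and a secret string `$secret` loaded from the config file (all hypothetical names).

```php
<?php
// Added example, not from the thread: guard for the "check on every page"
// pattern. Hypothetical names: a `users` table (id, auth_level), a PDO
// connection $pdo, and a secret string $secret loaded from the config file.
session_start();

const AUTH_GUEST  = 0;
const AUTH_EDITOR = 2;   // litebearer's view/add/edit/delete level

// Called once by the login page, after the password check has passed.
function loginUser(int $userId, string $secret): void
{
    session_regenerate_id(true);            // never keep the pre-login session id
    $_SESSION['user_id'] = $userId;
    // Bind the stored id to a server-side secret (the "hash" suggested above).
    $_SESSION['token'] = hash_hmac('sha256', (string) $userId, $secret);
}

// Called at the top of every restricted page. The auth level always comes
// from the database, never from the session, so the session only has to be
// trusted for *which* user is logged in, and demotions take effect at once.
function currentAuthLevel(PDO $pdo, string $secret): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        return AUTH_GUEST;
    }
    $expected = hash_hmac('sha256', (string) $_SESSION['user_id'], $secret);
    if (!hash_equals($expected, $_SESSION['token'])) {
        logoutUser();                       // token does not match: treat as guest
        return AUTH_GUEST;
    }
    $stmt = $pdo->prepare('SELECT auth_level FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    if ($level === false) {                 // user row deleted since login
        logoutUser();
        return AUTH_GUEST;
    }
    return (int) $level;
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// On a restricted page:
// if (currentAuthLevel($pdo, $secret) < AUTH_EDITOR) { http_response_code(403); exit; }
```

Because PHP sessions live on the server (as the thread works out above), the database lookup is the part that matters; the HMAC token is extra protection against a stale or mis-set user_id value and costs one hash per request.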