
easiest/best way of protecting user pages


litebearer


I have looked at and tried numerous ways of restricting certain pages to authorized users/viewers. I have tried to determine what method/coding is easiest and best.

example (guest would have view and login on their menus; the login process page would check the data to see if it is a registered user - I know how to add users and check if a user is registered.)

```php
<?PHP
session_start();

########################################################
# check to see if a guest or a user
########################################################
if (isset($_SESSIONS['auth_level']) {
  $auth_level = $_SESSIONS['auth_level'];
}else{
  $auth_level = 0;
  $_SESSIONS['auth_level'] = 0;
}
```

Thoughts/suggestions?

Yeah.. just check for sessions. You also have a syntax error: you have an unexpected {, expecting ). Although I've put it in, in the code below.

0 = guest

If the result is bigger than one.. then like.. that's either member, premium, admin etc etc, but that doesn't matter.

```php
if (isset($_SESSION['auth_level']) && isset($_SESSION['user_id'])) {
    $auth_level = $_SESSION['auth_level'];
} else {
    $auth_level = '0';
    $_SESSIONS['auth_level'] = 0; //Remove this, it is pointless. You are assigning the session as false, even though.. it is false.
}

if($auth_level == '0') { 
    echo 'You are a guest';
}
if($auth_level == '1' ) {
    echo 'You are a member';
}
if($auth_level == '2') {
    echo 'You are admin';
}
```

Just an example :)

Thanks for the replies.

---

Teddy...

Yes, the error was due to my typo of leaving out a closing paren on the IF line.

And for my purposes there would only be two levels - 0 for viewing only, and 2 for view/add/edit/delete purposes.

---

Andrew...

I read the link you provided and am still a bit confused (remember: A. I am an old codger - 64; B. I do this for fun, NOT profit; AND C. I only know enough to be dangerous LOL).

If I am interpreting correctly, I must access the database on each page to verify username, etc?

OR

I researched what I was told about sessions, and found the information false! I was told that sessions were stored on the client and were subject to tampering. I have since learned that sessions are securely held on the server, and can only be accessed by the program that initiates them. I do believe that I will be using sessions in the future with this new knowledge. I am truly sorry for spreading misinformation.

Andrew, no problem. Simply the exuberance of youth. :)

So once my login process page sets the session variable, all I need to do on every other page is check its value? (rhetorical or NOT depending on whether I am right or wrong ROFL)

It's best to check by ID too, or a hash for better security.

If someone was to tamper with the code, they can easily pick up 0 or 2 for a certain session, and set it for themselves. Meaning they can gain access... Same for ID.. I guess.

With a hash, it's pretty hard for a tamperer to make a session hash. Hash is usually made out of..

sha1(id, ip address, secret key)

Secret key being a random string in the config file or whatever. Makes it pretty damn hard for some hacker to figure it out.

You're best off with a function if you're going to include something like below on most pages. :)

```php
if (isset($_SESSION['auth_level']) && isset($_SESSION['user_id'])) {
    // user_id comes from the server-side session, not from the request
    $query = mysql_query("select * from users where id='".$_SESSION['user_id']."'");
    if(mysql_num_rows($query) > 0) {
        $auth_level = $_SESSION['auth_level'];
    } else {
        // no such user any more: drop the stale session data
        $auth_level = '0';
        unset($_SESSION['auth_level']);
        unset($_SESSION['user_id']);
    }
} else {
    $auth_level = '0';
}
```
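Pulling the thread's suggestions together (server-side session, a secret-keyed hash over the ID, and a database check on every page), here is an added example that is not code from the thread. It assumes a PDO connection in $pdo, a users table with id and auth_level columns, and a SECRET_KEY constant defined in a config file; the auth level is read back from the database rather than the session so a demoted or deleted user loses access on their next request.

```php
<?php
// Added example (not from the thread). Assumes: a PDO connection in $pdo,
// a users table with columns id and auth_level, and a SECRET_KEY constant
// defined in a config file outside the web root.
session_start();

// Called once by the login page after the password check succeeds.
function login_user(int $userId, int $authLevel): void {
    session_regenerate_id(true);            // fresh session id on privilege change
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_level'] = $authLevel;
    // Tag binds the id to this server's secret. The IP address suggested in
    // the thread is left out: users behind NAT or on mobile change address.
    $_SESSION['tag'] = hash_hmac('sha256', (string)$userId, SECRET_KEY);
}

// Returns the caller's auth level: 0 for guests, otherwise the level
// stored in the database (not the one in the session).
function current_auth_level(PDO $pdo): int {
    if (!isset($_SESSION['user_id'], $_SESSION['tag'])) {
        return 0;
    }
    $expected = hash_hmac('sha256', (string)$_SESSION['user_id'], SECRET_KEY);
    if (!hash_equals($expected, $_SESSION['tag'])) {
        session_unset();                    // tag does not verify: drop the data
        return 0;
    }
    // Prepared statement: the id never touches the SQL string.
    $stmt = $pdo->prepare('SELECT auth_level FROM users WHERE id = ?');
    $stmt->execute([(int)$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        session_unset();                    // user no longer exists
        return 0;
    }
    return (int)$row['auth_level'];
}

// Include at the top of any page that needs at least $minLevel
// (0 = view only, 2 = view/add/edit/delete in the poster's scheme).
function require_auth_level(PDO $pdo, int $minLevel): void {
    if (current_auth_level($pdo) < $minLevel) {
        header('Location: login.php');
        exit;
    }
}

// Usage on an edit page: require_auth_level($pdo, 2);
```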

Archived

This topic is now archived and is closed to further replies.
