RalphLeMouf Posted February 10, 2011 Share Posted February 10, 2011 Hello all, I have a social network site that has users. Each user has a profile and a id. Myself and two other people are admins and are granted access to certain pages via $admin = true . I have recently hashed everyones passwords. I need to allow admins the ability to proxy a user or login as a different user or become another user for moderation purposes. via OOP there is a $auth->id which is the person's id who is logged in or their user id and $prof->id which is another persons id I am looking at. Meaning if I am looking at someones profile, it is their user id. I am trying to figure out a simple page to create where if $admin you can type a desired id in a input box, press enter and you are all of a sudden logged in as that id. Thanks in advance Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/ Share on other sites More sharing options...
btherl Posted February 11, 2011 Share Posted February 11, 2011 A simpler approach might be to make a master password, known only to admins, which allows logging in to any account. Then you don't have to think about the implications of changing user id half way through running a script. Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/#findComment-1172552 Share on other sites More sharing options...
RalphLeMouf Posted February 11, 2011 Author Share Posted February 11, 2011 I'm open for that...how would one go about doing that? New to me. Thanks! Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/#findComment-1172581 Share on other sites More sharing options...
btherl Posted February 11, 2011 Share Posted February 11, 2011 That would depend on your login code. Wherever it checks the username and password and sets the userid, you can alter it so it will accept any username with your master password, and then continue on as it usually would. I can't really be more specific without seeing the code. Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/#findComment-1172602 Share on other sites More sharing options...
RalphLeMouf Posted February 11, 2011 Author Share Posted February 11, 2011 Here the code from the login page I would use: if(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) { $query = "SELECT `encrypted_password`,`salt` FROM `Users` WHERE `Email` = '" . stripslashes(mysql_real_escape_string($_POST['email'])). "'"; $request = mysql_query($query,$connection) or die(mysql_error()); $result = mysql_fetch_array($request); $salty_password = sha1($result['salt'] . stripslashes(mysql_real_escape_string($_POST['password']))); $query2 = "SELECT * FROM `Users` WHERE `Email` = '". stripslashes(mysql_real_escape_string($_POST['email']))."' AND `encrypted_password` = '$salty_password'"; $request2 = mysql_query($query2,$connection) or die(mysql_error()); $result = mysql_fetch_array($request2); $_SESSION['CLIFE']['AUTH'] = true; $_SESSION['CLIFE']['ID'] = $result['id']; $query = "UPDATE `Users` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1"; mysql_query($query,$connection); if(!empty($_POST['return'])) { header("Location: " . $_POST['return']); }else{ header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']); } }else{ echo "second if statment chooses the else option<br />"; $_SESSION['CLIFE']['AUTH'] = false; $_SESSION['CLIFE']['ID'] = false; } ?>[/code] and the post fields to activate this look like this: <input type="text" name="email" class="text" value="<?php if(isset($formError) && $formError == "true") { echo stripslashes($_POST['email']); } ?>" /> <input type="password" name="password" class="text" value="<?php if(isset($formError) && $formError == "true") { echo stripslashes($_POST['password']); } ?>" /> I might be slightly foggy on the concept of the master password: When a user signs in they use their email as username and then password, your suggesting you just enter the email of the user you want to proxy and then the master password will log you in to that specific account? Thanks Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/#findComment-1172750 Share on other sites More sharing options...
btherl Posted February 13, 2011 Share Posted February 13, 2011 Yes, that's exactly what I'm suggesting. Something like this: if ($_POST['password'] == 'master_password') { $query2 = "SELECT * FROM `Users` WHERE `Email` = '". stripslashes(mysql_real_escape_string($_POST['email'])); $request2 = mysql_query($query2,$connection) or die(mysql_error()); $result = mysql_fetch_array($request2); } else { $query2 = "SELECT * FROM `Users` WHERE `Email` = '". stripslashes(mysql_real_escape_string($_POST['email']))."' AND `encrypted_password` = '$salty_password'"; $request2 = mysql_query($query2,$connection) or die(mysql_error()); $result = mysql_fetch_array($request2); } If you want to provide the same level of security for the master password as you do for other passwords, you can store it as a sha1() hash, and compare the hashes. The code I've written here has the password unencrypted, meaning anyone who sees the code will know the password. Link to comment https://forums.phpfreaks.com/topic/227294-granting-admins-access-to-proxy-normal-users/#findComment-1173817 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.