Restricting access through sessions

[eldan88]

Hey Guys. I have created a function to restrict user access if a user_id has been set and if the session access level is  0 or 1.

 

The page that I am trying to restrict access for if not logged is, user.php.

 

When I go to directly to user page "user.php?jon" for the first time its redirects me to the index.php. When I go to user.php?jon for the second time it takes me to me the user.php for jon .

 

The reason is because my condition says to redirect the user to the index page if the user_name is not set and if the access level is not set.

 

When someone enters in  the uri user.php?jon for the first time it doesn't get set, only after they hit enter  on the address bar the user_id "jon" get set.

 

The issue is with the session access level. It has an or expression which I think, tells the server if none the sessions access level is set to 1 or 0 then bypass.

 

What I am really trying to say is the session must have an access level of 1 or 0 otherwise redirect page. But it does seem to be working.

 

Does anyone have any suggestions. Below is the actual code.

<?php session_start();

function confirmed_admin_logged_in(){
return isset($_SESSION['user_id']) && ($_SESSION['access'] == 0);
}

function confirmed_store_owner_logged_in() {
return isset($_SESSION['user_id']) && ($_SESSION['access'] == 1 || $_SESSION['access'] == 0) ; // The issue might be from this line
}


function admin_logged_in() {
if (!confirmed_admin_logged_in()) {
 goto_page("https://index.php/"); }
}


 function admin_and_store_logged_in() {
if(!confirmed_store_owner_logged_in() && !isset($_SESSION['access'])) {
        goto_page("index.php/");
	}
}

[requinix]

All you did was post some functions. How about posting how those functions are being used? And where the session values are being set?

[eldan88]

Hey Requinix! I went through the files that where using the function, and saw the problem! Thank you!