Identify group of a user?


zid


Hi, trying to build a little page where users can log in, and if a user is a member of group 1, it's an admin, group 2 a moderator and group 3 a contributor.

As of now I set a $_SESSION['userid'] and the membership as a session... $_SESSION['group']. Is this a BAD BIG NO NO?

 

And when the page renders I use an if statement to see if a user is logged in ($_SESSION['userid'] is set) and if he/she belongs to a group (the session group is set).

 

Should I reconsider this? Might have a feeling it's the wrong approach, but it was easy to create.

https://forums.phpfreaks.com/topic/288209-identify-group-of-a-user/

Hello!

 

Because users aren't able to change session data, I think it is safe enough - but of course, pretty much anything can become even more secure. There is, though, the risk of session hijacking.

 

But you could re-check if the user is an admin whenever the user performs an admin-only task - like deleting another user or so.

Something like this:

<?php
// Look up the user's current group from the database instead of trusting a
// cached session value; $db is a PDO connection.
// `group` is a reserved word in MySQL, so it must be quoted with backticks
// or the query fails with a syntax error.
$query = $db->prepare("SELECT `group` FROM users WHERE userid = ?");
$query->execute(array($_SESSION['userid']));
$r = $query->fetch();

// fetch() returns false when the user row no longer exists, so guard it
if ($r && $r['group'] == 1) {
    echo 'Approved';
} else {
    echo 'Not admin';
}
?>

Probably not the best code, but it gives you an idea.

I would run this when performing the admin-only task, and when showing the links, buttons or whatever you have which link to the page which performs the action, I would just check whether $_SESSION['group'] is equal to admin/1.

Your session variable $_SESSION['userid'] is the only thing that is 'fixed' for a user. A user could have his group membership changed (or even change his display name) on the fly. So, for completely general-purpose, foolproof code, you should only identify who a user is through a session variable and query on each page request to find out anything else about them.
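Putting the two replies together (store only the user id in the session, regenerate the session id at login against hijacking/fixation, and re-query the group from the database whenever an admin-only action runs), here is an added example of how that looks in PHP. This is not code from the thread; it assumes a PDO connection in $db, a `users` table with `userid` and `group` columns, and the group numbers from the first post (1 = admin, 2 = moderator, 3 = contributor). The file name delete-user.php in the usage comment is hypothetical.

```php
<?php
// Added example (not from the original thread). Assumptions: $db is a PDO
// connection; table `users` has columns `userid` and `group`.
declare(strict_types=1);

const ROLE_ADMIN       = 1;
const ROLE_MODERATOR   = 2;
const ROLE_CONTRIBUTOR = 3;

/**
 * Call once, after the password check has succeeded. Only the user id is
 * stored; the group is looked up fresh on every request. Regenerating the
 * session id here prevents session fixation and invalidates any id an
 * attacker captured before the login.
 */
function loginUser(int $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
}

/**
 * Fetch the user's current group from the database. Returns null when the
 * session carries no user id or the row no longer exists (deleted account),
 * so a stale session never grants access.
 */
function currentGroup(PDO $db): ?int
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    // `group` is a reserved word in MySQL and must be quoted with backticks.
    $stmt = $db->prepare('SELECT `group` FROM users WHERE userid = ?');
    $stmt->execute([(int) $_SESSION['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['group'];
}

/**
 * Gate for privileged pages/actions. The check runs against the database,
 * never against a cached $_SESSION['group'], so a demotion takes effect on
 * the user's next request. Stops the script with HTTP 403 on failure.
 */
function requireGroup(PDO $db, int ...$allowed): void
{
    $group = currentGroup($db);
    if ($group === null || !in_array($group, $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage in a hypothetical delete-user.php (assumed file name):
//
//   session_start();
//   requireGroup($db, ROLE_ADMIN);                       // admin-only action
//   $stmt = $db->prepare('DELETE FROM users WHERE userid = ?');
//   $stmt->execute([(int) $_POST['target']]);
//
// A page that moderators may also use would call:
//
//   requireGroup($db, ROLE_ADMIN, ROLE_MODERATOR);
```

A cached $_SESSION['group'] set at login is fine for deciding which menu links to render, as the second reply suggests, because the protected page itself calls requireGroup() and re-checks the database before doing anything; the cached value only ever affects what is displayed, not what is permitted.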
