Adamhumbug

How to store user permissions securely

Hi all,

Currently, when my users log into my site I store their user level in a session. This allows admins to see more than normal users.

I am worried that it would be very easy for someone to amend the session and give themselves admin rights.

I am asking for advice on best practice for setting the user level of the logged in user.

Where would you suggest I store this information so that only admins see the admin stuff?

My navbar has a PHP if test running against $_SESSION['user_level'], and only admins see the admin panel.

1 hour ago, Adamhumbug said:

Currently when my users log into my site i store their user level in a session

The only user information you should store in a session variable is the user id. You should query on each page request to get any other user-related data, which you would store in a general program variable/object, named as to the meaning of the data. The reason for doing this is so that any changes to the values will take place immediately (on the next page request). By storing the values in session variables, they will only reflect any changes when someone logs in again. Once you retrieve the user-related data from wherever it is persistently stored, you would use it for determining both what the user can do and what the user can see on each page.

1 hour ago, Adamhumbug said:

I am worried that it would be very easy for someone to amend the session and give themselves admin rights.

What makes you think that? Do you have code on your site that allows users to create or edit PHP program variables?

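The pattern the reply above describes (only the user id in the session, the role re-read from the database on every request), written out as an added example that is not code from either poster. It assumes a `users` table with columns `id`, `username` and `user_level`; an in-memory SQLite database opened through PDO (needs the `pdo_sqlite` extension) stands in for the real one, a plain array stands in for `$_SESSION` so it runs from the CLI, and the password check that precedes `loginUser()` is left out. Two points worth knowing alongside it: with PHP's default server-side session store the browser only ever holds the opaque session id cookie, so a user cannot edit `$_SESSION['user_level']` from the client; the realistic risk is a reused or fixated session id, which is why the login step regenerates it. And hiding the navbar link is display logic, not a control: every admin endpoint must repeat the `requireAdmin()` check itself.

```php
<?php
// Added example (not from the original thread). Keep only the user id in
// the session and resolve the user's role from the database on every request.
declare(strict_types=1);

// Assumed schema: users(id, username, user_level). The sample rows are
// constructed for this demo; an in-memory SQLite database stands in for
// whatever the site really uses.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (
        id         INTEGER PRIMARY KEY,
        username   TEXT NOT NULL UNIQUE,
        user_level TEXT NOT NULL CHECK (user_level IN ('user', 'admin'))
    )");
    $db->exec("INSERT INTO users (id, username, user_level) VALUES
        (1, 'alice', 'admin'),
        (2, 'bob',   'user')");
    return $db;
}

// Called once, after the password check has succeeded (not shown).
// $session is $_SESSION in real code; an array is passed here for the demo.
function loginUser(array &$session, int $userId): void
{
    // Issue a fresh session id on login so a session id the attacker
    // planted or observed before authentication is worthless afterwards.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session = ['user_id' => $userId];   // the only thing persisted in the session
}

// Run at the top of every request. Returns the current user row, or null
// when nobody is logged in or the account no longer exists.
function currentUser(PDO $db, array $session): ?array
{
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, user_level FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function isAdmin(?array $user): bool
{
    return $user !== null && $user['user_level'] === 'admin';
}

// Navbar: the admin link is shown only to admins. This is presentation,
// not access control; each admin page must call requireAdmin() itself.
function renderNavbar(?array $user): string
{
    $html = '<nav><a href="/">Home</a>';
    if (isAdmin($user)) {
        $html .= ' <a href="/admin">Admin panel</a>';
    }
    return $html . '</nav>';
}

// Put this at the top of every admin-only page.
function requireAdmin(?array $user): void
{
    if (!isAdmin($user)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Demo: two requests around a demotion. Because the role is re-read each
// time, the change takes effect on the very next request without a re-login.
$db = openDemoDb();
$session = [];
loginUser($session, 1);                                 // alice logs in
echo renderNavbar(currentUser($db, $session)), "\n";    // link shown: she is admin

$db->exec("UPDATE users SET user_level = 'user' WHERE id = 1");   // demoted
echo renderNavbar(currentUser($db, $session)), "\n";    // link gone, same session
```

Had `user_level` been copied into the session at login, the second navbar would still show the admin link until alice logged out and back in, which is the staleness problem the reply is pointing at.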
