Adamhumbug Posted December 4, 2019

Hi All, Currently when my users log into my site I store their user level in a session. This allows admins to see more than normal users. I am worried that it would be very easy for someone to amend the session and give themselves admin rights. I am asking for advice on best practice for setting the user level of the logged in user. Where would you suggest I store this information so that only admins see the admin stuff. My navbar has a PHP if test running against $_SESSION['user_level'] and only admins see the admin panel.
mac_gyver Posted December 4, 2019

1 hour ago, Adamhumbug said: Currently when my users log into my site i store their user level in a session

the only user information you should store in a session variable is the user id. you should query on each page request to get any other user related data, which you would store in a general program variable/object, named as to the meaning of the data. the reason for doing this is so that any changes to the values will take place immediately (on the next page request.) by storing the values in session variables, they will only reflect any changes when someone logs in again. once you retrieve the user related data from wherever it is persistently stored, you would use it for determining both what the user can do and what the user can see on each page.

1 hour ago, Adamhumbug said: I am worried that it would be very easy for someone to amend the session and give themselves admin rights.

what makes you think that? do you have code on your site that allows users to create or edit php program variables?
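The pattern mac_gyver describes, as an added example that is not code from this thread or from any poster: the login step stores only the user id in the session, and every page re-reads the user's level from the database with a prepared statement, so a changed or revoked level takes effect on the next request. The DSN, credentials, the `users` table and its columns (`id`, `username`, `user_level` as a string such as 'user' or 'admin', `is_active`) are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table name, column names and the
// DSN below are assumptions; adapt them to your schema.

declare(strict_types=1);

session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumed DSN and credentials; replace with your own.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]);
    }
    return $pdo;
}

// Called once, after the password has been checked with password_verify().
// Only the user id goes into the session; no level, no role, no flags.
function loginUser(int $userId): void
{
    // Fresh session id on privilege change, so a session id handed out
    // before login cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Called at the top of every page. The user id is the only value trusted
// from the session; the level is re-read from the database each request,
// so an admin demoted or disabled in the database loses access immediately.
function currentUser(): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = db()->prepare(
        'SELECT id, username, user_level FROM users WHERE id = :id AND is_active = 1'
    );
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        // Account deleted or deactivated since login: end the session.
        session_unset();
        session_destroy();
        return null;
    }
    return $user;
}

function isAdmin(?array $user): bool
{
    return $user !== null && $user['user_level'] === 'admin';
}

// Every admin page calls this itself; hiding the navbar link is not a check.
function requireAdmin(): void
{
    if (!isAdmin(currentUser())) {
        http_response_code(403);
        exit('Forbidden');
    }
}

$user = currentUser();
?>
<nav>
  <a href="/">Home</a>
  <?php if (isAdmin($user)): ?>
    <a href="/admin/">Admin panel</a>
  <?php endif; ?>
</nav>
```

The navbar test above only decides what to show; each script under `/admin/` has to call `requireAdmin()` (or an equivalent check on the freshly loaded user) before doing anything, because a user can request that URL directly whether or not a link was rendered for them.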
Adamhumbug Posted December 10, 2019 (Author)

On 12/4/2019 at 3:20 PM, mac_gyver said: the only user information you should store in a session variable is the user id. you should query on each page request to get any other user related data, which you would store in a general program variable/object, named as to the meaning of the data. the reason for doing this is so that any changes to the values will take place immediately (on the next page request.) by storing the values in session variables, they will only reflect any changes when someone logs in again. once you retrieve the user related data from wherever it is persistently stored, you would use it for determining both what the user can do and what the user can see on each page. what makes you think that? do you have code on your site that allows users to create or edit php program variables?

Thank you for this help. I have amended how everything works so that there is a prepared query on each page that checks per page load - makes sense. I do not have any code that allows people to edit PHP and have been careful to try and use prepared stmts everywhere. Thanks Again
Psycho Posted December 10, 2019

Even session data can be "hacked". Everything can be "hacked"; it is just a matter of how difficult it is. The amount of effort and safeguards you put in place should be directly proportional to the "value" or "risk" associated with the data being secured. Unless you are dealing with financial or sensitive PII data, I think using a session value as @mac_gyver stated is perfectly acceptable. Although you should at least read the manual regarding sessions to take the basic precautions.