SkyRanger Posted April 30, 2007 I currently have a login script that works almost the way I want it to, but I would also like to be able to secure certain pages by access level, and I was wondering if there is a way to do it with the script I have. Here is what I have already: Top of page: if($session->logged_in){ $loggedin = $session->username; bottom of page: } else { header("Location: ../index.php"); } The column holding the access level is users.accesslevel, with levels 1 - 9. I would like different pages to accept different ranges of levels, e.g.: 1 - 3 4 - 5 5 - 9 Link to comment https://forums.phpfreaks.com/topic/49322-solved-secure-by-access-level/
trq Posted April 30, 2007 Your code doesn't really explain much, so I'll just give an example. When a user logs in, retrieve their access level from the database and store it in a $_SESSION variable, e.g. $_SESSION['level']. Then, to run the check, simply use an if statement, e.g.: <?php if ($_SESSION['level'] >= 1 && $_SESSION['level'] <= 3) { // show page. } else { // user level denied. } ?> Link to comment https://forums.phpfreaks.com/topic/49322-solved-secure-by-access-level/#findComment-241700
SkyRanger Posted April 30, 2007 Author Sorry thorpe, yeah, I should have explained what the code I posted was: it checks whether the user is logged in. If they logged in successfully, it shows the page; if not, execution falls through to the else at the bottom of the page, which redirects them back to the index page to log in again. include "../include/session.php"; if($session->logged_in){ $loggedin = $session->username; bottom of page: } else { header("Location: ../index.php"); } Here is my sessions.php page. I tried putting in your code, but it just kicks me back to the main page. class Session { var $username; //Username given on sign-up var $userid; //Random value generated on current login var $userlevel; //The level to which the user pertains var $time; //Time user was last active (page loaded) var $logged_in; //True if user is logged in, false otherwise var $userinfo = array(); //The array holding all user info var $url; //The page url current being viewed var $referrer; //Last recorded site page viewed /** * Note: referrer should really only be considered the actual * page referrer in process.php, any other time it may be * inaccurate. */ /* Class constructor */ function Session(){ $this->time = time(); $this->startSession(); } /** * startSession - Performs all the actions necessary to * initialize this session object. Tries to determine if the * the user has logged in already, and sets the variables * accordingly. Also takes advantage of this page load to * update the active visitors tables. */ function startSession(){ global $database; //The database connection session_start(); //Tell PHP to start the session /* Determine if user is logged in */ $this->logged_in = $this->checkLogin(); /** * Set guest value to users not logged in, and update * active guests table accordingly. 
*/ if(!$this->logged_in){ $this->username = $_SESSION['username'] = GUEST_NAME; $this->userlevel = GUEST_LEVEL; $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time); } /* Update users last active timestamp */ else{ $database->addActiveUser($this->username, $this->time); } /* Remove inactive visitors from database */ $database->removeInactiveUsers(); $database->removeInactiveGuests(); /* Set referrer page */ if(isset($_SESSION['url'])){ $this->referrer = $_SESSION['url']; }else{ $this->referrer = "/"; } /* Set current url */ $this->url = $_SESSION['url'] = $_SERVER['PHP_SELF']; } /** * checkLogin - Checks if the user has already previously * logged in, and a session with the user has already been * established. Also checks to see if user has been remembered. * If so, the database is queried to make sure of the user's * authenticity. Returns true if the user has logged in. */ function checkLogin(){ global $database; //The database connection /* Check if user has been remembered */ if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){ $this->username = $_SESSION['username'] = $_COOKIE['cookname']; $this->userid = $_SESSION['userid'] = $_COOKIE['cookid']; } /* Username and userid have been set and not guest */ if(isset($_SESSION['username']) && isset($_SESSION['userid']) && $_SESSION['username'] != GUEST_NAME){ /* Confirm that username and userid are valid */ if($database->confirmUserID($_SESSION['username'], $_SESSION['userid']) != 0){ /* Variables are incorrect, user not logged in */ unset($_SESSION['username']); unset($_SESSION['userid']); return false; } /* User is logged in, set class variables */ $this->userinfo = $database->getUserInfo($_SESSION['username']); $this->username = $this->userinfo['username']; $this->userid = $this->userinfo['userid']; $this->userlevel = $this->userinfo['userlevel']; return true; } /* User not logged in */ else{ return false; } } /** * login - The user has submitted his username and password * through the login 
form, this function checks the authenticity * of that information in the database and creates the session. * Effectively logging in the user if all goes well. */ function login($subuser, $subpass, $subremember){ global $database, $form; //The database and form object /* Username error checking */ $field = "user"; //Use field name for username if(!$subuser || strlen($subuser = trim($subuser)) == 0){ $form->setError($field, "* Username not entered"); } else{ /* Check if username is not alphanumeric */ if(!eregi("^([0-9a-z])*$", $subuser)){ $form->setError($field, "* Username not alphanumeric"); } } /* Password error checking */ $field = "pass"; //Use field name for password if(!$subpass){ $form->setError($field, "* Password not entered"); } /* Return if form errors exist */ if($form->num_errors > 0){ return false; } /* Checks that username is in database and password is correct */ $subuser = stripslashes($subuser); $result = $database->confirmUserPass($subuser, md5($subpass)); /* Check error codes */ if($result == 1){ $field = "user"; $form->setError($field, "* Username not found"); } else if($result == 2){ $field = "pass"; $form->setError($field, "* Invalid password"); } /* Return if form errors exist */ if($form->num_errors > 0){ return false; } /* Username and password correct, register session variables */ $this->userinfo = $database->getUserInfo($subuser); $this->username = $_SESSION['username'] = $this->userinfo['username']; $this->userid = $_SESSION['userid'] = $this->generateRandID(); $this->userlevel = $this->userinfo['userlevel']; /* Insert userid into database and update active users table */ $database->updateUserField($this->username, "userid", $this->userid); $database->addActiveUser($this->username, $this->time); $database->removeActiveGuest($_SERVER['REMOTE_ADDR']); /** * This is the cool part: the user has requested that we remember that * he's logged in, so we set two cookies. One to hold his username, * and one to hold his random value userid. 
It expires by the time * specified in constants.php. Now, next time he comes to our site, we will * log him in automatically, but only if he didn't log out before he left. */ if($subremember){ setcookie("cookname", $this->username, time()+COOKIE_EXPIRE, COOKIE_PATH); setcookie("cookid", $this->userid, time()+COOKIE_EXPIRE, COOKIE_PATH); } /* Login completed successfully */ return true; } Link to comment https://forums.phpfreaks.com/topic/49322-solved-secure-by-access-level/#findComment-241713 Share on other sites More sharing options...
SkyRanger Posted April 30, 2007 Author OK, I think I got it, but I don't want to implement it across my whole site yet. Will this code work? I tested it on one page and it seemed to work: if($session->logged_in) if($session-> userlevel >= 4 && $session-> userlevel <= 9) { secured code here } else { echo " You are not authorized to see this page"; } Link to comment https://forums.phpfreaks.com/topic/49322-solved-secure-by-access-level/#findComment-241739