Creating sessions to give permissions to different users

Hi,

I have a login and register page along with sessions that is working fine. Here is a small snippet of the PHP once a user successfully logs in:

[php]if(mysql_num_rows($validate_user_information) == 1)
{
    $get_user_information = mysql_fetch_array($validate_user_information);
    $_SESSION["VALID_USER_ID"] = $user_email;
    $_SESSION["USER_FULLNAME"] = strip_tags($get_user_information["firstname"].' '.$get_user_information["lastname"]);
    echo 'Index.php?uid='.$_SESSION["USER_FULLNAME"].'&';
    echo 'login_process_completed_successfully=yes';
}
else
{
    echo '
Incorrect email or password. Please enter correct user information to proceed.
';
}[/php]

What I would like to know is, say I make a new column in my users table called admin, being either true or false.

How can I only let users access certain pages if they are admins?

This is how my site currently works, with this PHP at the top of standard pages:

[php]<?php
session_start();
ob_start();
// Check that the session value exists before trimming it, so no notice is raised when it is unset.
$valid_user_id = isset($_SESSION["VALID_USER_ID"]) ? trim($_SESSION["VALID_USER_ID"]) : '';
if(isset($_SESSION["VALID_USER_ID"]) && !empty($valid_user_id))
{
?>

CONTENT GOES HERE

<?php
}
else
{
    //Send every user who tries to access this page directly without valid session to the login page.
    //The login page is the door that every user needs to pass to this page
    header("Location: login.php");
    exit; // stop here so nothing below is sent after the redirect
}
?>[/php]

Can anyone give me a tip on how to write it so that only an admin can view a page?

Thanks

I have to first say you shouldn't be using mysql_ statements, for they are obsolete; instead you should be using mysqli_ or PDO (my recommendation) statements.

What I do is have a column that I use as a security level, which I label security_level; it can be an enum type or a varchar. Some people frown upon enum types because they are fixed. However you go about it, you can then have different security_levels, for example sysop, member, and public.

Then in your configuration file you can put something like this:

[php]$user = isset($_SESSION['user']) ? $_SESSION['user'] : NULL;[/php]

Then when the user logs in I do this (I know this isn't what you're going to do, but it will give a good idea how to do it) -
[php]public function read(array $data = NULL) {
    /* Setup the Query for reading in login data from database table */
    $this->query = 'SELECT id, username, password, security_level, first_name, last_name, email, home_phone, cell_phone, gender, birthday FROM users WHERE username=:username';

    try {
        $this->stmt = $this->pdo->prepare($this->query); // Prepare the query:
        $this->stmt->execute([':username' => $data['username']]); // Execute the query with the supplied user's parameter(s):
    } catch (Exception $ex) {
        die("Failed to run query: " . $ex->getMessage()); // Do Not Use in Production Website - Log error or email error to admin:
    }

    $this->stmt->setFetchMode(PDO::FETCH_OBJ);
    $this->user = $this->stmt->fetch();

    if ($this->user) {
        $this->loginStatus = password_verify($data['password'], $this->user->password); // Check the user's entry to the stored password:
        unset($data['password'], $this->user->password); // Password(s) not needed then unset the password(s)!:
    } else {
        return FALSE;
    }

    if ($this->loginStatus) {
        $_SESSION['user'] = $this->user; // Set the session variable of user:
        return TRUE;
    } else {
        return FALSE;
    }
}[/php]

Then if you want to have an administrator-only page you can simply do this at the top of that page, for example:
[php]// Redirect guests (no $user at all) as well as logged-in users who are not sysops.
if (!$user || $user->security_level !== 'sysop') {
    header("Location: index.php");
    exit();
}[/php]

The most important thing to remember is that session_start(); must be called before anything else, and like I said, the example I gave you is just to show you the flow of things. I would recommend that you use arrays instead of objects - if ($user && $user['security_level'] === "member") for example. People here will be glad to help you on mysqli_ or PDO. HTH John

Thanks Strider64, I always forget to UNSET the password when done. That reminds me to add it to my to-do list I am making up for site setups…

Now, IcantSession, after rereading your post, it comes to me that you might not understand how to show
or hide parts of your HTML depending on user-level settings. So, if you want to hide parts of your HTML
from a non-admin level, you simply do it something like this in the middle of your HTML:
[php]<?PHP if ($user && $user->security_level == 'sysop') { ?>

... some HTML ...

You are an ADMIN...

whatever you need for the admin to see that other members do not see...

<?PHP } ?>[/php]

You can place this code in different areas where you want extra info to be shown to just the ADMINs...
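Pulling the two answers together (the admin-only page check and hiding HTML from non-admins), here is an added example that is not code from anyone in this thread. It assumes the login step stored the user's database row in $_SESSION['user'] as an array with a security_level key, as John suggests; the function names are my own.

```php
<?php
// Added example, not from the thread. Assumes $_SESSION['user'] holds the
// user's database row as an array with a 'security_level' key (sysop, member, ...).
declare(strict_types=1);

/** Call once right after password_verify() succeeds, before anything is output. */
function login_user(array $row): void
{
    unset($row['password']);        // the hash is never needed again; keep it out of the session
    session_regenerate_id(true);    // fresh session id on login defeats session fixation
    $_SESSION['user'] = $row;       // the level comes from the DB row, never from the URL or a cookie
}

/** The logged-in user's row, or null for a guest. Starts the session if needed. */
function current_user(): ?array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return (isset($_SESSION['user']) && is_array($_SESSION['user'])) ? $_SESSION['user'] : null;
}

/** True only for a logged-in user whose level is in $allowed. Guests always fail. */
function user_has_level(?array $user, array $allowed): bool
{
    return $user !== null
        && isset($user['security_level'])
        && in_array($user['security_level'], $allowed, true);
}

/** First line of a protected page: redirect anyone not permitted and stop. */
function require_level(array $allowed, string $redirect = 'login.php'): array
{
    $user = current_user();
    if (!user_has_level($user, $allowed)) {
        header('Location: ' . $redirect);
        exit; // without exit the rest of the page would still be sent after the redirect
    }
    return $user;
}

/** For the mid-page case: return $html only if the viewer holds one of $allowed. */
function only_for(array $allowed, string $html): string
{
    return user_has_level(current_user(), $allowed) ? $html : '';
}

// admin.php usage (a members page would pass ['sysop', 'member'] instead):
// $user = require_level(['sysop']);
// echo only_for(['sysop'], '<a href="users.php">Manage users</a>');
```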