Preventing non-admin access

Hi all,

I’m trying to get some code to prevent users who do not have the rights to the admin area from accessing it.
This is my session being set at login:
[php]
// start session (must run before anything is written to $_SESSION and before any output)
session_start();
// ... the enclosing if() tests the username/password lookup; only its two branches are shown here
// give the authenticated user a fresh session id so an id fixed before login is not kept
session_regenerate_id(true);
$_SESSION['firstName'] = $firstName;
$_SESSION['surname'] = $surname;
$_SESSION['username'] = $username;
$_SESSION['login'] = true;
$_SESSION['admin'] = $admin;
header("Location: account.php");
exit; // stop here; without exit the rest of the script keeps running after the redirect
} else {
// redirect back to login form if not authorised
// the refresh header has to be sent before the echo, otherwise the headers are already out
header("refresh:5; url=login.php");
echo 'Invalid username or password. You will be automatically redirected to login.';
exit;
[/php]

This is the admin page code:
[php]
session_start();

// allow into the admin area only if the session holds admin == 1
// (strict in_array: '0', '', null and an unset key all fail the test)
if(!isset($_SESSION['admin']) || !in_array($_SESSION['admin'], array(1, '1'), true))
{
// not an admin (or not logged in at all): send to the login page
header("Location: login.php");
exit; // without exit the rest of the admin page is still rendered to non-admins
}
[/php]
I also tried:
[php]
session_start();

// if admin is set, allow into admin area
// note: isset() is also true when $_SESSION['admin'] holds '0', so this only
// protects the page if the key is set for admins alone
if(isset($_SESSION['admin'])){
// session is set, user is logged in
}else{
// send to login page if not logged in
header("Location: login.php");
exit; // stop rendering the page after the redirect
}
[/php]

To tell whether they are an admin user, I have an admin field in my database that stores 1 for admin and 0 for non-admin.
When I logged in with an admin account, I echoed the value and it does echo a 1.

Thanks,
Jack
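The two things the posted admin page is missing are a strict check on the stored value and an exit after the redirect. Below is an added example, not code from the original post, that puts the login session setup and the admin gate into one shared include so every admin page uses the same check. The file name auth.php, the column names first_name, surname, username and admin, and the variable $row holding the matched user record are assumptions for the example.

```php
<?php
// auth.php (assumed file name): shared helpers included by login.php and every admin page.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie is unreadable to JavaScript and not sent on cross-site requests;
    // 'secure' is only set when the request itself came in over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => isset($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Call once the username/password check has succeeded. $row is the matching user
// record from the login query (assumed columns: first_name, surname, username, admin).
function login_user(array $row): void
{
    start_secure_session();
    // A fresh id on login stops session fixation: an id handed to the victim before
    // authentication no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['firstName'] = $row['first_name'];
    $_SESSION['surname']   = $row['surname'];
    $_SESSION['username']  = $row['username'];
    $_SESSION['login']     = true;
    // Store a real boolean so later checks cannot be fooled by '0' or '' being "set".
    $_SESSION['admin']     = ((int) $row['admin'] === 1);
}

function is_admin(): bool
{
    start_secure_session();
    // Both flags must be exactly true; a missing key, '0', '' or null all fail.
    return ($_SESSION['login'] ?? false) === true
        && ($_SESSION['admin'] ?? false) === true;
}

// Put require_admin() at the very top of admin.php, before any HTML is output.
function require_admin(): void
{
    if (!is_admin()) {
        // 303 forces the browser to GET the login page; exit is essential, because
        // PHP would otherwise keep rendering the protected page after the header.
        header('Location: login.php', true, 303);
        exit;
    }
}

// Usage on the admin page:
//   require 'auth.php';
//   require_admin();
//   ... admin HTML follows ...
```

The check lives in one function on purpose: if the rule changes later (for example to a role column), only require_admin() changes, not every page that includes it.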

My advice: never tell the user that his or her username or password is invalid. Just say "invalid login, please re-enter". My reasoning is that you never want to tell a person that he/she is on the right track to getting some other user’s account. Just my .02 cents.

Besides, a person could be a regular person and already be logged in? Probably making it all the more so? I’m confused: are you letting a person who isn’t an administrator into the admin area?

Hi Strider64,

If they login, it doesn’t tell them what is incorrect, it just says either is incorrect - I can soon change that.
So when a normal user is logged in their $_SESSION[‘admin’] will be equal to ‘0’.
When an admin is logged in their $_SESSION[‘admin’] will be equal to ‘1’.

I want the code to only allow those with a $_SESSION[‘admin’] of 1 into the admin area.

Please note - this isn’t for a live website. I understand that some code should be different and secure.

Thanks,
Jack

You don't need to set a session for non-admins. Just set it if they are one and check if the session is set.

[php]
// at login: only admins get the key, non-admins never have it in their session
if ($admin) {
    $_SESSION['is_admin'] = true;
}
[/php]

Check for it…

[php]
if (isset($_SESSION['is_admin'])) {
    // I am an admin. let me do stuff.
}
[/php]
[/gr_replace]

I subscribe to the role based permissions, which removes the session settings. If role == manager I don’t need a new session statement, I just let the code roll with what is allowable.
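The role-based approach described above keeps one role name in the session and looks permissions up from a table, so no page ever needs its own is_admin or is_manager flag. The following is an added example, not code from the original post or from the poster: the file name roles.php, the role names user, manager and admin, the permission names, and the users table column role are all assumptions made for the example.

```php
<?php
// roles.php (assumed file name): role-based checks that replace a 0/1 admin flag.
declare(strict_types=1);

// Which actions each role may perform. This table is the only place permissions
// change; pages ask for a permission and never compare role names themselves.
const ROLE_PERMISSIONS = [
    'user'    => ['view_account'],
    'manager' => ['view_account', 'view_reports'],
    'admin'   => ['view_account', 'view_reports', 'manage_users'],
];

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called at login after the credential check, with the role name read from the
// users table (assumed column: role). Unknown roles fall back to least privilege.
function set_role_on_login(string $role): void
{
    ensure_session();
    if (!array_key_exists($role, ROLE_PERMISSIONS)) {
        $role = 'user';
    }
    session_regenerate_id(true); // new id on privilege change
    $_SESSION['role'] = $role;
}

function current_role(): string
{
    ensure_session();
    // A missing or tampered session value is treated as the least-privileged role.
    $role = $_SESSION['role'] ?? 'user';
    return array_key_exists($role, ROLE_PERMISSIONS) ? $role : 'user';
}

function can(string $permission): bool
{
    // strict in_array so that a permission name is matched exactly, never by loose comparison
    return in_array($permission, ROLE_PERMISSIONS[current_role()], true);
}

// Deny-by-default gate for a page or an action: stops the request unless permitted.
function require_permission(string $permission): void
{
    if (!can($permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of the admin page, before any output:
//   require 'roles.php';
//   require_permission('manage_users');
//
// Usage inside a page that several roles may see, to show or hide one feature:
//   if (can('view_reports')) { /* render the reports link */ }
```

Because the gate asks for a permission rather than a role, adding a fourth role later only means adding a row to ROLE_PERMISSIONS; none of the pages that call require_permission() change.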

Thanks [member=72272]astonecipher[/member] - I’m looking for a simple quick fix. I’m not sure how I would implement your strategy?

Thanks [member=46186]Kevin Rubio[/member] - I sort of understand your solution but I’m not sure how to put it in my code? Sorry for being a bit thick!

Thanks,
Jack

[member=72272]astonecipher[/member] 's suggestion is the way to go if you are going to have multiple roles/levels but if there is ever only going to be just an admin you don’t need that.

If you wrote the code you posted, you should have no problem doing what I showed. It is very basic.

Managed to get it working - I hadn’t included the value in my query.

Thanks everyone!
