
granting admins access to proxy normal users


RalphLeMouf


Hello all,

I have a social network site that has users. Each user has a profile and an id. Myself and two other people are admins and are granted access to certain pages via $admin = true. I have recently hashed everyone's passwords. I need to allow admins the ability to proxy a user or login as a different user or become another user for moderation purposes.

Via OOP there is a $auth->id, which is the person's id who is logged in or their user id, and $prof->id, which is another person's id I am looking at. Meaning if I am looking at someone's profile, it is their user id.

I am trying to figure out a simple page to create where if $admin you can type a desired id in an input box, press enter and you are all of a sudden logged in as that id.

Thanks in advance


That would depend on your login code. Wherever it checks the username and password and sets the userid, you can alter it so it will accept any username with your master password, and then continue on as it usually would.

I can't really be more specific without seeing the code.


Here is the code from the login page I would use:

[code]
<?php
if (isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {

    // Escape the email once for use in both queries
    $email = mysql_real_escape_string($_POST['email'], $connection);

    // Look up the stored hash and salt for this email
    $query = "SELECT `encrypted_password`,`salt` FROM `Users` WHERE `Email` = '" . $email . "'";
    $request = mysql_query($query, $connection) or die(mysql_error());
    $result = mysql_fetch_array($request);

    // Hash the submitted password with the user's salt
    $salty_password = sha1($result['salt'] . stripslashes(mysql_real_escape_string($_POST['password'])));

    // Fetch the user row only if both the email and the salted hash match
    $query2 = "SELECT * FROM `Users` WHERE `Email` = '" . $email . "' AND `encrypted_password` = '$salty_password'";
    $request2 = mysql_query($query2, $connection) or die(mysql_error());
    $result = mysql_fetch_array($request2);

    if ($result) {
        $_SESSION['CLIFE']['AUTH'] = true;
        $_SESSION['CLIFE']['ID'] = $result['id'];

        // Record the time of this login
        $query = "UPDATE `Users` SET `LastActivity` = '" . date("Y-m-d H:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
        mysql_query($query, $connection);

        // $_POST['return'] is user-supplied and is used as the redirect target as-is
        if (!empty($_POST['return'])) {
            header("Location: " . $_POST['return']);
        } else {
            header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
        }
        exit;
    } else {
        // No row matched the email and password
        $_SESSION['CLIFE']['AUTH'] = false;
        $_SESSION['CLIFE']['ID'] = false;
    }

} else {

    echo "second if statment chooses the else option<br />";

    $_SESSION['CLIFE']['AUTH'] = false;
    $_SESSION['CLIFE']['ID'] = false;

}
?>
[/code]

 

and the post fields to activate this look like this:

[code]
<input type="text" name="email" class="text" value="<?php if(isset($formError) && $formError == "true") { echo htmlspecialchars(stripslashes($_POST['email']), ENT_QUOTES); } ?>" />
<input type="password" name="password" class="text" value="<?php if(isset($formError) && $formError == "true") { echo htmlspecialchars(stripslashes($_POST['password']), ENT_QUOTES); } ?>" />
[/code]

I might be slightly foggy on the concept of the master password: When a user signs in they use their email as username and then password, you're suggesting you just enter the email of the user you want to proxy and then the master password will log you in to that specific account? Thanks


Yes, that's exactly what I'm suggesting. Something like this:

[code]
if ($_POST['password'] == 'master_password') {
   // Master password given: look the user up by email alone
   $query2 = "SELECT * FROM `Users` WHERE `Email` = '" . mysql_real_escape_string($_POST['email']) . "'";
   $request2 = mysql_query($query2,$connection) or die(mysql_error());
   $result = mysql_fetch_array($request2);
} else {
   // Normal login: email and salted hash must both match
   $query2 = "SELECT * FROM `Users` WHERE `Email` = '" . mysql_real_escape_string($_POST['email']) . "' AND `encrypted_password` = '$salty_password'";
   $request2 = mysql_query($query2,$connection) or die(mysql_error());
   $result = mysql_fetch_array($request2);
}
[/code]

If you want to provide the same level of security for the master password as you do for other passwords, you can store it as a sha1() hash, and compare the hashes. The code I've written here has the password unencrypted, meaning anyone who sees the code will know the password.
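
The page the original question asks for, as an added example that is not part of the thread: an admin who is already signed in switches the session to a target id, and the real actor is kept for auditing. The `is_admin` column, the `IMPERSONATOR` session key and the function names are assumptions; the sample users are constructed in an in-memory SQLite database.

```php
<?php
// Added example, not code from the thread. is_admin, IMPERSONATOR and the
// function names are assumptions; CLIFE/AUTH/ID follow the login code above.
function admin_flag(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT is_admin FROM Users WHERE id = ?');
    $stmt->execute(array((int) $id));
    $flag = $stmt->fetchColumn();
    return $flag === false ? null : (int) $flag; // null: no such user
}

function start_impersonation(PDO $pdo, array &$session, $targetId)
{
    // Only a signed-in admin may switch; the flag is read from the database.
    if (empty($session['CLIFE']['AUTH'])
        || admin_flag($pdo, $session['CLIFE']['ID']) !== 1) {
        return false;
    }
    // The target must exist and must not be another admin.
    if (admin_flag($pdo, $targetId) !== 0) {
        return false;
    }
    // Keep the real actor so the switch can be audited and undone.
    $session['CLIFE']['IMPERSONATOR'] = $session['CLIFE']['ID'];
    $session['CLIFE']['ID'] = (int) $targetId;
    error_log('impersonation: admin ' . $session['CLIFE']['IMPERSONATOR']
        . ' acting as user ' . $session['CLIFE']['ID']);
    return true;
}

function stop_impersonation(array &$session)
{
    if (!isset($session['CLIFE']['IMPERSONATOR'])) {
        return false;
    }
    $session['CLIFE']['ID'] = $session['CLIFE']['IMPERSONATOR'];
    unset($session['CLIFE']['IMPERSONATOR']);
    return true;
}

// Constructed sample data: user 1 is an admin, users 2 and 3 are not.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, is_admin INTEGER)');
$pdo->exec('INSERT INTO Users (id, is_admin) VALUES (1, 1), (2, 0), (3, 0)');
$admin = array('CLIFE' => array('AUTH' => true, 'ID' => 1));
$user  = array('CLIFE' => array('AUTH' => true, 'ID' => 2));
var_dump(start_impersonation($pdo, $admin, 3)); // admin 1 acting as user 3
var_dump(start_impersonation($pdo, $user, 3));  // attempt by non-admin user 2
var_dump(stop_impersonation($admin));           // back to the admin's own id
```

In the admin page itself, pass `$_SESSION` as the second argument and call `session_regenerate_id(true)` after a successful switch.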
