M0n5terBunny Posted October 11, 2011

Hello, I have 3 types of user accounts (admins, moderators, users), each with their own individual login page and their own individual secured page with session security, but when I log in through the user login page I can access the admin secured page. So I'm asking if there is a way to make the secured pages only accessible to the correct users.

    // Login query: id is the account type (1 = admin, 2 = moderator, 3 = user)
    $sql = "SELECT * FROM user WHERE id = 1"
         . " AND username = '" . mysql_real_escape_string($_POST['username']) . "'"
         . " AND password = '" . mysql_real_escape_string(md5($_POST['password'])) . "'";

id would be the variable it looks for when checking sessions on each secured page, like admin would be 1, moderators 2 and users 3, and if the id isn't correct for that page it would reject them and say "wrong page" or something along those lines. Any ideas? Cheers
WebStyles Posted October 11, 2011

"users each with their own individual login page" -- why? You should use just one login page; this will ensure that the session variables are overwritten when you log in as a different type of user. I'm saying this because I'm guessing (I may be wrong) you have something like $_SESSION['admin'] = 'yes' when you log in as an admin, and another one like $_SESSION['basicUser'] = 'yes' for your other login page. And I bet what happened there was you tested your login as admin, and it worked; then you tested logging in as another user, and since the first variable ($_SESSION['admin']) was not replaced, you still have access to your admin pages. This is wrong.

You should use $_SESSION['accountType'] = 'admin' (or 'basic' or 'moderator' or whatever); this way when you log in with another account, it will get replaced. Then all you need to do is check each page against that variable, so on admin pages you will have something like this at the top:

    session_start();
    if ($_SESSION['accountType'] != 'admin') {
        // Clear every session variable before denying access
        foreach ($_SESSION as $k => $v) {
            unset($_SESSION[$k]);
        }
        echo 'Permission denied. You have been logged out';
        exit();
    }

Just guessing... put this on every page to check your session variables and find out what's wrong:

    echo '<pre>';
    print_r($_SESSION);
M0n5terBunny Posted October 11, 2011 Author

Kinda. Basically the reason why we have 4 logins is because there are 4 separate pages, like accounts, HR, managers, customer consultants, administrators. So if a user logs in through the managers login page it sets their session to managers, and then if they try and head to the accounts page it would say denied and log them out. Is that what you're saying above? This sets the session; what shall I add to that to say this is a manager?

    // Check username and password match
    if (mysql_num_rows($login) == 1) {
        // Set username session variable
        $_SESSION['username'] = $_POST['username'];
        // Jump to secured page
        header('Location: Administration/admin-securepage.php');
        exit();
    } else {
        // Jump to login page
        header('Location: Login.html');
        exit();
    }

And this is the secured page; how would I check if the session is manager, and if not log out and say permission denied?

    // Initialize session
    session_start();
    // Check: if username session is NOT set then this page will jump to login page
    if (!isset($_SESSION['username'])) {
        header('Location: /New2/Login.html');
        exit(); // stop the rest of the secured page from being sent after the redirect
    }

:S
WebStyles Posted October 11, 2011

You should have just one login page, and have the users flagged as 'user', 'admin', etc. in a database, so your login table would look something like:

    id, userName, passWord, accountType

It's not good to have 4 different login pages; you can simply redirect them to the appropriate page after login, based on their accountType setting. This will make things easier to maintain. The username WILL NOT help you restrict access unless you want to query the database every time a page is loaded or refreshed. Like I said before, I would use just ONE login page, and control all accesses and redirects based on accountType, which can easily be stored in $_SESSION. (To do things properly, you should have a table that defines specific permissions for each user. What if you wish to have a read-only manager? Or an admin that can use all the admin pages except one of them? What if you want a specific basic user to be able to see just one of the manager pages? etc.)
M0n5terBunny Posted October 11, 2011 Author

    session_start();
    if ($_SESSION['accountType'] != 'admin') {
        foreach ($_SESSION as $k => $v) {
            unset($_SESSION[$k]);
        }
        echo 'Permission denied. You have been logged out';
        exit();
    }

Just looking at your code, I see what you're getting at. Where are you getting the DB connection from to check what account type it is?
WebStyles Posted October 11, 2011

Yes. On login you would store the accountType in a session variable and redirect based on that account type. That code I gave you basically unsets all session variables if a user tries to access a page he's not allowed to; it's just a very basic example. Like I said, the best way would be to set up a 'proper' permissions system. This is the first thing I analyze/do at the beginning of every project, and for me the most important aspects of any project are: Access Control, Activity Logging (so you know exactly what was changed/accessed, when and by whom), and History Tables (so you can roll back unwanted changes if needed). If you're working on a project that has the need for 4 different account types, I'm guessing it's pretty big, so you should consider all of the above, plus a proper backup/replication system in case of hardware failure, hacking, etc.
M0n5terBunny Posted October 11, 2011 Author

Thank you.
M0n5terBunny Posted October 11, 2011 Author

How are you checking the account type from the sessions? Isn't it supposed to connect to the DB to check what account type is in the DB column?
WebStyles Posted October 11, 2011

As I said before, when someone logs in, you check the account type (once) and store it in a $_SESSION variable, to avoid database queries on every page load.
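The single-login-page design WebStyles describes across this thread (one accountType in the session, redirect by type, the same guard on every secured page) as an added example; this is not code from the thread. It assumes a PDO connection $pdo, a user table with columns id, userName, passWord, accountType, landing page paths of my own choosing, and swaps the thread's mysql_* plus md5 for prepared statements and password_hash/password_verify.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// `user` table with columns id, userName, passWord (password_hash output),
// accountType. Landing page paths below are assumed.

session_start();

// Where each account type lands after login (assumed paths).
const LANDING_PAGES = [
    'admin'    => '/Administration/admin-securepage.php',
    'manager'  => '/Managers/manager-securepage.php',
    'hr'       => '/HR/hr-securepage.php',
    'accounts' => '/Accounts/accounts-securepage.php',
];

// Called from the one Login form handler. Returns false on bad credentials,
// otherwise sets up the session and redirects (never returns).
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, passWord, accountType FROM user WHERE userName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['passWord'])) {
        return false;
    }
    // Discard everything left from any previous login (the cause of the
    // admin-flag-survives-relogin bug in the thread) and issue a fresh
    // session id so the new role never rides on an old session.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['userId']      = (int) $row['id'];
    $_SESSION['accountType'] = $row['accountType'];
    header('Location: ' . (LANDING_PAGES[$row['accountType']] ?? '/Login.html'));
    exit();
}

// Top of every secured page, e.g. requireRole('manager') or
// requireRole('admin', 'manager'). Reads only the session: no DB query per page.
function requireRole(string ...$allowed): void
{
    $type = $_SESSION['accountType'] ?? null;
    if ($type === null || !in_array($type, $allowed, true)) {
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        echo 'Permission denied. You have been logged out.';
        exit();
    }
}
```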