I have a PHP login page with session control. It routes a normal user to info.php and an admin user to info_admin.php. If I log in with a "normal" user it goes to info.php; however, in the address bar, I can go to info_admin.php and it doesn't kick me out, it gives me access. How can I control this or prevent the user from doing this manually?

For info, I'm using this script: http://php-login-script.com/

Thanks very much!

+2  A: 

I quickly scanned through the login code, it seems to be setting a variable $_SESSION['user_level'] when the user first logs in.

To allow only users with level 2, for example, put this at the top of your page. It should redirect anyone who is not a level 2 user back to the login page.

<?php
// session_start() must already have been called (the login script does this)
// before $_SESSION can be read.
if (isset($_SESSION['user_level']) && $_SESSION['user_level'] == 2) {

?>


<!-- Your page HTML here -->


<?php

} else {
    header('Location: login.php');
    exit; // header() only queues the redirect; stop the script so the page is not sent
}

?>
Lotus Notes
Lotus, I have that at the top of EVERY page, but it is only checking that the user is logged in. It's not checking user level
BigMike
Ok, edited. Hopefully this should work.
Lotus Notes
This is cool, but why put all of your HTML code between an if...else when you can just change the header if they fail authentication at the top of the file? This will make for much easier to read code down the line.
Liam
@Liam Yes, thanks. I also forgot to call exit() or die() after header() which is good practice.
Lotus Notes
+1  A: 

The high level approach is that upon login, store the user's access level in the session or in a database. At each page call, check against that value.

Andrew Sledge
+1  A: 

Just add an extra function that checks user level--if it's at or above the desired level, return true. If not, return false and failover. Then in your page you want to protect, fire the function with the desired level of protection.

For instance:

function checkPerms($level) {
  // Compare the level stored in the session at login with the required level
  if (isset($_SESSION['user_level']) && $_SESSION['user_level'] >= $level) {
    return true;
  } else {
    // failover: send the user back to the login page and stop rendering
    header('Location: login.php');
    exit;
  }
}

then call in your pages

checkPerms(5);

EDIT: If you were really slick, you could just add an extra param to your original function call with the user level, defaulted to the lowest value. Then, if the user validates as registered, it could check the user level at the same time.

bpeterson76
+3  A: 

Just to make Lotus Notes' code a bit more compact:

<?php
if (!isset($_SESSION['user_level']) || ($_SESSION['user_level'] != 2)) {
    header('Location: login.php');
    exit;
}
?>

<!-- Your page HTML here -->
Mike C
I'm using this code, but it's not showing the page. I have: if (!isset($_SESSION['user_level'] || $_SESSION['user_level'] != admin)
BigMike
Sorry there was an error in the code. I've fixed it.
Mike C
Mike, I just did an echo $_SESSION['user_level']; and it's not showing. But I know it's working because the protect_page() function is using session control. Any reason this could be failing?
BigMike
Are you calling session_start(); beforehand? You should.
Mike C
Yes, I figured it out. Thanks very much, your solution is perfect.
BigMike
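Pulling the advice from the answers above together (make sure the session is started, check the level stored at login, redirect and exit on failure) into one reusable guard. This is an added example, not code from any of the answers or from the php-login-script.com script. The helper names `user_has_level()` and `require_user_level()`, the integer cast, and the assumption that a higher `user_level` number means more access are mine; the `$_SESSION['user_level']` key, the level value 2 and the `login.php` redirect target come from the answers on this page.

```php
<?php
// Added example: a reusable access guard for pages such as info_admin.php.
// Assumptions (not from the page): the helper names below, and that
// user_level is an integer rank where a higher number means more access.

function user_has_level(int $required): bool
{
    // The login script sets $_SESSION['user_level'] on a successful login.
    // A missing key means the visitor is not logged in at all.
    if (!isset($_SESSION['user_level'])) {
        return false;
    }
    // Cast to int so a level stored as the string "2" (e.g. straight from the
    // database) compares as a number rather than as a string.
    return (int) $_SESSION['user_level'] >= $required;
}

function require_user_level(int $required): void
{
    // Start the session only if the login script has not already done so;
    // calling session_start() twice raises a notice.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    if (!user_has_level($required)) {
        // header() only queues the redirect. Without exit the rest of the page
        // is still rendered and sent, which is exactly the leak in the question.
        header('Location: login.php');
        exit;
    }
}

// At the very top of info_admin.php, before any HTML output is produced:
require_user_level(2);
?>
<!-- Admin page HTML here -->
```

The guard must run before the first byte of HTML, since `header()` fails once output has started. Keeping the check in a function means each protected page declares only the level it needs, and the redirect-plus-exit behaviour that the comments above point out as easy to forget lives in one place.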