Somk

Reputation: 12047

Is this safe to use? User level management

I use the below code on all my pages after initialising the SESSION data and defining the variable $auth_level.

I use this to decide what to show users of varying levels.

<?php
    // Expects session_start() to have run and $auth_level to be set by the page.
    if($auth_level == 'basic'){
        // auth_level basic: any logged-in user may view the page
        if (!isset($_SESSION['username'])) {
            header('Location: login.php');
            exit; // stop rendering; header() alone does not end the script
        }
    } else if ($auth_level == 'admin'){
        // auth level admin: logged in and role 2
        if (!isset($_SESSION['username']) || $_SESSION['role'] != 2) {
            header('Location: login.php');
            exit;
        }
    } else {
        // auth level admin assumed for security (unknown level fails closed)
        if (!isset($_SESSION['username']) || $_SESSION['role'] != 2) {
            header('Location: login.php');
            exit;
        }
    }
?>

Upvotes: 2

Views: 94

Answers (1)

Bartłomiej Wach

Reputation: 1986

This one might help:

https://stackoverflow.com/a/1225668/1437605

Shortly speaking: you should store some more information in $_SESSION to distinguish clients (like IP etc.), as otherwise I could obtain your cookie with your session ID and that could authenticate properly, depending on how you get the 'username' and 'role' values.

Upvotes: 1
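The following is an added example, not code from the question or the answer above. It combines the fail-closed role check from the question with the answer's suggestion of binding the session to the client, and fixes two defects in the posted snippet: the missing `exit` after `header('Location: ...')` (without it the protected page still renders for the redirected client) and the absence of `session_regenerate_id()` at login (session fixation). The names `require_auth_level`, `establish_login_session`, the `fingerprint` session key, the integer role value 2 for admin and the `login.php` path are all assumptions for illustration.

```php
<?php
// Added example (not the asker's or answerer's code): a fail-closed
// version of the per-page check that also binds the session to the client.
// Assumptions: sessions hold 'username', 'role' (int, 2 = admin) and
// 'fingerprint'; login.php is the login page. All of these are hypothetical.

declare(strict_types=1);

const ROLE_ADMIN = 2;

// Minimum role required for each page level. Anything not listed is
// treated as admin-only, matching the original's "assumed for security".
const LEVEL_REQUIREMENTS = [
    'basic' => null,        // any authenticated user
    'admin' => ROLE_ADMIN,
];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Fingerprint that changes when the cookie is replayed from a different
// client. User-Agent only by default; include the IP with care, since
// mobile and NAT users change addresses and would be logged out.
function client_fingerprint(bool $includeIp = false): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($includeIp) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

// Call once, after the password check has succeeded.
function establish_login_session(string $username, int $role): void
{
    start_secure_session();
    session_regenerate_id(true);          // new ID defeats session fixation
    $_SESSION['username']    = $username;
    $_SESSION['role']        = $role;
    $_SESSION['fingerprint'] = client_fingerprint();
}

function deny_and_redirect(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;                                 // header() alone does not stop the page
}

// Put this at the top of every page in place of the if/else chain.
function require_auth_level(string $auth_level): void
{
    start_secure_session();

    if (!isset($_SESSION['username'], $_SESSION['role'], $_SESSION['fingerprint'])) {
        deny_and_redirect();
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        deny_and_redirect();              // cookie presented from another client
    }

    $required = LEVEL_REQUIREMENTS[$auth_level] ?? ROLE_ADMIN;
    if ($required !== null && (int) $_SESSION['role'] !== $required) {
        deny_and_redirect();              // strict integer comparison, no "2abc" == 2
    }
}

// $auth_level is set by the including page; an unset level fails closed as admin.
require_auth_level($auth_level ?? 'admin');
```

The fingerprint check limits what a stolen cookie is worth, but it is a mitigation, not a substitute for keeping the cookie out of the attacker's hands: `secure` and `httponly` flags plus HTTPS everywhere do more than IP binding, which also breaks for users whose address changes mid-session.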
