Admin Section Login Problem

Problems getting my site to ask me to log into the admin section.

ThePr0fess0r

9:08 pm on Aug 4, 2009 (gmt 0)

10+ Year Member



Hello, first let me explain a little bit about what I am doing. I am in the process of creating my first webpage using PHP. I have a main site (with a login page) and that works great. Now I am in the process of creating an admin section (http://www.mysite.com/admin) and I am running into a big problem.

If I go to my main site and log in, and then in the address bar type /admin at the end of my site's URL, it logs me into the admin site without making me log in with my admin credentials.

I have one database table with fields of: username, password, and type. I am using the type field to hold what type of account it is (user or admin).

What I can't figure out is how to have my site check to see if the account type is an admin account before allowing me to access the admin section of the site.

I am willing to post any code you may need; I'm just not sure what you would need to see.

Any help would be greatly appreciated.

messageboy

11:32 pm on Aug 4, 2009 (gmt 0)

10+ Year Member



You will need to look into sessions. When a person logs in, a session is created that contains the username, encrypted password and, ideally, a random unique ID. At each page it checks the user's session content (username, password and ID) against the details in your database; if they don't match, use a header to redirect the user to the login page.

[edited by: eelixduppy at 2:19 am (utc) on Aug. 5, 2009]

CyBerAliEn

11:45 pm on Aug 5, 2009 (gmt 0)

10+ Year Member



I'll help you out a little further...

When a person logs in to your site, AFTER you validate the user information and verify it... add this code into your code:


<?php
session_start();
$_SESSION['username'] = $users_user_name_here;
$_SESSION['type'] = $users_role_or_level_here;
session_write_close();
/*I would avoid adding the password into the session; it is a potential security pitfall, and really doesn't serve a purpose once the user is already validated. (if you need the password, I'd recommend querying the DB to get it)*/
?>

Then, in your ADMIN pages, at the very top of the script, add the following code...


<?php
session_start(); /*The session must be started before $_SESSION can be read; without this the check below always fails open or warns.*/
if (!isset($_SESSION['type']) || $_SESSION['type'] !== "admin")
{
    /*Here, you need to STOP the visitor and force them to log in to your site, because they are either not logged in or are not an admin. In the above, change 'admin' to whatever you specify your 'type' as (admin, administrator, Administrator, etc).*/
    $loginpage = "/login.php";
    header("Location: {$loginpage}");
    exit(); /*Without exit(), PHP keeps running and the admin page is still sent to the browser after the redirect header.*/
    /*This first method (directly above) simply redirects the user's browser to your login page. Or, instead of the redirect, you could do this...*/
    // forceLogin();
    /*And you then define the function to "force" your login as you see fit; either redirecting to the login page; directly including the login page; building out the login page; etc. Be sure to specify "exit();" at the end of this function (if you go this route) to stop PHP from processing.*/
}
?>

This is all very simplified. If you want a reasonably SECURE login, consider the following:

Add fields to your DB such as "session" and "ipaddress". Store passwords in your DB in encrypted form (something as simple as using 'md5()' is usually decent enough).

When a user logs in, after you validate their credentials... store their IP into the DB. Create a random "token"... store it in your session somewhere ($_SESSION['token'] = $token;) and put this value in your DB as well (in 'session' field).

Then, on every page that requires authentication, call a function (such as 'authenticateUser();', etc). In this function, grab your "token" from sessions. Query your DB to find this user data. Verify the tokens match and IPs match. No need to keep re-checking user/pass. Use common sense as well; if the token is missing from sessions or DB, force a login. Make sure created tokens are unique. Etc. Etc.

And when someone wants to logout, create a function to clear the 'token' field for the user in the DB and destroy the session.

There are many approaches and specifics... best of luck!

[edited by: eelixduppy at 11:53 pm (utc) on Aug. 5, 2009]
[edit reason] disabled smileys [/edit]
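As an added example (not code from the original post or anyone in this thread), here is one way to put the token scheme described above into PHP: issue the token at login, verify token, IP and role against the DB on every protected page, and clear the token at logout. It assumes a PDO connection $db and a users table with columns username, type, session and ipaddress; those names, and the function names, are assumptions.

```php
<?php
// Added example, not from the original post. Assumed: a PDO handle $db and a users table with columns username, type, session (holds the token) and ipaddress.
// Call once, right AFTER the username/password have been verified; the login script has already called session_start().
function issueLoginToken(PDO $db, string $username): void
{
    $token = bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG; collisions are not a practical concern
    $stmt  = $db->prepare('UPDATE users SET session = :token, ipaddress = :ip WHERE username = :user');
    $stmt->execute([':token' => $token, ':ip' => $_SERVER['REMOTE_ADDR'] ?? '', ':user' => $username]);
    session_regenerate_id(true);          // fresh session id after login, so a pre-login id cannot be fixated
    $_SESSION['username'] = $username;
    $_SESSION['token']    = $token;       // the role is NOT cached here; it is read back from the DB each time
}
// Call at the very top of every protected page, before any output. Pass 'admin' on admin pages.
function authenticateUser(PDO $db, string $requiredType = 'user'): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = $_SESSION['token'] ?? '';
    $user  = $_SESSION['username'] ?? '';
    if ($token === '' || $user === '') {
        forceLogin();                     // nothing usable in the session: not logged in
    }
    $stmt = $db->prepare('SELECT username, type, session, ipaddress FROM users WHERE username = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals compares in constant time; a NULL token in the DB (after logout) never matches.
    // Caveat: the IP check logs out users whose address changes mid-session (mobile networks, some proxies).
    if ($row === false
        || !hash_equals((string) $row['session'], $token)
        || $row['ipaddress'] !== ($_SERVER['REMOTE_ADDR'] ?? '')
        || ($requiredType === 'admin' && $row['type'] !== 'admin')) {
        forceLogin();
    }
    return $row;
}
// Logout page: run authenticateUser() first, then clear the DB token so the old session cannot be replayed.
function logoutUser(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET session = NULL WHERE username = :user')->execute([':user' => $username]);
    forceLogin();
}
function forceLogin(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit();                               // stop here so the protected page is never emitted
}
```

Reading the role from the DB row rather than from $_SESSION means demoting or disabling an account takes effect on the next request, not only after the user's session expires.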