
Re: [LUG] PHP Session problems


On Thu, 10 May 2007 20:55:46 +0100
"Robin Cornelius" <robin.cornelius@xxxxxxxxx> wrote:

> Having a problem with php and sessions, got them basically working. Got
> a login page that checks login against sql database and records the
> session id there, and basic login works fine. Some logins have
> administrative rights and this I have messed up. When I check the
> login I set an extra php session variable to indicate admin rights but
> this just vanishes after a few page clicks,

I suspect that the extra authentication variable is not being read from
the session cookie and is therefore not being reset when the session
cookie is written back.

> What I do at the start of every page is check the variables to see
> if the user is allowed to view that page.

My first thought is that only some of the variables are being read.

> This is the check that is vanishing on an admin page :-
>
> <?php
>
>  session_start();
>
>  if($_SESSION['usertype']!="Administrator")
>  {
>         header("Location: http://www.ukmagsoc.org.uk/html/login/index.php?error=3");
>         exit; // stop output after the redirect
>  }
>
> ?>
>
> the usertype variable just vanishes after a couple of clicks around the site.

It may be counter-intuitive but by not reading usertype but only
reading userid, you may be causing the loss of the usertype data. Can
you not calculate usertype from userid?

>
> On other pages we have :-
>
>
> session_start();
>
>   if(!isset($_SESSION['userid']))
>   {
>     header("Location: ../login/index.php?error=2");
>     exit; // stop output after the redirect
>   }

Even if this page has no content relevant to the administrator, it
still needs to check the variable so that it is in scope for the next
operation using the cookie.

> which never fails to work and stays active until logout.

Because it's in every page that uses the cookie.

At least, that would be the first thing I would implement as a
testcase. That and trying to calculate usertype from userid by some
server-only method, maybe in the database.

--


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
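One way to implement the server-side lookup Neil suggests, as an added example that is not code from the thread: a single include run at the top of every protected page, which derives usertype from userid in the database on each request rather than keeping a second session variable. The PDO connection `$pdo`, the `users` table and its `id`/`usertype` columns are assumptions for this example.

```php
<?php
// Added example (not from the thread): every protected page includes this
// first. The role is looked up from userid on the server for each request,
// so it is never stored in, or trusted from, the session itself.
// Assumed: a PDO connection in $pdo and a `users` table with columns
// id and usertype (both assumptions for this example).

declare(strict_types=1);

function require_login(PDO $pdo, string $loginUrl = '../login/index.php'): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // No userid in the session: the user has not logged in.
    if (!isset($_SESSION['userid'])) {
        header('Location: ' . $loginUrl . '?error=2');
        exit; // without exit, the rest of the page would still be sent
    }

    // Derive the role from the database instead of relying on a second
    // session variable that may be stale or missing.
    $stmt = $pdo->prepare('SELECT id, usertype FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['userid']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // The session refers to an account that no longer exists: log out.
        session_unset();
        session_destroy();
        header('Location: ' . $loginUrl . '?error=2');
        exit;
    }
    return $user;
}

function require_admin(PDO $pdo, string $loginUrl = '../login/index.php'): array
{
    $user = require_login($pdo, $loginUrl);
    if ($user['usertype'] !== 'Administrator') {
        header('Location: ' . $loginUrl . '?error=3');
        exit;
    }
    return $user;
}

// Usage at the top of an admin page (assumes $pdo has already been created):
// $user = require_admin($pdo);
```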


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html