Neil Williams wrote:
> On Thu, 10 May 2007 20:55:46 +0100
>> On other pages we have :-
>>
>>     session_start();
>>
>>     if(!isset($_SESSION['userid']))
>>     {
>>         header("Location:../login/index.php?error=2");
>>     }
>>
> Even if this page has no content relevant to the administrator, it
> still needs to check the variable so that it is in scope for the next
> operation using the cookie.
>
>> which never fails to work and stays active until logout.
>
> Because it's in every page that uses the cookie.
>
> At least, that would be the first thing I would implement as a
> testcase. That and trying to calculate usertype from userid by some
> server-only method, maybe in the database.

I second calculating the admin privileges on the server side. If you've
got the userid, you should already know everything you need to know about
that user. Your code for an admin page would then probably look something
like:

    if(isset($_SESSION['userid']))
    {
        $userid = $_SESSION['userid'];
        if(!isadmin($userid))
        {
            header("Location:../login/index.php?error=3");
            exit; // stop here, or the admin content below is still sent
        }
    }
    else
    {
        header("Location:../login/index.php?error=2");
        exit;
    }

You will have to write a function called isadmin() that takes the
parameter $userid and returns a boolean depending on their privileges, but
this is much more useful than trying to pass the admin state in a cookie,
and can also be used to add special admin content to non-admin pages.

Anton

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
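One way to implement the isadmin() lookup and the page guard discussed in the thread, as an added example rather than code from either poster. The users table, its columns and the sample rows are constructed for the demo; an in-memory SQLite database stands in for the site's real one.

```php
<?php
// Added example: derive admin privilege server-side from the session's userid.
// Table name, column names and sample rows are constructed for this demo.
declare(strict_types=1);

// In-memory SQLite stands in for the site's real user database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");

// The privilege lives only in the database, never in a cookie the browser can
// edit. A prepared statement keeps $userid out of the SQL text.
function isadmin(PDO $db, int $userid): bool
{
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown userid (deleted account, stale session) is treated as not admin.
    return $row !== false && (int)$row['is_admin'] === 1;
}

// Guard for the top of every admin page. Each redirect is followed by exit:
// without it PHP keeps running and the admin content is still sent.
function require_admin(PDO $db): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['userid'])) {
        header('Location: ../login/index.php?error=2');
        exit;
    }
    $userid = (int)$_SESSION['userid'];
    if (!isadmin($db, $userid)) {
        header('Location: ../login/index.php?error=3');
        exit;
    }
    return $userid; // caller can reuse it, e.g. to show admin-only blocks
}

// Demo run without a live session: show the decision for each constructed user.
foreach ([1, 2, 99] as $uid) {
    printf("userid %d -> %s\n", $uid, isadmin($db, $uid) ? 'admin' : 'not admin');
}
```

On a non-admin page the same isadmin() call can gate optional admin-only content without redirecting.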