Robin Cornelius wrote:
> Anton Channing wrote:
>
>> I second the calculating the admin privileges on
>> the server side. If you've got the userid, you
>> should already know everything you need to know
>> about that user.
>
>> You will have to write a function called isadmin()
>> that takes the parameter $userid and returns a
>> boolean depending on their privileges, but this
>> is much more useful than trying to pass the admin
>> state in a cookie, and can also be used to add
>> special admin content to non-admin pages.
>
> Hi,
>
> Can I ask you to explain a bit more. I'm getting confused :-)
>
> My original idea was to set the session cookies from a process_login.php
> script that looked up the user password etc. from the database then set
> the session cookies accordingly.
>
> If I create an isadmin() function as described this has to do a DB query
> every page change to verify if the admin menu options should be
> displayed. This seems a bit wasteful.

Not every page change, only admin pages. It should be a very quick query,
and since only admins should ever be calling it, it shouldn't happen very
often.

> I can currently on any page just test the usertype cookie and if set
> show additional content with
>
> if($_SESSION['usertype']=="Administrator") {
>     // Show lots of extra content.
> }

But what if you've revoked the user's admin privileges in the meantime?
They will still have an active cookie. Your method is insecure. Unless you
check permissions every page load, you don't know if they are up to date.
What if a banned ex-admin has kept a session open? Unlikely scenario, but
it pays to think about these things in advance.

Good practice pays. I once explained to a non-technical boss why I was
separating the PHP from the HTML and using separate CSS pages. I explained
that if the college ever decided to change its name or logo, it would be
easy to do. I said "I know it's unlikely..." to which he replied, "Well you
say that but..."

As you may be aware, Plymouth College of Further Education rebranded itself
as City College Plymouth back in January. I was very thankful all I had to
do was alter one style sheet, one logo graphic, and one HTML template.
Okay, different scenario, but it still pays to do it the correct way to
start with.

> or add a check at the start of the page to
> prevent any access to that page.
>
> Thanks,

Even if you do stick with session variables, you should probably set them
into standard variables first and then use standard variables in your code.
This will improve efficiency and make your code look neater.

Anton

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
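The isadmin($userid) function Anton describes, worked through as an added example that is not code from either poster. It assumes a users table with id and usertype columns (the column name usertype is taken from Robin's $_SESSION['usertype'] check; the table layout is otherwise an assumption), and uses an in-memory SQLite database with constructed sample rows so it runs stand-alone with php-cli. It puts the stale-session check from Robin's post beside the server-side lookup so the revocation case Anton raises can be seen directly:

```php
<?php
// Added example (not from the original thread): server-side admin check
// via a per-request database lookup, beside the session-flag check it
// replaces. Runs stand-alone: php isadmin_example.php

declare(strict_types=1);

// Constructed sample schema and data. The real site's users table is
// assumed to have at least an id and a usertype column.
function build_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, usertype TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO users (id, username, usertype) VALUES (?, ?, ?)');
    $stmt->execute([1, 'robin', 'Administrator']);
    $stmt->execute([2, 'anton', 'Student']);
    return $db;
}

// isadmin(): takes the userid and returns a boolean computed from the
// database on every call, so a revoked admin loses access on the next
// page load rather than when the session finally expires.
function isadmin(PDO $db, int $userid): bool
{
    // Prepared statement: the id comes from the server-side session, but
    // never build the SQL by string concatenation anyway.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = ? AND usertype = ? LIMIT 1');
    $stmt->execute([$userid, 'Administrator']);
    return $stmt->fetchColumn() !== false;
}

// Guard for the top of an admin-only page. Only the userid is trusted from
// the session; the privilege itself is recomputed, never read back from a
// value stored at login time.
function require_admin(PDO $db, array $session): void
{
    if (!isset($session['userid']) || !isadmin($db, (int) $session['userid'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// The insecure variant under discussion: trusts a usertype value stored at
// login and never re-checked, so it cannot notice a revocation.
function isadmin_from_session_flag(array $session): bool
{
    return ($session['usertype'] ?? '') === 'Administrator';
}

$db = build_sample_db();

// Simulated session as process_login.php would have set it at login time.
$session = ['userid' => 1, 'usertype' => 'Administrator'];

echo "At login: session flag says admin? "
   . var_export(isadmin_from_session_flag($session), true)
   . ", isadmin() says admin? " . var_export(isadmin($db, 1), true) . "\n";

// Privileges are revoked in the database while the session is still alive.
$db->prepare('UPDATE users SET usertype = ? WHERE id = ?')->execute(['Student', 1]);

echo "After revocation: session flag says admin? "
   . var_export(isadmin_from_session_flag($session), true)
   . ", isadmin() says admin? " . var_export(isadmin($db, 1), true) . "\n";
```

After the UPDATE the session flag still reports Administrator while isadmin() reports false, which is the gap Anton points at: the session only records what was true at login. On a real site require_admin($db, $_SESSION) would sit at the top of each admin page, and any non-admin page that wants to show extra admin content can call isadmin() in the same way, keeping the query to pages that actually need it.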