PHP Access Level Control ( Permissions) Help

Posted: Thu Dec 09, 2010 2:12 am
by mumba
Hi everyone, I am developing an application that has two views, one for administrators and one for staff. Administrators can perform all application tasks and staff can ONLY perform certain tasks. I have implemented sessions and they are working. Now the problem is that when I log in as staff and then change the URL to point to an administrator's page, the application allows that. How can I prevent that from happening? Staff MUST NOT see administrators' pages. Here are my login code, logout code and the code I am using to protect web pages.

Here is my login code

<?php

//start the session
session_start();

// set connection to database

$hostname="localhost"; // Host name
$mysql_server_username="root"; // Mysql username
$server_password=""; // Mysql password
$db_name="db_inventory"; // Database name
$table = "tbl_users";      // Table name

// Connect to server and select database.
mysql_connect($hostname, $mysql_server_username, $server_password) or die("cannot connect to database server");
mysql_select_db($db_name) or die ("Couldn't select the database.");

// read the posted values (default to empty strings if the form was not submitted)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// escape the username before it goes into the query; this needs the open connection above
$username_sql = mysql_real_escape_string($username);

$encrypted=md5($password);

$admin=("select * from $table where username='$username_sql' AND password='$encrypted' AND type = 'admin'");
$staff=("select * from $table where username='$username_sql' AND password='$encrypted' AND type = 'staff'");

//check that at least one row was returned
$adminresult=mysql_query($admin) or die("query failed");
$admincount = mysql_num_rows($adminresult);

$staffresult=mysql_query($staff) or die("query failed");
$staffcount = mysql_num_rows($staffresult);

if($admincount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: main_menu.php" );
exit; // stop here so the login form below is not sent after the redirect
}
else if($staffcount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: staff/main_menu.php" );
exit;
}
else
{

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> | Login</title>
</head>

<body bgcolor="#FFFFFF" style="background-repeat:no-repeat" background="images/images1.jpg">
<div align="center">
  <table width="800" height="501" border="0" cellpadding="1" cellspacing="1">
    <tr>
      <td height="100">&nbsp;</td>
    </tr>
    <tr>
      <td height="350">
      <div align="center">
      <form method="post" action="login_process.php">
        <h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>
          <img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br />
          <table width="314" border="0" cellspacing="1" cellpadding="1">
            <tr>
              <td>Username:</td>
              <td><label>
                <input type="text" name="username"  />
              </label></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><label>
                <input type="password" name="password" />
              </label></td>
            </tr>
            <tr>
              <td colspan="2">
              <p>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
                  <input type="submit" name ="submit" value="Login" />&nbsp; &nbsp; &nbsp;<input type="reset" value="Reset" />                
              </p>
              </td>
            </tr>
          </table>      
      </form>
       </div>
       </td>
    </tr>
    <tr>
      <td height="100">&nbsp;</td>
    </tr>
  </table>
</div>
</body>
</html>

<?php

}
?> 

Here is my logout code

<?php
//start the session
session_start();

//check to make sure the session variable is registered
if(isset($_SESSION['valid_user'])){

//session variable is registered, the user is ready to logout
session_unset();
session_destroy();

//send the user back to the login page
header( "Location: index.php" );
exit;
}
else
{
//the session variable isn't registered, the user shouldn't even be on this page
//redirect to login page
header( "Location: index.php" );
exit;
}
?>

Here is code I am using to protect pages

<?php
//start the session
session_start();
//check to make sure the session variable is registered

if(!isset($_SESSION['valid_user'])){
//redirect to login page
header( "Location: index.php" );
exit; // without this the HTML below is still sent to a client that ignores the redirect
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> | Main Menu</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>

<body>

<div id="tabsF">
<ul>
<!-- CSS Tabs -->
<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>
<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>
<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>
<li><a href="logout.php"><span>LOGOUT</span></a></li>

</ul>
</div>
</body>
</html>


Thank you.

Re: PHP Access Level Control ( Permissions) Help

Posted: Thu Dec 09, 2010 3:19 am
by social_experiment

<?php if(!isset($_SESSION['valid_user'])) ?>

On your protection page you are only checking if a session variable named 'valid_user' is set. When you log in you set only this variable:

<?php
if($admincount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: main_menu.php" );
}
else if($staffcount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: staff/main_menu.php" );
}
?>
How does the script differentiate between admin and staff? Set a value like $_SESSION['admin_user'] when the administrator is logged in and a similar value (not admin_user) for staff. Your checking code (protection page) will have to be modified to check for these additional settings.
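The advice above, as an added example (this is not code from either poster): a single guard file that every protected page includes before sending any HTML. It assumes the login script stores the user's role in $_SESSION['user_level'] (1 for admin, 2 for staff, taken from the database row at login) alongside the thread's $_SESSION['valid_user']; the constant and function names are hypothetical. The allowed levels are decided per page on the server, so typing an admin URL into the browser as staff cannot get past it.

```php
<?php
// auth_guard.php (hypothetical name): included as the first line of every
// protected page, before any HTML output.
declare(strict_types=1);

// Role values assumed to be written into $_SESSION['user_level'] at login.
const LEVEL_ADMIN = 1;
const LEVEL_STAFF = 2;

// Redirect and stop. Without exit, PHP keeps running and the rest of the
// page is still sent to any client that simply ignores the Location header.
function redirect_and_exit(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;
}

// Require an authenticated user; anyone else goes to the login page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // empty() also rejects a level of 0, which is never a valid role here.
    if (empty($_SESSION['valid_user']) || empty($_SESSION['user_level'])) {
        redirect_and_exit('index.php');
    }
}

// Require one of the listed levels. The page, not the request, decides
// which levels are allowed.
function require_level(int ...$allowed): void
{
    require_login();
    $level = (int) $_SESSION['user_level'];
    if (!in_array($level, $allowed, true)) {
        // Logged in but not permitted: refuse outright and stop, so nothing
        // of the admin page is ever rendered for a staff session.
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo "You do not have sufficient privileges to access this page.\n";
        exit;
    }
}

// Usage at the top of an admin-only page such as main_menu.php:
//     require 'auth_guard.php';
//     require_level(LEVEL_ADMIN);
// and at the top of a page both roles may use, such as staff/main_menu.php:
//     require '../auth_guard.php';
//     require_level(LEVEL_ADMIN, LEVEL_STAFF);
```

The role is read from the session, which the browser cannot edit, and the check runs before the page's HTML, so the answer's point about "checking for these additional settings" is covered by one include rather than a copy of the check on every page.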

Re: PHP Access Level Control ( Permissions) Help

Posted: Fri Dec 17, 2010 4:56 pm
by mumba
Hi, when I code like this in the login process it fails to work properly.

Login code segment

if($admincount> 0){
$_SESSION['valid_user'] = $username ;
$_SESSION['admin_access'] = 2;
header( "Location: main_menu.php" );
}
else if($staffcount> 0){
$_SESSION['valid_user'] = $username ;
$_SESSION['non_admin_access'] = 1;
header( "Location: staff/main_menu.php" );
}

Page protection code

<?php
//start the session
session_start();
//check to make sure the session variable is registered

if(!isset($_SESSION['valid_user']) and !isset($_SESSION['admin_access'])){
?>
<script>
alert("You Do Not Have Sufficient Privileges To Access This Page. Admin ONLY");
</script>
<?php
//redirect to login page
header( "Location: index.php" );
}
?>

Logout code

<?php
//start the session
session_start();

//check to make sure the session variable is registered
if(isset($_SESSION['valid_user']) && isset($_SESSION['admin_access'])){

//session variable is registered, the user is ready to logout
session_unset();
session_destroy();

//the session variable isn't registered, the user shouldn't even be on this page
header( "Location: index.php" );
}
else
{
//check to see if the session variable is not registered
if(!isset($_SESSION['valid_user']) && !isset($_SESSION['admin_access'])){
//redirect to login page
header( "Location: index.php" );
}
}
?>

That's the way I have coded the changes, but it is still not working fine.

Re: PHP Access Level Control ( Permissions) Help

Posted: Sat Dec 18, 2010 5:06 am
by social_experiment
Instead of setting 2 session variables, $_SESSION['admin_access'] & $_SESSION['non_admin_access'], set a single generic variable. If you set $_SESSION['user_level'], for example, you can set it to a numeric value on login for the specific type of user, say 1 for admin and 2 for non-admins. Now your code will be simpler:

<?php
 session_start();
 // at this point the user is definitely logged in
 switch($_SESSION['user_level']) {
 case 1:
 // this means an admin is logged in
 header("Location: admin_index.php");
 break;
 case 2:
 // this is a non-admin
 header("Location: normal_index.php");
 break;
 // no other value is valid
 default:
 header("Location: bad_user.php");
 }
 exit; // stop after the redirect so nothing else on the page is sent
?>
Once you have redirected the user to their type of page, the authentication shouldn't be whether the user is admin or non-admin but rather to see if they are authenticated by username and password, because non-admin pages won't have similar functions to the administrator pages. To go about this you can write the value ($_SESSION['user_level']) to the database and check that as well, along with being authorized (if you want that additional bit of peace of mind).

When a user has been logged in it is a good idea to regenerate the session id before redirecting them to the page where they should be.

<?php
 if($admincount> 0){
 $_SESSION['valid_user'] = $username ;
 $_SESSION['admin_access'] = 2;
 // regenerate session id after login is authenticated
 session_regenerate_id();
 header( "Location: main_menu.php" );
 exit;
 }

?>
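The two suggestions in this reply (one numeric $_SESSION['user_level'] stored from the database, and regenerating the session id after login) put together in one login_process.php, as an added example that is not either poster's code. It assumes a table tbl_users(username, password_hash, user_level) where password_hash was produced by PHP's password_hash() rather than the thread's md5() column, and the database credentials and page names are placeholders.

```php
<?php
// login_process.php (added example): one query fetches the user's hash and
// level, so the level comes from the database row rather than from which of
// two role-specific queries happened to match.
declare(strict_types=1);
session_start();

const LEVEL_ADMIN = 1;
const LEVEL_STAFF = 2;

// Landing page for a level; null means the level is not recognised.
function landing_page_for(int $level): ?string
{
    switch ($level) {
        case LEVEL_ADMIN:
            return 'main_menu.php';
        case LEVEL_STAFF:
            return 'staff/main_menu.php';
        default:
            return null;
    }
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// Placeholder credentials; ERRMODE_EXCEPTION so a failed query cannot be
// mistaken for "no such user".
$pdo = new PDO(
    'mysql:host=localhost;dbname=db_inventory;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Bound parameter: the username never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT password_hash, user_level FROM tbl_users WHERE username = ? LIMIT 1');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false || !password_verify($password, (string) $row['password_hash'])) {
    // One generic failure path: do not reveal whether the username existed.
    header('Location: index.php?error=1');
    exit;
}

$level = (int) $row['user_level'];
$target = landing_page_for($level);
if ($target === null) {
    // A row with an unknown level is treated as not logged in at all.
    header('Location: index.php?error=1');
    exit;
}

// Fresh session id after authentication (true also discards the old session
// data), so an id a client held before logging in is not the one that is
// now authenticated.
session_regenerate_id(true);
$_SESSION['valid_user'] = $username;
$_SESSION['user_level'] = $level;

header('Location: ' . $target);
exit;
```

The level written into the session here is what a guard on each protected page checks; because it is set only from the database row during a successful login, a staff user cannot promote themselves by editing anything in the request.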