PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
The problem is that the page will display the content whether or not I have a "UserLever" cookie. Does anyone have a suggestion as to how I can prevent people from viewing a specific page based on a cookie? Basically, my cookie just has a value of 0 for admin, 1 for registered users, and 3 for guests. Any help would be greatly appreciated.
Any chance you'd rethink using cookies for this and switch to sessions?
Just that ... well ... if I were a user and I happened to check the contents of my cookie, and I saw a setting 'userlevel' = 1, I'd probably be very tempted to change it to see what would happen.
Storing login credentials in a cookie is, for the most part, a bad idea.
Thanks for the quick reply. You just answered my second question as well, which was going to be a question about preventing JavaScript injection and cookie tampering. I'll adjust the code now and post an update.
Thanks again!
UPDATE:
OK, I think it worked, but I'm not 100% sure. When does the session variable get erased? I'm testing this site locally using Apache. I open my web browser and type 'localhost' into the URL. If I go directly to my login.php page and try to type in the URL of the page (/localhost/testPages/loggedIn.php), it doesn't let me in; yay!... However, after I logged in the first time I closed my browser, opened it again, and went back to the 'localhost' directory and typed the URL of the page that shouldn't be accessible unless you're logged in, but it let me in?? Is this normal?
I hope this explanation is understandable, I'm kind of new with this stuff. Basically it works when I'm in the login.php page and try to type the URL of the forbidden page. However, I'm worried because it will let me in when I'm in the root of my 'localhost' directory and type the URL of the forbidden site. Why is this? Does it matter, or am I secure?
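One way to write the session-based check suggested in this thread, as an added example that is not code from any of the posters. The session keys `user_level` and `last_seen`, the 15-minute idle limit and the redirect to login.php are assumptions; the level values (0 = admin, 1 = registered) follow the question.

```php
<?php
// Added example: hypothetical guard placed at the top of a protected page
// such as loggedIn.php. Key names and the idle limit are assumptions.
declare(strict_types=1);

const LEVEL_ADMIN = 0;        // level values as described in the question
const LEVEL_REGISTERED = 1;
const IDLE_LIMIT = 900;       // assumed idle timeout, in seconds

// Pure decision function: the level is read from server-side session data,
// never from a value the browser can edit.
function may_view(array $session, int $requiredLevel, int $now): bool
{
    if (!isset($session['user_level'], $session['last_seen'])) {
        return false;                        // nobody has logged in
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        return false;                        // session has gone stale
    }
    // Lower number means more privilege (0 = admin, 1 = registered).
    return $session['user_level'] <= $requiredLevel;
}

session_set_cookie_params([
    'lifetime' => 0,          // session cookie: no expiry date is set on it
    'path'     => '/',
    'httponly' => true,       // not readable from page JavaScript
    'samesite' => 'Lax',
    // 'secure' => true,      // enable once the site is served over HTTPS
]);
session_start();

if (!may_view($_SESSION, LEVEL_REGISTERED, time())) {
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;                     // stop here so the protected content is never sent
}
$_SESSION['last_seen'] = time();

// In login.php, after the password check succeeds (assumed flow):
//   session_regenerate_id(true);
//   $_SESSION['user_level'] = $levelFromDatabase;
//   $_SESSION['last_seen']  = time();
```

The browser only holds an opaque session ID, so editing the cookie cannot raise a user's level. A server-side idle check and an explicit logout that calls `session_destroy()` bound how long a login stays valid regardless of how the browser treats the cookie.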