D&C GLug - Home Page


Re: [LUG] PHP Session problems

 

Neil Williams wrote:
> On Thu, 10 May 2007 20:55:46 +0100
>> On other pages we have :-

>> session_start();
>>
>>   if(!isset($_SESSION['userid']))
>>   {
>>     header("Location:../login/index.php?error=2");
>>     exit;   // stop here, otherwise the rest of the page is still sent after the redirect header
>>   }

> Even if this page has no content relevant to the administrator, it
> still needs to check the variable so that it is in scope for the next
> operation using the cookie.
> 
>> which never fails to work and stays active until logout.
> 
> Because it's in every page that uses the cookie.
> 
> At least, that would be the first thing I would implement as a
> testcase. That and trying to calculate usertype from userid by some
> server-only method, maybe in the database.

I second calculating the admin privileges on
the server side.  If you've got the userid, you
should already know everything you need to know
about that user.

Your code for an admin page would then probably
look something like:

session_start();   // $_SESSION is only populated after the session is started

if(isset($_SESSION['userid']))
{
        $userid = $_SESSION['userid'];
        if(!isadmin($userid))
        {
                header("Location:../login/index.php?error=3");
                exit;   // without exit the admin content below is still sent along with the redirect
        }
}
else
{
   header("Location:../login/index.php?error=2");
   exit;
}

You will have to write a function called isadmin()
that takes the parameter $userid and returns a
boolean depending on their privileges, but this
is much more useful than trying to pass the admin
state in a cookie, and can also be used to add
special admin content to non-admin pages.

Anton
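
As an added example (not Anton's or the original poster's code), here is one way to write the isadmin() function described above and wrap the session check around it; the users table with an id and role column, and the sample rows loaded into an in-memory SQLite database, are assumptions made so the example runs offline.

```php
<?php
// Added example: derive the admin state on the server from the session's
// userid instead of trusting a flag carried in a cookie.
// Assumptions: a users(id, role) table; the rows below are constructed sample data.
declare(strict_types=1);

function isadmin(PDO $db, int $userid): bool
{
    // Prepared statement: the id comes from the session, but never interpolate it into SQL.
    $stmt = $db->prepare('SELECT role FROM users WHERE id = :id');
    $stmt->execute([':id' => $userid]);
    $role = $stmt->fetchColumn();       // false when the user does not exist
    return $role === 'admin';
}

// Gate for an admin-only page: redirects and stops on failure, returns the userid on success.
function require_admin(PDO $db): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['userid'])) {
        header('Location: ../login/index.php?error=2');
        exit;                           // without exit the page body is still sent
    }
    $userid = (int) $_SESSION['userid'];
    if (!isadmin($db, $userid)) {
        header('Location: ../login/index.php?error=3');
        exit;
    }
    return $userid;
}

// On a non-admin page the same function selects optional admin-only content.
function admin_menu(PDO $db, int $userid): string
{
    return isadmin($db, $userid) ? '<a href="../admin/">Admin panel</a>' : '';
}

// Constructed sample data so the example runs without a real database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL)');
$db->exec("INSERT INTO users VALUES (1, 'admin'), (2, 'user')");

var_dump(isadmin($db, 1));
var_dump(isadmin($db, 2));
var_dump(isadmin($db, 99));             // unknown user is never an admin
echo admin_menu($db, 1), "\n";
```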


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html