
Re: [LUG] PHP Session problems


Robin Cornelius wrote:
> Anton Channing wrote:
> 
>> I second the calculating the admin privileges on
>> the server side.  If you've got the userid, you
>> should already know everything you need to know
>> about that user.
> 
>> You will have to write a function called isadmin()
>> that takes the parameter $userid and returns a
>> boolean depending on their privileges, but this
>> is much more useful than trying to pass the admin
>> state in a cookie, and can also be used to add
>> special admin content to non-admin pages.
> 
> Hi,
> 
> Can I ask you to explain a bit more. I'm getting confused :-)
> 
> My original idea was to set the session cookies from a process_login.php
> script that looked up the user password etc from the database then set
> the session cookies accordingly.
> 
> If I create an isadmin() function as described this has to do a DB query
> every page change to verify if the admin menu options should be
> displayed. This seems a bit wasteful.

Not every page change, only admin pages.  It
should be a very quick query, and since only
admins should ever be calling it, it shouldn't
happen very often.

> I can currently on any page just test the usertype cookie and if set
> show additional content with
> 
> if($_SESSION['usertype']=="Administrator") {
>       // Show lots of extra content.
> }

But what if you've revoked the user's admin
privileges in the meantime?  They will still
have an active cookie.  Your method is
insecure.

Unless you check permissions every page load,
you don't know if they are up to date.

What if a banned ex-admin has kept a session
open?  Unlikely scenario, but it pays to think
about these things in advance.

Good practice pays.  I once explained to a
non-technical boss why I was separating
the php from the html and using separate
css pages.  I explained that if the college
ever decided to change its name or logo,
it would be easy to do.  I said "I know it's
unlikely..." to which he replied, "Well you
say that but..."

As you may be aware, Plymouth College of
Further Education rebranded itself as
City College Plymouth back in January.
I was very thankful all I had to do was
alter one style sheet, one logo graphic,
and one html template.  Okay, different
scenario but it still pays to do it the
correct way to start with.

> or add a check at the start of the page to
> prevent any access to that page.
> 
> Thanks,

Even if you do stick with session variables,
you should probably set them into standard
variables first and then use standard variables
in your code.  This will improve efficiency
and make your code look neater.

Anton

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
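The two approaches discussed in the thread side by side, as an added example that is not code from either poster: the login-time `$_SESSION['usertype']` test versus a server-side `isadmin($userid)` lookup. The in-memory SQLite `users` table, its columns and its rows are constructed for this demo and stand in for the real user table.

```php
<?php
// Constructed stand-in for the site's user table (SQLite in memory,
// so the example runs offline without a MySQL server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, usertype TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'Administrator'), (2, 'Member')");

// Robin's approach: trust the usertype written into the session by
// process_login.php. Nothing re-checks it after login, so a privilege
// revoked later is not seen while the session stays open.
function isAdminFromSession(): bool
{
    return ($_SESSION['usertype'] ?? '') === 'Administrator';
}

// Anton's approach: derive the privilege from the userid with one short
// prepared query, called only on pages that show admin content.
function isadmin(PDO $db, int $userid): bool
{
    $stmt = $db->prepare('SELECT usertype FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    return $stmt->fetchColumn() === 'Administrator';
}

// Simulate process_login.php: user 1 is an administrator at login time.
$_SESSION = ['userid' => 1, 'usertype' => 'Administrator'];
var_dump(isAdminFromSession());               // bool(true)
var_dump(isadmin($db, $_SESSION['userid']));  // bool(true)

// The admin privilege is revoked while the session is still open.
$db->exec("UPDATE users SET usertype = 'Member' WHERE userid = 1");
var_dump(isAdminFromSession());               // bool(true)  - stale session value
var_dump(isadmin($db, $_SESSION['userid']));  // bool(false) - current DB state
```

The same `isadmin()` call placed at the top of an admin page, followed by a 403 response and `exit` when it returns false, gives the access gate mentioned at the end of Robin's message.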