I'm building a website where there are 3 kinds of login pages for different types of users (e.g. customers and salesmen). There are some pages that should be accessible only to specified users. If somebody tries to enter a specific page, I would like the script to check whether that person is allowed to do so.

The way I see it, I should create different session names at each login page and, when somebody tries to access a specific page, check whether it's the right person in the right place.

I know that checking if ANY session exists can be done via

isset($_SESSION)

and I also found some information about session_name here: http://php.net/manual/en/function.session-name.php

but I can't seem to put those two things together. Could anybody suggest a solution? I've been learning PHP for 3 weeks, so please go easy on me.

oneday
  • `$_SESSION` is a simple array, so `isset($_SESSION['name'])` – m1k1o Aug 18 '14 at 07:37
  • For security reasons, I would not recommend doing it this way. The SESSION itself is a temporary identity for a user. You can use $_SESSION as an array, which handles all data you like to store (temporarily) for the current user. For example: $_SESSION['is_salesman'] = true; is set on every request. – mrcrgl Aug 18 '14 at 07:38
  • You have to read about ACL (Access Control List) http://stackoverflow.com/questions/4415663/implementing-acl-for-my-php-application – skmail Aug 18 '14 at 07:39
  • @M1K1O is this code correct: `session_name("mySession");` and then `isset($_SESSION['mySession'])` used in an IF statement? – oneday Aug 18 '14 at 07:45
  • I think you had better use `$_SESSION["hasPermission"] = true;` and then check it with an IF statement. – m1k1o Aug 18 '14 at 07:48
  • @M1K1O could you send me a link to some more reading about sessions and permissions, how to set them and so on? I don't fully understand your idea and after some googling I don't really find a place to read about it. – oneday Aug 18 '14 at 08:08

1 Answer

At registration you give the user permission 1 or 2 and save it to the database along with the username and hashed password

| ID | Username |            Password Hash         | User Level |
| 1  |  User01  | t5ns4fdgn6sdn45d4t5zuk65fz6s4dt1 |      1     |
| 2  |  User02  | e8tdzjui56jn4fgvh635csd6trz6ghr8 |      2     |

At every login you store the User Level in $_SESSION["userLevel"].

And on the pages you want to protect you do the following (at the very beginning of the document):

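function UserLevel($level){
  // Start the session if the page has not done so already
  if(session_status() !== PHP_SESSION_ACTIVE){
    session_start();
  }
  // Redirect anyone who is not logged in or whose level does not match
  if(!isset($_SESSION["userLevel"]) || $_SESSION["userLevel"] != $level){
    header("Location: index.php");
    exit;
  }
}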

And then you can sort users:

// Use one call per protected page, at the top of that page:
UserLevel(1); // Only user 1 can access this page
UserLevel(2); // Only user 2 can access this page
m1k1o
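The approach from the answer and comments, as an added example that is not part of the original posts: the level is stored in the session at login, and each protected page checks it against an allow-list before any output. The user table, the passwords, the meaning of the levels (1 = customer, 2 = salesman) and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the users table from the answer.
// Level 1 = customer, level 2 = salesman (assumed; the page does not name the levels).
function demoUsers(): array {
    return [
        'User01' => ['hash' => password_hash('demo-pass-1', PASSWORD_DEFAULT), 'level' => 1],
        'User02' => ['hash' => password_hash('demo-pass-2', PASSWORD_DEFAULT), 'level' => 2],
    ];
}

// Verify the credentials, then bind the level to a fresh session ID.
function login(array $users, string $name, string $password): bool {
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new ID at the privilege change (session fixation)
    $_SESSION['userLevel'] = $users[$name]['level'];
    return true;
}

// Pure check: true only when a level is stored and it is one of the allowed ones.
function levelAllowed(array $session, int ...$allowed): bool {
    return isset($session['userLevel'])
        && in_array((int) $session['userLevel'], $allowed, true);
}

// Call at the very top of a protected page, before any output is sent.
function requireLevel(int ...$allowed): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!levelAllowed($_SESSION, ...$allowed)) {
        header('Location: index.php');
        exit; // without this the rest of the protected page would still run
    }
}

// A salesmen-only page would start with:  requireLevel(2);
// A page shared by both groups:           requireLevel(1, 2);
```

The level comes only from the server-side user record at login, so a visitor who never logged in, or who logged in through a different login page, has no matching `userLevel` and is redirected.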