I don’t know if this question has been asked before, but I’ll go through with it.
If you were to make a system in PHP that allows users to register and login – including user levels. How entirely would you create this system. Remind yourself about sessions, what exactly is the best method you would do when being careful with sessions – this I mean by session hijacking when including passwords (hashed of course), user level, and so on. I find myself when coding a user login system, it’s a bad method when using sessions to show modules, like this:
if(isset($_SESSION['user']) && isset($_SESSION['user_level']))
{
if($_SESSION['user_level'] == 3)
{
// show admin tools
}
elseif($_SESSION['user_level'] == 2)
{
// show moderator tools
}
}
I even used something like this:
if(isset($_SESSION['user']) && !empty($_SESSION['user']))
{
$sql = "SELECT user_id, username, user_level
FROM members
WHERE username = '" . $_SESSION['user'] . "'";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result) == 1)
{
while($row = mysql_fetch_array($result))
{
$uid = $row['user_id'];
$u_name = $row['username'];
$u_level = $row['user_level'];
}
}
}
So when I use something like this:
if($u_level == 3)
{
// show admin tools
}
Would be a better example wouldn’t it be?
That’s basically bad. Here’s what I do:
I set a random session id (
sessionid) in the$_COOKIE[]array. I use cookie because I use ajax with php, which (i feel) makes things a little easier for me. Feel free to use$_SESSION.Then there’s a table in my database that tells me:
The users table tells me the
user levelof the user.Remember: Anything that you get from $_COOKIE is never 100% trustworthy. So never put sensitive information into them. Examples of what not to put in these variables:
Hope this helps,
jrh