Session Question
blindnil (3/2/08 08:37 PM):
Alright, so on the site I have been working on I have a login system in which different types of users can log in. For now, I am only concerned with Admins and non-Admins. When an Admin logs in, a SESSION variable is set to differentiate them from those..."regular" people.
My quick and easy question is: is there any better way (in PHP) to verify that a user is an Admin than testing whether or not the SESSION variable is set? Right now I have a check on every admin page that sends the person to the home page if they are a regular user trying to access an admin page by typing the address directly into the browser. However, I feel like this SESSION checking system is not exactly enough.
To be honest, I feel like my site is going to fall apart at any moment and the PHP code I am using is merely duct tape trying to hold together a falling building.
Xbox Live gt: blindnil
Full Tilt sn: blindnil9
BoneIdol (3/2/08 09:36 PM):
At 3/2/08 08:37 PM, blindnil wrote: Alright, so on the site I have been working on I have a login system in which different types of users can log in. For now, I am only concerned with Admins and non-Admins. When an Admin logs in, a SESSION variable is set to differentiate them from those..."regular" people.
My quick and easy question is: is there any better way (in PHP) to verify that a user is an Admin than testing whether or not the SESSION variable is set? Right now I have a check on every admin page that sends the person to the home page if they are a regular user trying to access an admin page by typing the address directly into the browser. However, I feel like this SESSION checking system is not exactly enough.
To be honest, I feel like my site is going to fall apart at any moment and the PHP code I am using is merely duct tape trying to hold together a falling building.
I'm very familiar with the falling apart feeling; but 99% of the time it's unfounded, trust me. With PHP I always seem to get stuck fixing other people's fuck ups, and in my experience it's the ones that are oh-so-bloody-sure of themselves that make the greatest number and quality of them.
Like take file uploads for example; with the frankly silly number of things that can go wrong with them, it's a wonder that they actually ever work. But they do pretty much all the time once you get all the actual upload html form right.
Anyway, the alternative is to get their session, tie it to their user id and query the database for their credentials every page load, which is not ideal. The only downside to the method you're using now is if you promote someone to admin while they're already logged in; it won't take effect until they log in next.
Users can't access session variables unless you do something silly like $_SESSION['variable'] = $_POST['variable']. (If you do have to do this, validate your user input!) Sure, sessions may be a dirty great hack on top of http, but they're a good hack.
If you feel it's really bad, rewrite it again from scratch! You know what you're doing now and it's a personal project right? You can afford to play with it until you're happy with it; you don't have some fugly deadline looming over your shoulder.
Sufficiently advanced incompetence is indistinguishable from malice.
blindnil (3/2/08 09:54 PM):
At 3/2/08 09:36 PM, BoneIdol wrote: If you feel it's really bad, rewrite it again from scratch! You know what you're doing now and it's a personal project right? You can afford to play with it until you're happy with it; you don't have some fugly deadline looming over your shoulder.
Thanks for the encouragement, I needed it.
However, it's not a personal project. I am working on one of the departmental websites for Southern CT State University, and while I am not the greatest programmer in the world, what was there before was an atrocity so horrific that I could barely stomach it, and it was easy to improve upon it. I am very experienced and confident with html and css, and so redesigning the appearance of the site was something that I enjoyed and feel very proud of.
However, when I started with the site about a month ago I was not all that confident with PHP, and so as I write the code I always get the feeling that I'm missing something - like someone could hack into the site in a matter of seconds. Though, I feel much more confident now after working on the site for a month and when I really think about it, the site feels pretty solid to me because I've really put the work into it.
Although there's technically no real deadline and I am ahead of the game, there's no way I'm rewriting it, LOL. I just needed some reassurance. Quick additional question: is it okay to use header("Location: xxxxxx"); to change to xxxxx page after a user tries to go to a page they don't have access to? Or is there a better way? Something about header seems very hackish to me.
That-Is-Bull (3/2/08 10:09 PM):
Could just add a field to the member table for "rank" and use an if statement to redirect if their rank isn't "admin." I think.
blindnil (3/2/08 11:20 PM):
At 3/2/08 10:09 PM, That-Is-Bull wrote: Could just add a field to the member table for "rank" and use an if statement to redirect if their rank isn't "admin." I think.
Yeah, that's essentially what I'm doing; I just wanted to see if that was the best way to do it.
VigilanteNighthawk:
At 3/2/08 09:54 PM, blindnil wrote: However, when I started with the site about a month ago I was not all that confident with PHP, and so as I write the code I always get the feeling that I'm missing something - like someone could hack into the site in a matter of seconds. Though, I feel much more confident now after working on the site for a month and when I really think about it, the site feels pretty solid to me because I've really put the work into it.
If you have fears about security, you could always post some code here and have people audit it. I k
At 3/2/08 09:54 PM, blindnil wrote: Although there's technically no real deadline and I am ahead of the game, there's no way I'm rewriting it,
I know you just said you don't feel like rewriting it, but if you still have serious concerns over security, you may want to consider using a framework such as CakePHP or Zend Framework. It will shorten development time and comes with authentication modules built in.
At 3/2/08 09:54 PM, blindnil wrote: Quick additional question: is it okay to use header("Location: xxxxxx"); to change to xxxxx page after a user tries to go to a page they don't have access to? Or is there a better way? Something about header seems very hackish to me.
There may be the issue of a small number of users disabling redirects, but I wouldn't sweat it. If you don't like sending headers, you can just include the html file for output via an include statement.
The Internet is like a screwdriver. You can use it to take an engine apart and understand it, or you can see how far you can stick it in your ear until you hit resistance.
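An added example (not code from the thread, and not how blindnil's site is written) of the header("Location: ...") redirect discussed in the two posts above. The security-relevant detail the thread does not spell out: header() only queues a response header and PHP keeps executing, so a redirect used as an access-control response must be followed by exit. Otherwise a client that does not follow the Location header (curl, a script, or the redirect-disabling users VigilanteNighthawk mentions) simply receives the admin page in the body of the 30x response. The is_admin() session key and the home URL are assumptions.

```php
<?php
// Added example, not code from the thread. The admin-only markup at the
// bottom must never reach a non-admin, so a denial has to end the script,
// not merely queue a Location header.

declare(strict_types=1);

session_start();

// Hypothetical gate; stands in for whatever the real login sets.
function is_admin(): bool
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// BROKEN (shown for contrast, never called): header() does not stop the
// script. Execution falls through into the protected HTML, which is sent
// as the body of the redirect response to anyone who cares to read it.
function deny_broken(string $home): void
{
    header('Location: ' . $home);
}

// CORRECT: send the redirect, then terminate. If output has already
// started (a stray echo, whitespace before <?php) the header cannot be
// sent; still refuse to render the page instead of silently continuing.
// $home is a fixed, server-chosen URL: never build it from request
// parameters, or the same line becomes an open redirect.
function deny_and_exit(string $home): void
{
    if (!headers_sent()) {
        header('Location: ' . $home, true, 303);
    } else {
        echo 'Forbidden';
    }
    exit;
}

if (!is_admin()) {
    deny_and_exit('https://example.edu/'); // placeholder home URL
}
?>
<!-- Admin-only markup: only emitted when is_admin() returned true. -->
<h1>Admin</h1>
```

Including the file for regular pages, as VigilanteNighthawk suggests, has the same requirement in reverse: the include must be followed by exit (or the admin content placed in an else branch), or the protected markup is appended after the home page.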
WoogieNoogie:
At 3/2/08 11:20 PM, blindnil wrote: Yeah, that's essentially what I'm doing; I just wanted to see if that was the best way to do it.
Yeah, that's actually the best way. It's simple, easy, and it works.
However, if you want to go for something that makes you feel a little more secure (I know the feeling :P), you can create your sessions to go by username and a hashed password. Then compare those against the database whenever you want to log in, and the database can tell the script if the user is admin.
Then, if you really want to go for overkill (and feel even that much better about yourself), you can combine what you're doing now with that one. Have a session for username, hashed password, AND rank, then compare all of them against the database.
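An added example, not code from the thread, serving the three suggestions above: BoneIdol's alternative of tying the session to a user id and querying the database for credentials on every page load, That-Is-Bull's "rank" column on the member table, and WoogieNoogie's idea of letting the database rather than the session say whether the user is an admin. The session holds only the user id; the role is read from the database per request, so the "promoted while logged in" gap BoneIdol describes closes, and a demotion or account deletion takes effect on the next request as well. The table, column and user names, the SQLite in-memory database (pdo_sqlite is assumed available), and the constructed accounts are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Per-request role lookup keyed
// by the user id stored in the session. Table, column, user names and the
// in-memory SQLite database are assumptions made for this example.

declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Constructed in-memory database so the example runs stand-alone.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            id            INTEGER PRIMARY KEY,
            username      TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL,
            role          TEXT NOT NULL)');
        $ins = $pdo->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
        $ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'admin']);
        $ins->execute(['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT), 'member']);
    }
    return $pdo;
}

// Login: check the password against the stored hash, then keep ONLY the
// user id in the session. Nothing from $_POST is copied into $_SESSION,
// and the session id is regenerated so a fixated id gains nothing.
function login(string $username, string $password): bool
{
    $st = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION = ['user_id' => (int) $row['id']];
    return true;
}

// Authoritative role lookup: one indexed query per request. Because the
// role comes from the database and not from the session, a promotion,
// demotion or deletion applies on the user's next request.
function current_role(): ?string
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $st = db()->prepare('SELECT role FROM users WHERE id = ?');
    $st->execute([$_SESSION['user_id']]);
    $role = $st->fetchColumn();
    return $role === false ? null : (string) $role;
}

// Put this at the top of every admin page, after session_start().
function require_admin(): void
{
    if (current_role() !== 'admin') {
        header('Location: /', true, 303);
        exit;
    }
}

// Command-line walk-through. A web entry point calls session_start()
// before login() and require_admin(); on the CLI $_SESSION is an array.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    printf("bad password accepted: %s\n", login('bob', 'wrong') ? 'yes' : 'no');
    printf("login ok: %s\n", login('bob', 'bob-pw') ? 'yes' : 'no');
    printf("role after login: %s\n", current_role());
    // Promote bob in the database; no re-login is needed for it to apply.
    db()->exec("UPDATE users SET role = 'admin' WHERE username = 'bob'");
    printf("role after promotion: %s\n", current_role());
    // Delete the account; the still-live session now carries no role.
    db()->exec("DELETE FROM users WHERE username = 'bob'");
    printf("role after deletion: %s\n", current_role() ?? 'none');
}
```

The cost BoneIdol points out is real but small: one primary-key lookup per request, which can be cached for a few seconds if it ever shows up in profiling. What the extra query buys is that the session is only an identifier, so there is nothing privilege-bearing in it to go stale or to be set by mistake from user input.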


