Hey guys, I have another problem. I created 3 tables: admin, shopowner, normaluser. But when I login to the admin page and then go to the members page, I'm still logged in as admin on the members page. How would I make 3 different sessions or something so that the normalusers could not access the admin panel? Any help will be appreciated. Thanks.
Would it be possible for you to create an enum for your user type? Members would be the lowest value, admins the highest. Then each page and/or sub PHP page could check the user type using a greater-than statement.
Yes, you need to make some kind of separation of them in the session, e.g. `$_SESSION['isAdmin']`, `$_SESSION['isShopOwner']`, `$_SESSION['isUser']` etc. Set and check them based on privileges.
Yup, using different sessions will solve your problem, and as a professional web dev, that is also the solution I offer.
Here is a link to a type-safe enum class for PHP: http://www.phpclasses.org/package/6021-PHP-Implement-enumerated-values-as-class-functions.html Here is another one on implementing enums in PHP: http://it.toolbox.com/blogs/macsploitation/enums-in-php-a-native-implementation-25228

In other languages you would then implement an enum like userType, and its values would be something like Root, Admin, Superuser, User. You could then have the page be made of separate includes in PHP. The first line of each include would have a check for the minimal user type to view the section: if userType > User, or if userType > Admin. Then you only need one session variable for usertype; the logic is simpler, so it is less likely to be vulnerable to user escalation. This should be checked on every sub section of the page.

Example: years ago, I was a consultant for a large company. I would get sent out to different banks and companies to do white-hat testing of their new applications. I was testing a bank's lockbox application. They had a check on the page to ensure the correct individual would only be able to see the check data for their account. That page had an image whose source was calling a .jsp page to get the check image. That page didn't do the check. So I was able to create a small program that went through and downloaded any check I needed with just the check number. That is why I suggest the check be done at the section or element level.
You could do it also with just setting a numeric value for the user type. That may seem simpler, but then you need to check outside of the boundaries, like if a person uses a session poisoning attack to set their usertype in your state object to be greater than your highest defined usertype, or a negative number. It may have a false positive effect, allowing them access to page elements you do not want them to see. If they did that with an enum, your page will throw an exception instead.
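An added example (not code from any of the posters) showing the single-session-value enum approach from the thread using PHP 8.1's native backed enums, including the out-of-range check the last reply is worried about. The session key `userType`, the role names and the constructed sessions are assumptions for this example.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Requires PHP >= 8.1 (backed enums).
// The session key 'userType' and the role names are assumptions.

enum UserType: int
{
    case User      = 1;   // normaluser table
    case ShopOwner = 2;   // shopowner table
    case Admin     = 3;   // admin table
}

// Resolve the role stored in the session. Anything that is not exactly one of
// the defined cases (missing, a string, a negative number, 99, ...) is null,
// so a poisoned value can never compare as "greater than" every real role.
function currentRole(array $session): ?UserType
{
    $raw = $session['userType'] ?? null;
    return is_int($raw) ? UserType::tryFrom($raw) : null;
}

// True only if the session holds a valid role at or above $min.
function roleAllows(array $session, UserType $min): bool
{
    $role = currentRole($session);
    return $role !== null && $role->value >= $min->value;
}

// Put this at the top of every page AND every included section or element
// script (e.g. the script that serves an image), not only on the outer page.
function requireRole(UserType $min): void
{
    if (!roleAllows($_SESSION, $min)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sessions showing how the admin-page check behaves:
$cases = [
    'admin'          => ['userType' => UserType::Admin->value],
    'normal user'    => ['userType' => UserType::User->value],
    'poisoned (99)'  => ['userType' => 99],
    'poisoned (-1)'  => ['userType' => -1],
    'poisoned ("3")' => ['userType' => '3'],
    'not logged in'  => [],
];
foreach ($cases as $label => $session) {
    $verdict = roleAllows($session, UserType::Admin) ? 'allowed' : 'denied';
    printf("%-16s admin page: %s\n", $label, $verdict);
}
```

After a successful login against the matching table, set `$_SESSION['userType'] = UserType::Admin->value` (or the appropriate case) and nothing else role-related; every other page or include then calls `requireRole(UserType::Admin)` or `requireRole(UserType::ShopOwner)` before rendering.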