Prevent access to moderator area

SeenGee

I'm doin a user admin thing for a site i'm working on, there are two levels of membership, one that enables moderator functions and one that just enables browsing. The mod will have the capacity to add new news items through entering info into html forms. I'm using sessions to carry a few variables around including username but i'm concerned that someone could jump direct to one of the admin pages and add or delete things. I dont want to set password as a session variable because the user has the ability to change their password which could make things messy ( i am using md5 to encrypt the passwords).

at the moment this is what i got, the user logs in at login.php, if successful login_success.php tells them what access they have to what parts of the site, for the mods there is a link to admin.php which in turn will have links to add_item.php and delete_item.php. I need to be able to protect all of the admin pages using the same password and username collected from login.php which authenticates it against my database b4 sending them to login_success.php. Ideally, i dont want to have to ask for the password and username on each page either.

Thanks.

bobthedog

Ok - so, you only authenticate on one page before letting someone roam the site???

Insane.....

You need to authenticate a user in some form or another on EVERY page. So - the idea works as such....

1, when a user vists a page, we check for a session variable which just says if they passed authentication

2, if it doesn't exist or isnt set correctly then redirect them to login

3, if they login then set the session variable. This doesn't need to be their password or username, for a basic system it is just a flag, i.e. a 1 or 0 value, 1 means authenticated anything else means not authenticated

This means password changes are something we don't care about because we don't need to know it after the login page.

Hope this makes sense.

SeenGee

thanks for the reply.

but why need i authenticate a user on every page when only a few pages will contain material that i need to hide. my sessions carry username around the pages but only to show the user that they are logged in, however i dont want users to have to log in to view everything because some users will not want to sign up in the first place, this is not to say i dont want these users to view the site.

Thanks.

bobthedog

ok - well, only check the session var on the pages you want to restrict then! In fact, you already have a flag you can use - their username.

So - on pages you want to stop unauthorised people getting into then just check that value is set. If it doesn't then prompt them to log in.

SeenGee

i've sorted it, i've just set user_level as a session variable when they activate their account, this way i just call this on each of the admin pages and if its not a user level for a mod then they cant access anything to change.

Thanks for the help and advice.