Probs with a Login, 2 user levels

Elliott

Hello.

I am having some trouble stopping Logged in Users from accessing Admin Pages, and Vice Versa. I think it is the way im trying to determine the $logged_in value, but have tried every way i know how and its not working.

In its most basic form i have:

Student_login.php
check_login.php
test_student.php

and

admin_login.php
check_admin.php
test_admin.php

The check files are included on every page, as they have my connection string in there, and also decide if the user is logged in or not.

If not $logged_in is set to 0. Otherwise check_login sets it to 1, for a successful login, and chec_admin sets $logged_in to 2.

Now when i test this, and log in as a student, i can access the test_admin page. and same for the other way around.

This is in the test_admin.php page, ive tried every way of wording the if statement.

<?php
include('check_admin.php');

if ($logged_in !==2) {
	die('<p> Sorry you are not logged in, this area is restricted to registered members. <p> <a href="login_admin.php">Click here</a> to log in.');
}
?>

Heres the code from test_student.php

<?php
if ($logged_in !==1) {
	die('<p> Sorry you are not logged in, this area is restricted to registered members. <p> <a href="login_admin.php">Click here</a> to log in.');
}
?>

If i dont log into either login, then i get the correct error messages, but logging into 1, seems to log me into both.

Also when my login.php pages load....if im logged into admin, the student login says im logged in already.

but they have these in place...
Admin_login.php

if($logged_in == 2)
	{
		die('already logged in etc...

student_login.php

if($logged_in == 1)
	{
		die('

Any ideas please?

fikse

did you try:

if ($logged_in !=2) {

Elliott

yeah 🙁 just double checked it again.

Its as tho its just going straight past the if statement.

All admin pages use a completely different include file which sets logged in to 2.

Just cant work out why its letting me access it with logged_in =1

weird 🙁

fikse

before you try the if statement, echo out the $logged_in variable to see what it is...

mabye your storing a string?

try:

if ($logged_in != "2") { }

Elliott

ah thanks for that....it seems my include is changing the logged in value to 2.

I have check_login attached to all the student pages, and check_admin on all the admin pages.

Is there a better way or making 2 user groups rather than having php assign a 1 or a 2?

They both use different tables in the databse.

Could one way be to have everyone in the same database but have an admin field marked as yes/no?

fikse

if the fields are similar, and you can use one table, then having one column labeled permissions, could hold a value that sets what level of permissions they have....

they you could have another table to layout which permission levels have access to what...

what you're doing should work, for some reason you're not setting the variblle to the right value...

Elliott

hmmm the way of adding tables and permissions is a bit over my head at the moment but i see what you mean.

I have had a look at one of those self installing messgae boards and can see what you are on about.

I had a thought....it seems to be the check_login, and check_admin scripts that are causing the problem. they are setting the $logged_in value to whatever is needed for that page.

Instead of setting this every time...could i use a Session variable to store this logged in value, then i dont have to assign it every time?

Then if the session variable is wrong then it wont let me access the pages?

Would this work, or more so, is it secure? to some extent?

Elliott

Ive got it working now using the flag field in the database.

And put it on my login page too, so users cant log in as admin.

Thanks for the help and advice, was great.