[RESOLVED] Sessions

thepeccavi

Hi, I have now finished (well, almost) a site with an admin panel!

Currently the admin panel uses .htaccess password protection, which is not quite what I would like! The site is based around "Teams", each one with their own menu item and page, currently, once you have logged on, you can edit any team's menu item or page.

I would like it for teams to be able to edit their own pages, but currently this is not secure enough... (each team should only be able to edit their own stuff)...

This, I think, needs sessions. My users should be:

A user for each of the 20 or so teams
and an admin user, who can edit everything

Things get more complex, however!... There are also some pages (sending newsletters etc.) that I would like only to be able to be done by the admin user...

Can anyone explain how I should go about this, or refer me to a good, well-explained tutorial?

Thanks

etully

Assuming that your .htaccess file and .htpasswd file have 20 team usernames, you can know which user logged in from an environment variable ($REMOTE_USER). Once you know that, you can make sure that reads and writes from the database are only allowed where the data is tagged with that user.
You can create a username in .htpasswd for just you (the master admin). The account could be called "thepeccavi". Then, in the admin tool, if the user is thepeccavi, then you don't constrain the reads or writes to the database.
You could dump the .htaccess authentication alltogether and use a <form> based login. Then, you are correct, you would need sessions to remember the username. This isn't much better or worse than the .htaccess solution except that you already have the .htaccess solution working so it's less work to stick with that. Items #1 and #2 above are still bascially true except that instead of getting the username from an environment variable, you get it from $_SESSION['username']. Six of one, half dozen of the other.
Regarding the Newletters getting mailed out, you have two options. One is to put the same kind of protection on it as above: That is, only perform the action if the username is thepeccavi. The other solution is to move the Newsletter section into a completely different directory (instead of admin) and that's probably the safer way to go. It's not a good idea to make the user's "My Account" area piggyback on the "Site Admin" area - too much risk that you'll make a mistake and let some Team captain send out newsletters on your behalf.

thepeccavi

Thanks.... I am now using the sessions (as i got VERY onfused with the whole $REMOTE_USER thing??)...

I now have a new problem!... I have created a login page (login.php) with a form. This puts the user's username and password into session vars ($SESSION[username] and $SESSION[password]) and checks the password for validity etc.

This works fine! I think, I have used this code to debug:

if(session_start()){
echo 'Session Started';
}
// Put $_POSTed vars into $_SESSION[].....

// Connect to DB etc...
if({password is correct}){
echo 'Logged in as ' . $_SESSION[username];
}

this always shows all the correct info!

Now, when I go to the index page, i have this code to check if a user is logged in:

// Do session stuff
if(!isset($_SESSION['username']) || !isset($_SESSION['password'])){
header("Location: login.php");
}
else{
// Do everything
}

The trouble is, I am ALWAYS forwarded to login.php! I have tried header() forwarding to index.php when you are logged in (in login.php) but it just forwards to back!

I'm sure that this problem is easily solved (I have never used sessions before)...

Thanks

qolbu

remember the session_start(); should be place on all page that you want to use SESSION otherwise the SESSION won't work.

thepeccavi

Thank you! Just shows how much of a n00b i am with sessions...

They aren't that difficult though are they...

Thank you again!