Hi Martin,

I have a similar kind of setup with "user level", stored as a session
variable. Problem is that when the a user with level one access
uses a machine to open the browser it writes "level one" to the session
data, the next user going straight to the query.htm screen without logging
on also has level one access because the session data isn't destroyed when
the browser is closed by the previous user.

John.

"Martin Clifford" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
I have my page set up to use sessions to track the users on my page.  The
best way I have found is to give each user a "user level" to identify what
areas they should or should not be in.  For example, if you have a page that
edits the news content on your site, you might set it up like this:

<?php

session_start();
if($userlevel == "admin") {
    include("adminpage.inc");
} else {
    include("accessforbidden.inc");
}

?>

Basically, if you're not logged in as a user with Admin rights, then you
don't get to see the page.  And since only YOU can declare what rights your
users have, I don't see a way to spoof this.  Unless of course the person
doing the spoofing KNOWS what variable you check to see access rights.  An
adaption of this script might help.

HTH

Martin

>>> "Youngie" <[EMAIL PROTECTED]> 07/08/02 01:50PM >>>
Hi Follks

I'm writing an application that requires the user to login to gain access to
the rest of the site.
The login dailog is on index.html, once verified by login.php the user is
presented with a menu from
which he can select several options option1.htm which executes a query
through option1.php etc,
option2.htm and option3.htm  and so on. But there's nothing stopping him
from bypassing the login completely
and just brining up option2.htm directly in the browser. I'm looking for
some kind of mechanism to set a
flag for a successful logon in index.php that can be tested in the other php
scripts.

I tried using a cookie and got that to work but the user can close the
browser, reopen and the cookie is still
set. I looked in to session variables but one page could seem to see the
session variable values set in the
login page, it saw the variable was registered but not the value it was set
to.

I know this has to be a simple exercise but I'm a newbie.

Thanks

John.



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to