Is it possible to have a session within a session?

I have 3 user types for my program: Employee, HR, and Vendor. Whenever an employee is logged in he/she can only access pages available to the employee.

if( $usr->userLogin() ) {

    echo "Welcome";
    if($usr->user_type == "Vendor") {
        $_SESSION['vend']='set';
        header("Location:Vendor/vendorHome.php");
    }
    else if($usr->user_type == "HR"){
        $_SESSION['hr']='set';
        header("Location:HR/hrHome.php");
    }
    else {
        $_SESSION['emp']='set';
        header("Location:Employee/home.php");
    }
}
else {
    echo "Incorrect Username, Password, or User Type. Please Try<a href='index.php'> Again</a>";
}

At the top of each page I have this code, which is different depending on which of the 3 types the page is for.

<?php
session_start();
if(!isset($_SESSION['vend'])) # If the session flag is not set, the user isn't logged in.
                              # Redirect to the login page.
{
    header("Location:../index.php");
}
?>

While writing this application, this wasn't a problem until I realized that if I add another user to any type, the second user is able to access the first user's pages, information and everything from the database. Is there any way to declare a second session ID based on the user? How would I limit what information is available to each user based on the type of user and the individual user themselves? Is this even possible? I don't know how many users there will be for each type, but I know that there will be multiple, as in more than 5.

**EDIT:** Thank you for your suggestions. I will be improving my code with them. I don't think I explained my problem correctly, though.

Let's say I have 2 users of the Employee type, 'Jack' and 'Jill'. 'Jack' went through the application and added some forms that only he should see or be able to edit, and logged out. When 'Jill' logged in she shouldn't have seen anything. That's not the case. 'Jill' logged in and was able to see and edit everything 'Jack' could. Neither 'Jack' nor 'Jill' can access anything HR or Vendor related. That part of the session variables worked.

What about using the same SESSION variable for all users? Like $_SESSION["user_type"] = X;. Then you can just check on this variable.

I don't know if it's possible to make multiple sessions, but you can read the user_type field first at the top of each web page, and if it's the right user it can stay; otherwise it should be redirected to the correct home page. This way, if the HR user types 'Vendor/vendorHome.php', the same behavior you have in login can redirect the user and prevent vendorHome.php from being read by another user.

Always create a user_type field in the DB to filter your users, instead of in the session.

The session variable values are already per user. So if you set a session variable for one user, it will only be set for that user. Any other user using the site cannot see the values of other users.

What you probably need is to save the user's id in the session along with the user's type, which you are already saving. I would also suggest saving the type in one single session variable.

$_SESSION['user'] = $usr->id;          // the user's id from your db
$_SESSION['usertype'] = $usr->user_type;

And then simply include the same function at the top of the page, as follows:

function validateUser($type) {
    // Not logged in, or logged in as a different type: send to the login page.
    if(empty($_SESSION['usertype']) || $_SESSION['usertype'] != $type) {
        header("Location:../index.php");
        exit; // stop here, otherwise the rest of the page is still sent
    }
}

And also call the function at the top of each page:

validateUser('vendor'); // and others for each page

Also make sure to include the file that has the validateUser function at the top of each page. Probably something like this:

include('header.php');

And as for showing different data to different users, you will use the session's user id that you saved above and add it (safely, as a bound parameter) into a query to only show the user their own data.

makeDbQuery('SELECT * FROM foo WHERE user_id = ?', [$_SESSION['user']]);

I made up the above query mechanism; you will need to replace it with your own.
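The two answers above converge on the same fix for the Jack/Jill problem: the session must carry the user's id, not only the type, and that id must go into every query that reads or writes per-user data. The following is an added example, not code from the question or either answer. It runs from the PHP CLI against an in-memory SQLite database; the users and forms tables, the owner_id column, the sample users and passwords, and the function names are all assumptions made for the demo.

```php
<?php
// Added example, not code from the original post. It stores the user's id (not just
// the type) in the session and puts that id into every query that touches per-user
// data. Runs from the CLI against an in-memory SQLite database; the users/forms
// tables and the owner_id column are assumptions made for this demo.
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT, user_type TEXT)');
$pdo->exec('CREATE TABLE forms (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT)');

// Constructed sample data: two users of the same type, the Jack/Jill case from the question.
$ins = $pdo->prepare('INSERT INTO users (name, pw_hash, user_type) VALUES (?, ?, ?)');
$ins->execute(['Jack', password_hash('jack-pw', PASSWORD_DEFAULT), 'Employee']);
$ins->execute(['Jill', password_hash('jill-pw', PASSWORD_DEFAULT), 'Employee']);

function login(PDO $pdo, string $name, string $password): bool
{
    $st = $pdo->prepare('SELECT id, pw_hash, user_type FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id on login, so a pre-login id is not reusable
    $_SESSION = ['user_id' => (int) $row['id'], 'user_type' => $row['user_type']];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

function currentUserId(): int
{
    if (empty($_SESSION['user_id'])) {
        throw new RuntimeException('not logged in');   // a web page would header() to index.php and exit here
    }
    return (int) $_SESSION['user_id'];
}

// The owner id always comes from the session, never from a request parameter.
function addForm(PDO $pdo, string $title): int
{
    $st = $pdo->prepare('INSERT INTO forms (owner_id, title) VALUES (?, ?)');
    $st->execute([currentUserId(), $title]);
    return (int) $pdo->lastInsertId();
}

function listForms(PDO $pdo): array
{
    $st = $pdo->prepare('SELECT id, title FROM forms WHERE owner_id = ? ORDER BY id');
    $st->execute([currentUserId()]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Ownership is part of the WHERE clause, so a guessed id (edit.php?id=1) updates nothing.
function updateForm(PDO $pdo, int $formId, string $title): bool
{
    $st = $pdo->prepare('UPDATE forms SET title = ? WHERE id = ? AND owner_id = ?');
    $st->execute([$title, $formId, currentUserId()]);
    return $st->rowCount() === 1;
}

// Replay the scenario from the question's edit: Jack adds a form and logs out, Jill logs in.
login($pdo, 'Jack', 'jack-pw');
$jacksForm = addForm($pdo, "Jack's timesheet");
logout();

login($pdo, 'Jill', 'jill-pw');
printf("Forms visible to Jill: %d\n", count(listForms($pdo)));
printf("Jill editing Jack's form: %s\n", updateForm($pdo, $jacksForm, 'tampered') ? 'changed' : 'denied');
```

The point to carry over into real pages is that the per-user check lives in the query itself (WHERE owner_id = ?) rather than in a page-level flag: a type flag such as $_SESSION['emp'] only says "some employee is logged in", which is exactly why Jill could see Jack's forms. Regenerating the session id at login and logout is the usual companion measure, so that a session id handed out before authentication cannot be reused afterwards.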

I would use one session variable and set its value to user's profile:

if( $usr->userLogin() ) {

    echo "Welcome";
    if($usr->user_type == "Vendor") {
        $_SESSION['user_type']='vendor';
        header("Location:Vendor/vendorHome.php");
        exit;
    }
    else if($usr->user_type == "HR"){
        $_SESSION['user_type']='hr';
        header("Location:HR/hrHome.php");
        exit;
    }
    else {
        $_SESSION['user_type']='emp';
        header("Location:Employee/home.php");
        exit;
    }
}

Then in each page you check if the user is logged in and what his user type/role is:

session_start();
if(!isset($_SESSION['user_type']) || $_SESSION['user_type'] !== 'vendor') // 'vendor', 'hr' or 'emp', depending on the page
{
    header("Location:../index.php");
    exit; // stop the page from rendering after the redirect
}

Your logic structure is using the names of variables as values, so you can do one of two things:

  • Set a single variable to hold all of these values.

  • Put these value variables into an array.

First example:

Setting:

$_SESSION['usertype'] = "emp";   // or "hr", or "vend"

Checking:

if($_SESSION['usertype'] !== "vend"){
    // not a vendor: redirect
    ...
}

Second example:

Setting:

$_SESSION['usertype']['emp']  = true;   // or false
$_SESSION['usertype']['hr']   = true;   // or false
$_SESSION['usertype']['vend'] = true;   // or false

Checking:

if(empty($_SESSION['usertype']['vend'])){   // empty() also covers a key that was never set
    // not a vendor: redirect
    ...
}

This has an advantage that you can then easily set a member to be in more than one category simultaneously.


  • After your header redirections you should always stop the script execution with die or exit.
  • It is logically easier and more constructive to set values as booleans (see the second example) rather than a manual string flag of "set" which needs to be manually checked each time.
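The second pattern above (a boolean per role) and the two closing bullets fit together as a small header include. What follows is an added example, not code from the answer or the question: a role map stored in the session, a check that fails closed on roles that were never defined, and a gate that exits after the redirect. The role names and the ../index.php path are the question's own; the function names and the auth.php file name are assumptions for the demo.

```php
<?php
// Added example, not code from the original post. A role gate for the top of each
// page, using the boolean-map layout from the second example above so a user can
// hold more than one role; it fails closed on unknown roles and stops the script
// after the redirect. Role names and the index.php path are the question's own.
declare(strict_types=1);

const ROLES = ['emp', 'hr', 'vend'];

// Called once at login with the roles read from the users table, e.g. ['emp'] or ['emp', 'hr'].
function setRoles(array $roles): void
{
    $map = array_fill_keys(ROLES, false);
    foreach ($roles as $role) {
        if (!array_key_exists($role, $map)) {
            throw new InvalidArgumentException("unknown role: $role");   // a typo in the DB never becomes a grant
        }
        $map[$role] = true;
    }
    session_regenerate_id(true);   // privilege change: issue a new session id
    $_SESSION['roles'] = $map;
}

function hasRole(string $role): bool
{
    return !empty($_SESSION['roles'][$role]);   // absent key, null or false all mean "no"
}

function hasAnyRole(string ...$roles): bool
{
    foreach ($roles as $role) {
        if (hasRole($role)) {
            return true;
        }
    }
    return false;
}

// Put this at the top of each protected page, after session_start():
//   require_once 'auth.php'; requireRole('vend');
// It returns only when the user holds the role; otherwise it redirects and stops.
function requireRole(string $role, string $loginPage = '../index.php'): void
{
    if (hasRole($role)) {
        return;
    }
    header('Location: ' . $loginPage);
    exit;   // without this the rest of the page is still sent after the Location header
}

// CLI demo: an HR user who is also an employee.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
setRoles(['emp', 'hr']);
foreach (['emp', 'hr', 'vend', 'admin'] as $role) {
    printf("%-5s %s\n", $role, hasRole($role) ? 'granted' : 'denied');
}
printf("HR page open to hr or vend: %s\n", hasAnyRole('hr', 'vend') ? 'yes' : 'no');
```

Two details are worth keeping even if the rest is adapted: the check uses empty() on the nested key, so a role that was never written to the session (including a misspelt one) is denied rather than raising an undefined-index notice and falling through, and requireRole() never returns on failure, which is what the last bullet above is asking for.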