Hi everyone. I've done research and I can't seem to figure out what my code is doing. I know that session variables should change unless changing them or removing them. I don't think the issue is specific to the browser's back button either, because the variable in question doesn't seem to work when accessing another page forward: it just works from the home page into another page, but when I access another page it doesn't seem to work.
I am building a custom CMS (it has to be custom, I already pondered all the other options). I'm basically doing an access control script. First I tried it by storing the user role or user type in the session as a variable, but it wouldn't work when pressing back or going a third page in. The variable is used to show menu links depending on the user type.
This is how I check for my session:
$now = time();
if (!isset($_SESSION)) {           // start the session only if nothing has started it yet
    session_start();
}
// Send the user to the login page if nobody is logged in or the session is older than an hour
if (!isset($_SESSION['session_user_name']) || $now - $_SESSION['session_start'] > 60*60) {
    header('Location: login.php');
    exit;
} else {
    //$user_name = $_SESSION['session_user_name'];
    //$user_type = $_SESSION['session_user_type'];
}
require(CMS_ROOT.'/classes/acl.php');  // CMS_ROOT is defined elsewhere in the CMS
$user_role = new ACL();
$user_type = $user_role->userRole;
This is my ACL class:
class ACL
{
    public $userID = 0;    // Integer : Stores the ID of the current user
    public $userRole = ''; // String  : Stores the role of the current user

    // PHP's constructor is __construct; a method named __constructor is never called automatically
    function __construct($userID = '')
    {
        if ($userID != '') {
            $this->userID = intval($userID);
        } else {
            $this->userID = intval($_SESSION['session_user_id']);
        }
        $this->userRole = $this->getUserRole();
    }

    // PHP4-style constructor kept only for compatibility; it forwards to __construct
    function ACL($userID = '')
    {
        $this->__construct($userID);
    }

    function getUserRole()
    {
        global $table_prefix;
        $user_id = $this->userID;  // already cast to an integer, so it cannot carry SQL
        $strSQL = "SELECT user_type FROM {$table_prefix}users WHERE user_id = $user_id";
        $data = mysql_query($strSQL) or die(mysql_error());
        $resp = 'null';
        $row = mysql_fetch_assoc($data);
        if ($row) {                // mysql_fetch_assoc() returns false when no user matches
            $resp = $row['user_type'];
        }
        return $resp;
    }
}
And this is the menu:
<nav>
    <ul>
        <?php echo $user_type; /* debug output of the role */ if ($user_type == 'administrator' || $user_type == 'manager') { ?>
        <li><a href="<?php echo $cms_path; ?>/index.php">Home</a></li>
        <?php } ?>
        <?php if ($user_type == 'administrator' || $user_type == 'manager') { ?>
        <li><a href="<?php echo $cms_path; ?>/users/user_view.php">Users</a></li>
        <?php } ?>
        <?php if ($user_type == 'administrator' || $user_type == 'manager') { ?>
        <li><a href="<?php echo $cms_path; ?>/clients/client_view.php">Clients</a></li>
        <?php } ?>
        <li><a href="<?php echo $cms_path; ?>/albums/album_view.php">Albums</a></li>
        <li><a href="<?php echo $cms_path; ?>/logout.php">logout</a></li>
    </ul>
</nav>
I hope someone can help or steer me in the right direction.
Ok, there are a few things I found out during this process.
1) Most important: think about security. If you are not a full-on PHP security expert, think about finding someone that is. I and my employer will have to do this at some point.
2) Think about caching. The back button loads a cached version of the page, so some dynamic elements get lost in the process.
For this, make sure to use this code on, at least, your dynamic pages:
<?php
// These headers tell the browser to not load anything from cache at all
// and force the browser to make a server request even on a Back click,
// allowing us to verify the token. no-store is what keeps a Back click
// from serving the stored copy; no-cache alone only forces revalidation.
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Pragma: no-cache");
?>
3) Make sure you start the session before you do anything else that will use the session.
4) Look into the php.ini settings, specifically the ones related to sessions such as session.cache_limiter and session.gc_maxlifetime. You can use ini_get() to retrieve the values of php.ini settings and ini_set() to set them, which is very useful for almost anything php.ini related.
Thanks to everyone that responded; every answer was helpful.
There is no need to check the timeout using
$now - $_SESSION['session_start'] > 60*60
Session timeout is controlled by the PHP config setting
session.gc_maxlifetime
Also, there is no need to use floatval; instead do the following:
$this->userID = intval($userID);
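Pulling the two answers above together, as an added example (not the asker's or either answerer's code): one guard include that starts the session before any output, lets the session cache limiter send the no-store headers, keeps an application-level idle timeout (session.gc_maxlifetime only decides when the server garbage-collects old session files), looks the role up with a prepared statement on an integer id, and keeps the role-to-menu mapping in one place instead of repeating the condition in every `<li>`. Assumed names: a PDO connection in `$pdo`, the existing `$table_prefix`, and that login.php stores `session_user_id` and `session_last_activity` in the session.

```php
<?php
// Added example, not the asker's or the answerers' code. One include that applies
// the points above in order. Assumed names: a PDO connection $pdo, $table_prefix,
// and that login.php stores 'session_user_id' and 'session_last_activity'.

const IDLE_TIMEOUT = 60 * 60; // seconds of inactivity before forced re-login

// 1. Session first, before any output. 'nocache' makes session_start() itself send
//    Cache-Control: no-store, no-cache, must-revalidate (cf. session.cache_limiter).
session_cache_limiter('nocache');
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// 2. Authentication and idle timeout; the timer resets on every request,
//    while session.gc_maxlifetime only governs server-side cleanup.
$lastSeen = $_SESSION['session_last_activity'] ?? 0;
if (!isset($_SESSION['session_user_id']) || time() - $lastSeen > IDLE_TIMEOUT) {
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}
$_SESSION['session_last_activity'] = time();

// 3. Role lookup: integer id plus a prepared statement, so the id is never
//    interpolated into the SQL string.
$userId = (int) $_SESSION['session_user_id'];
$stmt = $pdo->prepare("SELECT user_type FROM {$table_prefix}users WHERE user_id = ?");
$stmt->execute([$userId]);
$userType = $stmt->fetchColumn();   // false if the account no longer exists
if ($userType === false) {
    session_destroy();
    header('Location: login.php');
    exit;
}

// 4. One role map instead of repeating "administrator || manager" per <li>.
//    Pages absent from the map are open to every logged-in user (e.g. albums).
const MENU_ACL = [
    'index.php'               => ['administrator', 'manager'],
    'users/user_view.php'     => ['administrator', 'manager'],
    'clients/client_view.php' => ['administrator', 'manager'],
];
function canSee(string $page, string $role): bool
{
    return !isset(MENU_ACL[$page]) || in_array($role, MENU_ACL[$page], true);
}
// Menu template usage: if (canSee('users/user_view.php', $userType)) { ...print the <li>... }
```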