I have a MySQL database. In that database I have table called users. In users I have username, password, role. If the role is 0 then it's a user. If the role is 1 then it's admin.
This is how the session set right now.
if($count==1){
echo "true";
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
}
else {
echo "Wrong";
}
This is what I have at the top of the pages:
session_start();
if(!isset($_SESSION['username'])){
header("location:login.php");
}
I am confused about how to check again the role though. For example, if it's role 1 = they get admin pages if role 0 - user.
Currently, I have only 1 admin, and this is how I've been given them authorisation.
But I am not sure if this is correct. I need explanations please.
if ( 'admin' == $_SESSION['username'] ) {
include('admin.php');
}
else {
include('user.php');
}
You should setup the role in the session and check not the username but it's role:
...
echo "true";
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
$_SESSION['role'] = $role;
...
if ($_SESSION['role'] == 1) {
include('admin.php');
} else {
include('user.php');
}
or as an alternative set an admin variable and always check if that exists when user logs in:
...
echo "true";
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
if($role == 1) {
$_SESSION['admin'] = true;
}
...
if (isset($_SESSION['admin'])) {
include('admin.php');
} else {
include('user.php');
}
You have database connection in login.php, right? Why don't you use the connection and get the role information of the user if username and password exists in the database of course, then according to that role value you redirect the user like (I made connection with a procedure and calling that procedure and loading informations) And within the if you have to make the control whether the user exists or not ; rowcount>1 for example :
$role = "";
$username = "";
$password = "";
$conn = oci_connect(---);
$stid = oci_parse($conn, "begin packageX.login(:username,:password,:role); end;");
oci_bind_by_name($stid, ":username", $username);
oci_bind_by_name($stid, ":password", $password);
oci_bind_by_name($stid, ":role", $role);
if ( $role == 1 and $username!="" and $password!="") {
header( "Location: admin.php" );
}
else if($role == 0 and $username!="" and $password!=""){
header( "Location: user.php" );
}
these two function will check if a session is present and check the users permission.
function confirmed_login(){
if(!isset($_SESSION['permission'])){
header('Location: login_redirect.php');
}
}
function permission_admin($permission){
if($permission != '1'){
header('Location: login_redirect.php');
}
}
function check_login($p) {
permission_admin($p);
confirmed_login();
}
simply call this function at the top of any restricted page like so:
check_login($SESSION['role']);