i'm trying to add roles for certain pages on a small internal site i am running.
i assign the following sessions when user logs into the site login form;
// Register $username, $role Sessions and redirect
$_SESSION['username']= $username;
$_SESSION['accessLevel'] = $role;
$_SESSION['is_logged_in'] = true;
i then have the following on my logout.php page;
<?php
session_start();
session_destroy();
header("Location: ../login.php");
?>
i want to restrict page based on the users $_SESSION['accessLevel']
for instance only show page if $_SESSION['accessLevel'] == 'admin' else redirect to login page (or error page)
here is what i have on an admin page;
<?php
session_start();
if (!isset($_SESSION['username']) && $_SESSION['accessLevel'] == 'admin'){
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<p>ADMIN AREA!! </p>
<p>username: <?php echo $_SESSION['username'];?></p>
<p>Access: <?php echo $_SESSION['accessLevel'];?></p>
</body>
</html>
<?php
}
else {
header("location:../login.php");
}
?>
now the page redirects to login.php when i login using admin credentials if i remove the check i print_r the sessions are correct;
$_SESSION['accessLevel'] = admin
$_SESSION['username'] = testuser
where am i going wrong?
You want the username to exist, right now you are checking to see if it is not isset(). Update your conditional to:
if(isset($_SESSION['username']) && $_SESSION['accessLevel'] == 'admin') {
// HTML here
} else {
header("location:../login.php");
}
Also, a side note: if you ever have an edge case were you set a username value but not a accessLevel value, you will get a fatal error with this conditional. You should be making sure that the accessLevel is set to be safe:
isset($_SESSION['username'], $_SESSION['accessLevel']) && $_SESSION['accessLevel'] == 'admin'