Member Avatar for iamthwee

So I always wondered this, probably a bit dense.

Let's say I've got a url string http://somelink.php?id=7

And that takes the user to another page which gives them access to something private.

But what is to stop the user replacing the 7 with say an 8 (manually editing the url string), thus taking the user to another page that is private but the system shouldn't be allowing that user to view?

Should I also be validating with a session id as well?

Thanks in advance.

Member Avatar for diafol

But what is to stop the user replacing the 7 with say an 8.

Nothing at all. This is one of the reasons you need to propagate sessions. Ensure that the permissions level of the logged in user (in a session var maybe) is sufficient for the querystring 'id'. If using a querystring - do not use it for making changes/updating/deleting/etc - just for reading/selecting.

Just to add, the key here is that you have personal data to show based upon the user accessing the data. So you need to know who is accessing the data so you only show that user's data.

A simple approach is to authenticate the user before you show any personal data. You can store the authenticated user info in a session variable or a cookie. Other alternatives as well.

Member Avatar for iamthwee

I think I understand so I store the user's session id throughout the site and check with the custom url. If something is fishy break out?

so I store the user's session id throughout the site and check with the custom url. If something is fishy break out?

Yes, this is one approach. Once you authenticate the user in which ever fashion you seem appropriate, store that information in a session variable (another common approach is to store this in a cookie so you dont have to re-authenticate the user every time the user access your site). The easiest way would be to store the user's userID.

This way, when a user accesses a page that is showing user data, you can verifiy whether or not the correct user is trying to access the user data that belongs to him/her. You do this by just comparing the value in the querystring with the value stored in the session variable.

If its the wrong user, redirect the user to a different page, or just display a different block of HTML code indicating that the user does not have permission to view the data.

Member Avatar for diafol

I used to just hold the user's 'id' in a session, nothing else. Using a user class, I'd then retrieve any info required by a particular page. This would include userlevel (permissions). So if a URL id had certain access rights, you could check whether the user had sufficient permissions to view the resource before allowing access. In itself, this is a pretty simple system.

Hi as JorgeM and diafol said you need to check if the user has the rights to access a certain page you need something like

   $level=$_SESSION['SESS_ACCESS_LEVEL'];
    if($level=='1')
    {
     header("location: access-denied.php");
                exit();
    }
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.