
I am developing a portal with PHP, and would need to implement a simple PHP authentication system which restricts access to certain pages depending on the credentials of the user.

I have a function CheckAuth() which takes a parameter (Integer). I.e., my database has five authorization levels 1-5. If I call CheckAuth(3) this will return true if the user has authorization level 3 or above. My code right now reads:

if(!CheckAuth(3)) {
    die("Sorry, we were unable to deliver the requested content.");
}

The problem with this solution is that it will break the page's layout as other elements such as the page's footer will not be displayed.

What is the best way of conditionally displaying only a portion of the page?

Thanks in advance! Dario

function CheckAuth($required) {

require("config.php"); // provides $con, the mysqli connection

//User ain't been logged in?
if(!isset($_SESSION["login"])) {

    return 0;
}

//Alright user is logged in, lets check the level...
//1 = User, 2 = OP (or Admin)
//Bind the session value instead of concatenating it into the SQL
$stmt = mysqli_prepare($con, "SELECT Level FROM delegations WHERE id = ?");
mysqli_stmt_bind_param($stmt, "i", $_SESSION["login"]);
mysqli_stmt_execute($stmt);
$results = mysqli_stmt_get_result($stmt);

if($row = mysqli_fetch_array($results)) {

        //true when the user's level is $required or above
        return $row["Level"] >= $required;

}
return 0;
}
MrD
  • This question might come in handy: http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables Please take into account that controlling authentication within the session variables can be manipulated – Daryl Gill Jul 24 '13 at 17:04
  • If you are adding die, further code will not execute. You can try echo instead –  Jul 24 '13 at 17:05
  • Hi Daryl, thank you, I will look at your link. This is a small project, essentially login is mostly to deliver the right content to the right people so that there is no accidental editing of other people's content, but there is no "sensitive" or "precious" information, therefore it is unlikely that somebody would want to violate the site. Basic security is in action (i.e. prevention of SQL injections etc.) – MrD Jul 24 '13 at 17:06
  • Hi @FakhruddinUjjainwala, do you mean echoing the private information on "else" condition? – MrD Jul 24 '13 at 17:07
  • @DarioP Can you show your `CheckAuth($Arg);` function please? – Daryl Gill Jul 24 '13 at 17:09
  • Yes, you can do that. Is it a part of the page that is restricted to the user, or the entire page? –  Jul 24 '13 at 17:10

2 Answers


The solution is not to use die() but to render another version of the page.

if (!CheckAuth(3)) {
    // render error page
} else {
    // render normal page
}
JimiDini
  • A structured approach as used by web frameworks helps you a lot with this, but in the end it just boils down to this simple choice – JimiDini Jul 24 '13 at 17:07
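Putting the question's requirement (CheckAuth(n) is true at level n or above) together with this answer, here is an added example of a single page that evaluates the check once and renders the restricted fragment inside the normal layout, so the footer is emitted on both branches. It is not code from the question or the answer. It assumes the question's `delegations(id, Level)` table, `$_SESSION["login"]` holding the user's id, `$con` being a mysqli handle created by `config.php`, and two layout partials `header.php` and `footer.php`, which are hypothetical names.

```php
<?php
// Added example, not from the original question or answers. Assumes the
// question's schema (table `delegations`, columns `id` and `Level`),
// $_SESSION["login"] holding the user's id, and $con (mysqli) from config.php.
// header.php / footer.php are hypothetical layout partials.
declare(strict_types=1);

session_start();
require 'config.php';   // provides $con (mysqli)

/**
 * Return the caller's authorization level (1-5), or 0 when not logged in
 * or when no delegation row exists. The session value is bound as a
 * parameter, never concatenated into the SQL.
 */
function currentLevel(mysqli $con): int
{
    if (!isset($_SESSION['login'])) {
        return 0;
    }
    $stmt = $con->prepare('SELECT Level FROM delegations WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['login']);
    $stmt->execute();
    $stmt->bind_result($level);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $level : 0;
}

/** True when the user holds at least $required (the "3 or above" rule). */
function checkAuth(mysqli $con, int $required): bool
{
    return currentLevel($con) >= $required;
}

// Evaluate once per request; the result decides which fragments are shown.
$canSeeRestricted = checkAuth($con, 3);
?>
<!DOCTYPE html>
<html>
<head><title>Portal</title></head>
<body>
<?php require 'header.php'; // layout partial, always rendered ?>

<h1>Public section</h1>
<p>Everyone who reaches this page sees this.</p>

<?php if ($canSeeRestricted): ?>
  <h2>Restricted section</h2>
  <p>Content for authorization level 3 and above.</p>
<?php else: ?>
  <p>Sorry, we were unable to deliver the requested content.</p>
<?php endif; ?>

<?php require 'footer.php'; // footer still renders on both branches ?>
</body>
</html>
```

Doing the check once into a variable keeps the template branches cheap and avoids a second database round trip if the same decision is needed further down the page; the restricted markup never reaches the output buffer for users below the required level, so there is nothing for `die()` to cut off.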

You shouldn't ask for if (!CheckAuth(3)); you should better go the way of if (CheckAuth(3)) and display the page data if the user has the permission to view the content; if not, redirect him to a 403 page, something like this:

if(CheckAuth(3))
{
   //display page content
}

function CheckAuth($permissionLevel)
{
    require("config.php"); // provides $con, the mysqli connection

    //User ain't been logged in?
    if(!isset($_SESSION["login"])) {

      return 0;
    }

    //Alright user is logged in, lets check the level...
    //1 = User, 2 = OP (or Admin)
    //Bind the session value instead of concatenating it into the SQL
    $stmt = mysqli_prepare($con, "SELECT Level FROM delegations WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $_SESSION["login"]);
    mysqli_stmt_execute($stmt);
    $results = mysqli_stmt_get_result($stmt);

    while($row = mysqli_fetch_array($results)) {

      //level 3 or above passes; == would lock out higher levels
      if($row["Level"] >= $permissionLevel)
      {
        return true;
      }

    }
    //A Location header makes PHP answer 302, so the 403 status itself
    //has to come from /403.html; a "Status:" header is not needed here
    header("Location: /403.html");
    exit;
}
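This answer's deny path is where the HTTP status gets lost: `header("Status: ...")` is a CGI-style line that is not interpreted reliably, and a `Location:` header makes PHP respond with 302 unless a 3xx or 201 status was already set, so the client is told the page moved rather than that access was denied. The added example below, which is not code from the answer, shows a deny routine that sends a real 403 via `http_response_code()` while still emitting the page layout the question wants to keep. It assumes a `checkAuth(int $required): bool` helper defined elsewhere and the hypothetical layout partials `header.php` and `footer.php`.

```php
<?php
// Added example, not code from the question or answers. Assumes a helper
// checkAuth(int $required): bool defined elsewhere (hypothetical name) and
// the hypothetical layout partials header.php / footer.php.
declare(strict_types=1);

/**
 * Stop the request with a genuine 403 while still rendering the layout.
 *
 * Must run before any output: once headers are sent the status line can
 * no longer be changed, so in that case we only stop emitting content.
 */
function forbid(string $message = 'You are not allowed to view this page.'): void
{
    if (headers_sent()) {
        exit;
    }
    http_response_code(403);            // the status the server really sends
    header('Cache-Control: no-store');  // keep the denial out of shared caches
    require 'header.php';
    echo '<h1>403 Forbidden</h1>';
    echo '<p>', htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), '</p>';
    require 'footer.php';
    exit;
}

// Guard first, before the page writes anything.
if (!checkAuth(3)) {
    forbid();
}

// Only users with level 3 or above reach this point.
require 'header.php';
echo '<p>Restricted content.</p>';
require 'footer.php';
```

Serving the error body directly instead of redirecting keeps the 403 on the original URL, which is what monitoring, access logs and clients such as crawlers key on; a 302 to `/403.html` shows up in the logs as a successful redirect.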