
Hi everyone. I've done research and I can't seem to figure out what my code is doing. I know that session variables should change unless changing them or removing them. I don't think the issue is specific to the browser's back button either, because the variable in question doesn't seem to work when accessing another page forward; it just works from the home page into another page, but when I access another page it doesn't seem to work.

I am building a custom CMS (it has to be custom, I already pondered all the other options). I'm basically doing an access control script. First I tried it by storing the user role or user type in the session as a variable, but it wouldn't work when pressing back or going a third page in. The variable is used to show menu links depending on the user type.

This is how I check for my session:

$now = time();
// Start the session (only if none is active yet) before touching $_SESSION
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// Send the visitor to the login page when nobody is logged in
// or the session is older than one hour
if (!isset($_SESSION['session_user_name']) || $now - $_SESSION['session_start'] > 60*60) {
    header('Location: login.php');
    exit;
}
//$user_name        = $_SESSION['session_user_name'];
//$user_type        = $_SESSION['session_user_type'];

require(CMS_ROOT.'/classes/acl.php');
$user_role  = new ACL();
$user_type  = $user_role->userRole;

This is my ACL class:

class ACL
{
    public $userID   = 0;     // Integer : ID of the current user
    public $userRole = '';    // String  : role (user_type) of the current user

    // PHP's constructor is __construct; a method called __constructor plus a
    // PHP4-style ACL() method is not invoked automatically on PHP 7/8
    function __construct($userID = '')
    {
        if ($userID != '') {
            $this->userID = intval($userID);
        } else {
            $this->userID = intval($_SESSION['session_user_id']);
        }
        $this->userRole = $this->getUserRole();
    }

    function getUserRole()
    {
        global $table_prefix;
        $user_id = (int) $this->userID;   // integer cast before building the SQL
        $strSQL = "SELECT user_type FROM {$table_prefix}users WHERE user_id = $user_id";
        $data = mysql_query($strSQL) or die(mysql_error());
        $row  = mysql_fetch_assoc($data);
        // No matching row: return an empty role rather than the string 'null'
        return $row ? $row['user_type'] : '';
    }
}

And this is the menu:

<nav>
<ul>
      <?php // debug output of the current role; closing tags below use the full
            // <?php form because the short <? form needs short_open_tag=On
            echo $user_type; ?>
      <?php if ($user_type == 'administrator' || $user_type == 'manager') { ?>
      <li><a href="<?php echo $cms_path; ?>/index.php">Home</a></li>
      <li><a href="<?php echo $cms_path; ?>/users/user_view.php">Users</a></li>
      <li><a href="<?php echo $cms_path; ?>/clients/client_view.php">Clients</a></li>
      <?php } ?>
      <li><a href="<?php echo $cms_path; ?>/albums/album_view.php">Albums</a></li>
      <li><a href="<?php echo $cms_path; ?>/logout.php">logout</a></li>
    </ul>
</nav>

I hope someone can help or steer me in the right direction.

  • Just as a suggestion, I would propose not reinventing the wheel here and instead going with a well-established framework (Laravel is my favorite - http://laravel.com/docs/5.1) and leveraging prebuilt user management libraries (like confide https://github.com/Zizaco/confide). There are so many little security nuances that go into building a solid authentication system that these libraries can take off your plate – Jonathan Crowe Jun 26 '15 at 00:46
  • I didn't understand what your problem is. I understood you tried adding a variable to the session and it didn't work. Did you serialize it? Also, you are commenting that `$userID` is an integer, but some lines after you're using `floatval()`; is it an integer or is it a float? – Fabiano Araujo Jun 26 '15 at 00:46
  • @Jonathan Crowe this is for a custom service solution, so it has to be as custom as possible. It would be like WordPress building WordPress over a framework. We need to maintain as much control over the code as possible; we can't rely on whether the framework stays in active development and support over the foreseeable future, as it would affect the whole business idea. – Xavier Serrano Jun 26 '15 at 02:42
  • @FabianoAraujo the problem is that when I navigate/click through the navigation it should show me links depending on the user_type. It works when I log in and then click on Users, but when I click inside Users to modify a user it doesn't show me the other links. That happens also when I click on Users and then click back to go to the index: the links won't appear unless I do a refresh of the page. A refresh only works on the index and in Users; when I'm modifying a user, refreshing won't show the links, as if it's not pulling the $user_type variable – Xavier Serrano Jun 26 '15 at 02:45
  • @XavierSerrano obviously you know your application requirements better than me, but just for your information, there is in fact a CMS built on top of Laravel: https://octobercms.com/ And it is not analogous to building WordPress on top of WordPress; it is analogous to building WordPress on top of Laravel, Zend, Yii, or any of the other plethora of PHP frameworks out there. On top of that, Laravel 5.1 and other PHP frameworks have LTS, which means you can be sure they will stay in active development and support over the foreseeable future. – Jonathan Crowe Jun 26 '15 at 07:10
  • OK, it seems I got it working clicking forward on links, as in it shows on all the pages correctly. The problem remains on the browser back button: when I click on it, it doesn't seem to get anything from the $_SESSION variable – Xavier Serrano Jun 26 '15 at 14:10
  • OK, if anyone wants to know, I figured it out: I needed to make sure it wasn't loading from cache and that it was forcing the script again, by adding a few headers I found here [link](http://stackoverflow.com/questions/24958586/session-empty-back-button-browser-cache) – Xavier Serrano Jun 26 '15 at 14:57

2 Answers


OK, there are a few things I found out during this process.

1) Most important: think about security. If you are not a full-on PHP security expert, think about finding someone that is. I and my employer will have to do this at some point.

2) Think about caching. The back button loads a cached version of the page, so some dynamic elements get lost in the process.

For this, make sure to use this code on, at least, your dynamic pages:

<?php // These headers tell the browser to not load anything from cache at all
// and force the browser to make a server request even on a Back click
// Allowing us to verify the token
header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");    // Date in the past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate");  // HTTP/1.1
header ("Pragma: no-cache");
?>

3) Make sure you start the session before you do anything else that will use the session.

4) Look into php.ini variable settings, specifically the ones related to sessions such as session.cache_limiter and session.gc_maxlifetime. You can use ini_get() to retrieve values of php.ini variables and ini_set() to set said variables, which is very useful for almost anything php.ini related.

Thanks to everyone that responded; every answer was helpful.
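The session check from the question, the no-cache headers from point 2 and the "start the session first" rule from point 3, combined into one include, as an added example that is not code from the question or from either answer. It assumes a hypothetical `login.php` that stores `session_user_id`, `session_user_type` and `last_activity` in the session after a successful password check; the role names come from the question's menu, and `member` is an assumed name for the non-privileged role.

```php
<?php
// Added example (not the asker's or Scalable's code): one include, named
// auth_check.php here as an assumption, that every protected page requires
// before producing any output. login.php is assumed to have verified the
// password and stored session_user_id, session_user_type and last_activity.

const IDLE_TIMEOUT = 3600;          // seconds; explicit, not left to session gc
const ROLE_MENU = [                 // allow-list: role => visible menu items
    'administrator' => ['Home', 'Users', 'Clients', 'Albums'],
    'manager'       => ['Home', 'Users', 'Clients', 'Albums'],
    'member'        => ['Albums'],  // assumed name for the non-privileged role
];

function requireLogin(int $now): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();            // must run before any $_SESSION access
    }
    $idle = !isset($_SESSION['last_activity'])
        || $now - $_SESSION['last_activity'] > IDLE_TIMEOUT;
    if (!isset($_SESSION['session_user_id']) || $idle) {
        $_SESSION = [];             // discard the stale session, then bounce
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_activity'] = $now;  // sliding idle window
}

function sendNoStoreHeaders(): void
{
    // Sent after session_start() so they replace the session.cache_limiter
    // defaults; no-store also keeps the back/forward cache from replaying a
    // page rendered for a user who has since logged out or timed out.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function menuFor(?string $role): array
{
    // Unknown or missing role yields nothing, never the admin menu.
    return ROLE_MENU[$role ?? ''] ?? [];
}
requireLogin(time());
sendNoStoreHeaders();
foreach (menuFor($_SESSION['session_user_type'] ?? null) as $label) {
    echo '<li>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

Because the role is read from the session rather than queried on every page, the menu no longer depends on a database round trip that a cached copy of the page would skip.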

  • This is an old question, and surprisingly, in the time that has passed I now would totally take the approach suggested in the comments below my original question. I had problems with frameworks because of the argument of adding layers to an application in terms of how the software is built, e.g. the programming language > the code/framework > the app. As it is, I don't think anyone should be building 100% custom apps without the use of a framework. Nowadays Symfony or Laravel (which is actually built on top of Symfony) are both great starting points. – Xavier Serrano Jul 07 '16 at 21:49

There is no need to check the timeout using

$now - $_SESSION['session_start']>60*60

Session timeout is controlled by the PHP config

 session.gc_maxlifetime

Also, there is no need to use floatval; instead do the following:

 $this->userID = intval($userID);
– Scalable
  • Thanks, I'll take any comment, although they didn't fix the main issue; I want the code to be as clean as possible. – Xavier Serrano Jun 26 '15 at 01:45
  • You should invest a little time [here](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) – Scalable Jun 26 '15 at 01:53
  • Thanks, I did that; it didn't solve it but it was pretty informative. The `session.gc_maxlifetime` is set at 1440, which is the default – Xavier Serrano Jun 26 '15 at 02:45