I have made a PHP application which will be used by many users. When a user logins, i create a session and keep the user id and some other details in the session. There are some ajax requests when the user edits his profile. So in no way i am exposing the user id. But i always refer to the session. Even when the user saves his profile, the controller gets the id from session and then passes it to the model.
Now there is an admin, who should be able to view/edit any profile. This is done. I have a admin page with a user table. When he clicks on any player, it goes to another controller, which creates the session for that user and then admin can edit the profile. Any requests that go from the admin page, the session is first erased keeping the admin variable active and then the user session is appended.
Problem: When the admin tries to view multiple profiles at once, he can do that. But when the admin tries to edit multiple profiles at the same time(open new browser tabs for each user), it fails because the the last tab what he opens sets the new session for that particular user.
How can I get over this scenario ? What options do i have ? Is it possible ?
I don't want to append user'ids on all urls. They are not safe, especially for urls which do update/delete.
The short answer:
if it is under the admin panel you may pass the id of an user, it is safe, you trust your admins right?
Long answer (my own idea):
Store the reference, unique id to the user, and pair it with the session variable.
For instance:
$_SESSION['editing_users'][YOUR_USER_ID] = uniqid();
then print it in the form.
After submitting the form you should get the variable, passed via input with hidden attribute.
Find the unique id in your session array, and get ID of the target user from the key.
Related
I currently have a file using $_GET['id'] = $userProfileNumber, to uniquely produce appropriate user data.
My question is: In order to make sure I redirect the user to their OWN profile should I be referencing "profile.php?=".$ownID in all profile links? Or is there an easier way? Thank you.
$ownID= id from email column upon login, used to represent logged in user.
You could store their ID in a session upon login and have profile.php get the ID from the session rather than the URL parameter using $_GET.
I would divide the answer into two major scenarios.
First scenario: The profile page is public. You are interested that each user would see the profile of his mate. In this case, I would totally agree with your way, as there are lots of users. Even here, on Stackoverflow, you can click on my profile below and witness the user id in the URL (with additional user name which is not required, just for prettiness' sake).
Second scenario: The profile page is private. It is merely intended for the use of the current logged in user. Here, I would go with the idea of Ben Fried - caching the repeated user data as a cookie or in local / session storage and pass it as a HTTP header / payload.
Security issues in this approach: you should consider an authentication mechanism. I.e generating an authenticated token on log in to be stored for a later use. In each request, validate this token and only then retrieve the desired and protected data.
Here is the idea for keep track of a user in an online-shopping website:
1 - When a user comes in for the first time, I'll create a random hash and I'll send this hash through a cookie to the user and simultaneously I'll create a user with this hash in my Users table.
In that table I will store many users data like: (and I use mongodb by the way)
* User page visit
* User choose products (means user cart in my shopping cart)
* User last login
and ....
2- When the same user comes again (say a day later), he will send that cookie (hash id) and I'll search into my database for that id and retrieve any data I want (e.g shopping-cart info).
I think this works fine and is a good way track the user (Do you agree on this?)
Problem :
What if a user cleans his browser history?
How do sites like youtube save our data (favourites and .... ) and even if I clear my browser or use another ip they had my favorites ready for me without logging into my account?
youtube-like sites store each and every details about the user interactions. For showing your favorites, your likes and other things it saves the data on the server. Whenever the user logs in, the users data will be shown. If you want to implement this, then it is better to go for cloud computing to manage data efficiently.
I want to add a product in the cart for the guest user
I have created on session by inserting the guest user information in database as follows in my header file which is been including on every view as common
<?php $this->load->view('common/header'); ?>
Below it is what I used at the top of my header file
<?php if($this->session->userdata('user_id')=='')
{
$this->home_model->addguestUser();
}
$info = $this->home_model->productinfo($ProductID);
?>
Now this calls the information is used by my home model to create a session according to user_id from database
The first thing I want is to stop to interact with the database because whenever anybody visits my site the data is add as guest in the database which is very dangerous if the number of people visits on my site increased
I want to create session without making any major changes in my current code and I want to create a session with some random variables and then use it to every page
My current flow of data is as follows
Whenever any persons visits my site then the guest user is created automatically.
Then this session is used throughout the site in the static page also
If the user goes and adds product in the user cart it will automatically gets added in the cart as well as in the entry goes in database
If he is the guest user and adds the product in the cart then after he clicks on the checkout page he will first ask to login to his id if he is registered user .
What I want the flow should be
As of now the database interaction for the guest user should not be there i.e if he is guest user then the database use should be not there.
But the session should be created for the guest user also.
For guest user don't add selected product into database but just store in session. Save data in session for guest user. Once they click for checkout ask them for login or register. After login add their saved(saved in session) data in database.
If they don't register or login, session would automatically destroyed when they leave your site.
Hope this is what you want.
I have set up a basic system where users can sign up, login and view their own profile. However, currently their information is displayed on the profile page using a SESSION variable to store their username. All other data is then based on this. However if they then view another persons profile, the information will not be correct because it will alter to show whatever result was pulled from $ session.
How would I create properly functioning profile pages. A good example of what I am trying to achieve would be YouTube. Whenever a user adds a comment, their username is attached, this then acts as a link to their profile.
I don't have any code for this. I wouldn't know where to start.
Because there is no code for me to try and help you out I will give you a few pointers.
First of all don't use the usernames of the users to identify and link them to their profile 2 or more people could have the same username then you are screwed, rather use their id's to uniquely identify them.
Keep the users data that is currently logged in, in the session variables because you don't want to lose this when he navigates away from the browse user profiles page.
If you use the users id's to identify them you can send their id through the url without to much of a security issue. So where you display all the users to view you can create a url that looks something like this href="user_profile.php?user_id=<?php echo $user_id; ?>". Then on the page where you want to view the user profile that has been selected you can use $_GET['user_id']. You can then use the id to get all the details for that specific user by querying the databse for a user with this user_id.
destroy the session while user logout. so you can got proper data
you are using session of username of user which is logged in.
so user who is logged in can view his own profile with session username.
if user want to view profile of another user then there you have two way to perform it.
Create another page to view any user profile. pass username as query string and find user information which you want to display.
or
2-Use same page of user profile for your own and other. and pass the username on this page whose information you want to display.
you have to apply a condition there that is -- if there is set a username pass through post or get method retrieve the information of the passed user. or if not set that retrieve the information of the user which is in session (own information)
Is it possible to edit the session data of a user who has logged in?
Eg. User norman logs in, and the following session cookie is set $_SESSION['addPost']=0
This means a user can add posts. Lets say I want to block that user from adding posts. I need to set that cookie to 1. Can i change the cookie value? Because, untill a user logs out and logs in again, it will not change, and he'll still be able to add posts.
How can this be done?
Do not edit the session variable. There's much better approach for this purpose.
Use one more column in users table named post_access. If you allow Norman to post, its value would be 1, while blocked user will get 0.
Let's say you have blocked a user from posting, so you have changed the value in post_access column to 0 in users table.
Now in the script of your post creation, before posting the data, make a condition if user's post access is set to 1 or not by comparing with the new queried user data from table 'users' using session name of author.
Sample:
$userdata = get( 1 from "users" where user = "$_SESSION['user']"); //don't mind the get function. Use your own QUERIES. Just mind the logic.
$post_access = $userdata['post_access'];
if($post_acess == 1){
//post the data
}else{
//Bro you are blocked
}
This would be most effective way to control posts.