Is it possible to edit the session data of a user who has logged in?
E.g. user norman logs in, and the following session value is set: $_SESSION['addPost']=0
This means the user can add posts. Let's say I want to block that user from adding posts. I need to set that value to 1. Can I change the value? Because until the user logs out and logs in again, it will not change, and he'll still be able to add posts.
How can this be done?
Do not edit the session variable. There's a much better approach for this purpose.
Use one more column in the users table named post_access. If you allow Norman to post, its value would be 1, while a blocked user will get 0.
Let's say you have blocked a user from posting, so you have changed the value in the post_access column to 0 in the users table.
Now in the script of your post creation, before posting the data, add a condition checking whether the user's post access is set to 1 or not, by comparing with the newly queried user data from the 'users' table using the session name of the author.
Sample:
// Re-query the user on every request instead of trusting a cached session flag.
// Use your own queries; $pdo is assumed to be an open PDO connection. Just mind the logic.
$stmt = $pdo->prepare('SELECT post_access FROM users WHERE user = ?');
$stmt->execute([$_SESSION['user']]);
$userdata = $stmt->fetch(PDO::FETCH_ASSOC);
$post_access = (int) ($userdata['post_access'] ?? 0);
if ($post_access == 1) {
    //post the data
} else {
    //Bro you are blocked
}
This would be the most effective way to control posts.
I'm searching for a solution to allow a user to be logged in only once at the same time. I'm new to Laravel and in this case I'm using it nearly out of the box (file session driver and default auth-handling with custom views).
My idea is to 'reset' the auth for a user after he logs in a second time, to automatically make all other active sessions invalid.
So my primary question is: Is there a way to accomplish this with some Laravel magic or do I need to invent this feature myself?
What you also could do is the following:
In your user table, add one column:
sessionID (varchar or text)
Now what you want to do here is the following:
When a user logs in, store the ID of the session in the sessionID field. Every time the user loads a page or makes a request, check if the sessionID value in the DB is the same as the sessionID of the user that is logged in. If it isn't, kill the session and make him log in again.
Now, when a user logs in, check the user table to see if the sessionID value is already filled. If so, change it to the new sessionID. The result will be that all requests with the old sessionID will be invalid (because of your check) and the user can only access your webapp/website with the new session.
Thus this makes sure that your user is authed uniquely.
I have made a PHP application which will be used by many users. When a user logs in, I create a session and keep the user id and some other details in the session. There are some ajax requests when the user edits his profile. So in no way am I exposing the user id. But I always refer to the session. Even when the user saves his profile, the controller gets the id from the session and then passes it to the model.
Now there is an admin, who should be able to view/edit any profile. This is done. I have an admin page with a user table. When he clicks on any player, it goes to another controller, which creates the session for that user and then the admin can edit the profile. For any requests that go from the admin page, the session is first erased, keeping the admin variable active, and then the user session is appended.
Problem: When the admin tries to view multiple profiles at once, he can do that. But when the admin tries to edit multiple profiles at the same time (opening a new browser tab for each user), it fails because the last tab he opens sets the new session for that particular user.
How can I get over this scenario? What options do I have? Is it possible?
I don't want to append user ids on all urls. They are not safe, especially for urls which do update/delete.
The short answer:
if it is under the admin panel you may pass the id of a user, it is safe, you trust your admins right?
Long answer (my own idea):
Store the reference, unique id to the user, and pair it with the session variable.
For instance:
$_SESSION['editing_users'][YOUR_USER_ID] = uniqid();
then print it in the form.
After submitting the form you should get the variable, passed via input with hidden attribute.
Find the unique id in your session array, and get ID of the target user from the key.
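The per-tab token scheme from the answer above, written out as an added example (not code from the original answer). It keys the session map by token rather than by user id, so resolving a submitted form is a direct lookup instead of a search, and it uses random_bytes() in place of uniqid(), which is time-based and guessable. The function names and the edit_token field name are my own; it assumes session_start() has run and the admin is already authenticated.

```php
<?php
// Added example: bind each open edit form to an unguessable token stored in the
// admin's own session, so the target user id never travels in the URL and several
// tabs can edit different users at once without clobbering each other.

// Call when rendering the edit form for $targetUserId; embed the returned token as
// <input type="hidden" name="edit_token" value="...">.
function beginEdit(int $targetUserId): string
{
    // 128 bits from the CSPRNG; uniqid() would be predictable from the clock.
    $token = bin2hex(random_bytes(16));
    $_SESSION['editing_users'][$token] = $targetUserId;
    return $token;
}

// Call on submit; returns the user id bound to the token, or null when the token is
// unknown (expired session, tampered form, or a token from a different admin).
function resolveEdit(string $token): ?int
{
    $map = $_SESSION['editing_users'] ?? [];
    if (!array_key_exists($token, $map)) {
        return null;
    }
    return (int) $map[$token];
}

// Drop the token once the edit is saved so the same form cannot be replayed later.
function finishEdit(string $token): void
{
    unset($_SESSION['editing_users'][$token]);
}

// Form handler sketch (constructed usage, not a full controller):
// session_start();
// $token  = $_POST['edit_token'] ?? '';
// $userId = resolveEdit($token);
// if ($userId === null) {
//     http_response_code(400);
//     exit('Invalid or expired edit token');
// }
// ... apply the admin's profile changes to $userId, after the usual admin authorization check ...
// finishEdit($token);
```

The map lives entirely server-side, so the hidden field only proves that this browser rendered this form during this session; it does not grant anything by itself, and the admin-role check still runs on every submit.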
I have developed a login page using PHP which is used by teachers and students for log-in.
After login, I can create a session variable to keep him/her logged in until he logs out.
$_SESSION['id']=12;
Now when they log in for the first time I want them to enter extra information, by providing them with different forms depending on whether he is a teacher or a student.
Now my question is how will I identify the type of user during his session?
What changes do I need to make in Session variable or what extra information do I need to store?
(I already have created the database with default passwords for all teachers and students and now need to enter extra information from them as I described).
If you can retrieve the user's information on the fly from the database, the best thing to do (if there are only two roles and not extensive permissions) is add a role field to your users table.
Make it a boolean, so that 0 = student, and 1 = teacher.
You would then check for this using an if() statement to decide which form to display, e.g.
if($user_data['role'] == 0){
// Display student form
} elseif($user_data['role'] == 1) {
// Display teacher form
}
You could store this in a $_SESSION['role'] variable if you don't want to have to get this from the database every time you reload the page.
There are numerous ways to achieve this. If you’re storing the user ID in the session, then you can look up the user’s details and permissions based on their ID. So if you have a user_type column in the database table where you store whether the user is a teacher, student, goblin or whatever, then you can check the value of this in your PHP script.
If you need to save the information (username, password, and teacher or student as a flag) in the session, you can do the following: after login, save $_SESSION['username'], $_SESSION['password'] and $_SESSION['flag']; then the session will be serialized as a string and saved in the session file.
Let's make this easy,
I'd rather change my database, adding one more column named "access" or "privilege",
1 for the teachers and 2 for the students,
then you can filter on the status, which defines which menu should show up.
I got a problem: when the user is logged in, I assign the user their id, for example 126. But when I am doing maintenance, or deleting some banned user, for example user id 126 will be removed from the database, but user 126 still has the number 126 in his session. How can I 'delete' his session content when I detect that my database has a user id that was deleted? Thank you.
Sounds to me like you are worried about ID 126 being blocked even if it gets assigned to a new user.
Shouldn't be a problem, cause IDs in those cases (usually) get created in an auto increment fashion and the DB (MySQL for sure, most others probably, too) chooses the next higher value to the highest ever generated value in such an auto-increment field.
So if the highest assigned value was 1234, then you can delete what you want, the next value is going to be 1235.
So your problem is not really a problem as it seems to me.
There are 2 solutions that I can think of for this:
1.) Store the user credentials in the db;
every time the user makes an action you can check the credentials, then kick the user out if already banned. I don't think its
2.) Cache the logged-in users; the cache should be global so the banned user's session can be checked.
Please help me start in the right way. I want to add an 'if user is online' system, which I will use to prevent multiple logins under 1 name; this system will also add an option showing users who is online at the moment.
I understand that I need a mysql table where I will store online users. But how can I know each second if the user is still here? If he logs out then ok, it's easy, but what if he restarts, or something else? So how can I control all users and know their status per second?
UPDATE After some discussions with Cupcake I decided to have only who's online feature, letting 1 user to log in multiple times, cause it's difficult to prevent him from doing that in a comfortable way.
Renew this table record each time the user requests a page, updating the access time field.
Delete from this table all records whose access time field is older than some reasonable timeout, like 5 min.
To prevent multiple logins under 1 name you have to store the session id in the users table:
when the user logs in, store the current session id in this field;
every time the user requests a page, compare this id against the actual session id, and make the user re-login if they differ.
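The session-id binding described in this answer and in the earlier Laravel answer (store the session id on the user row at login, compare on every request, kill the session on mismatch), combined with the per-request re-check against the database that the ban/deleted-user thread asked for, as one added example in plain PHP with PDO. This is not code from any of the answers or from Laravel. It assumes a users table with columns id, session_id and post_access (0 meaning blocked, as in the first answer on this page), an open PDO connection $pdo, and that session_start() has already run; the function names are my own.

```php
<?php
// Added example: bind the session to the user row and re-validate it on every
// request, so a newer login, a ban, or deleting the user all end the old session.

// Call after the password check succeeds. Rotating the id first means the old
// session cookie (if anyone else holds it) no longer names a valid session, and
// the stored id now identifies this login only.
function bindSessionToUser(PDO $pdo, int $userId): void
{
    session_regenerate_id(true);        // new id, old session file deleted
    $_SESSION['user_id'] = $userId;
    $stmt = $pdo->prepare('UPDATE users SET session_id = ? WHERE id = ?');
    $stmt->execute([session_id(), $userId]);
}

// Call at the top of every authenticated page. Returns the fresh user row when the
// session is still valid; otherwise destroys the session and returns null.
function currentUserOrLogout(PDO $pdo): ?array
{
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        return null;                    // not logged in at all
    }
    $stmt = $pdo->prepare('SELECT id, session_id, post_access FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    $valid = $user !== false                                              // row still exists (user not deleted)
          && (int) $user['post_access'] === 1                             // not banned since login
          && hash_equals((string) $user['session_id'], session_id());    // this is the newest login for the user
    if (!$valid) {
        endSession();
        return null;
    }
    return $user;
}

// Clear server-side data and expire the cookie so the browser stops sending the id.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Per-page usage (constructed):
// session_start();
// $user = currentUserOrLogout($pdo);
// if ($user === null) { header('Location: /login.php'); exit; }
```

Because the row is re-read on each request, nothing cached in $_SESSION is ever the source of truth for authorization; the session only carries the user id. The second login overwrites users.session_id, so the first browser fails the hash_equals() comparison on its next request and is logged out, which is exactly the "make the user re-login" step above.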
What you could do, which is what I sometimes do, is this: in the user table have a column named session_hash or something similar.
And each time the user logs in, generate a new session hash yourself or use the session_id PHP has, as long as you use session_start on each page.
Then, to retrieve the user's row from the database, have a cookie with that session_hash.
Example
Login form
Username: [ ]
Password: [ ]
Remember?: [*]
[ Login ]
PHP page does the following
User logs in ->
System generates a session_id or "salt"
Updates the users row with the session_id or "salt" value
Check if the value of the "remember" checkbox is true ->
Sets a cookie with that session_id or "salt" with a month or so expiration date
Otherwise just create a normal cookie with the value
Then on each page do the following
Check if the session_id or "salt" cookie is set ->
If it is, fetch the users row from the database
SELECT * FROM users WHERE session_id/"salt" = value of cookie
What all this does is let the user choose if they want to be remembered each visit; if they do, create a cookie that doesn't expire for at least a month, that way they will be remembered next time they come to the site, but if they log in from another browser or computer the "salt" won't be valid on the other computer.
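The "salt" cookie flow from this answer as an added example (not the answer's own code), with two hardening choices of my own: the database stores only a SHA-256 hash of the token, so a read-only leak of the users table does not hand out working logins, and the cookie is marked HttpOnly and Secure so scripts and plain-HTTP requests cannot read it. It assumes a users table with columns id, username and remember_hash, an open PDO connection $pdo, and PHP 7.3 or later for the array form of setcookie(); the cookie name and function names are my own.

```php
<?php
// Added example: persistent "remember me" login keyed by a per-login random token.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// On login with the "remember" box checked: issue a fresh token for this browser.
// A token issued earlier to another browser is overwritten and stops working,
// which is the single-device behaviour the answer describes.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $token = bin2hex(random_bytes(32));                 // 256-bit random token
    $stmt = $pdo->prepare('UPDATE users SET remember_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]); // only the hash is stored
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On a request without a live session: look the browser's token up by its hash.
// Returns the user row, or null when the cookie is absent, malformed, or revoked.
function userFromRememberCookie(PDO $pdo): ?array
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {      // reject anything but our format
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE remember_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

// On logout: clear both the row and the cookie so a copied cookie cannot be replayed.
function revokeRememberToken(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare('UPDATE users SET remember_hash = NULL WHERE id = ?');
    $stmt->execute([$userId]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Usage on a page load (constructed):
// session_start();
// if (empty($_SESSION['user_id']) && ($u = userFromRememberCookie($pdo)) !== null) {
//     session_regenerate_id(true);       // fresh session id before elevating to logged-in
//     $_SESSION['user_id'] = (int) $u['id'];
// }
```

A plain SHA-256 is adequate here because the token is 256 bits of CSPRNG output rather than a user-chosen password, so there is nothing for a slow hash to protect against. Reusing PHP's own session_id() as the remembered value, which the answer offers as an alternative, works too, but then the session id lives in a long-lived cookie and in the database, so a separate random token keeps the two lifetimes apart.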
Simply invalidate all old sessions of the user, once he opens a new one. In that way, he can only run one session (aka one login) at a time.