I realize this probably isn't something that can be done, or probably something that shouldn't be done. But here's my situation. Perhaps someone knows of a better way to go about it than I do.

I have two sections that both have logins. Admin and Members. Some Admins can access the Members section and I don't want them to have to log in twice. I also don't want logging out of one area to log them out of both - so I used session names to separate the two.

Is there a way for me to check if the session named 'admin' exists and if so to hand its values over to the portal session? Or perhaps there's a better way of going about this that I simply haven't found yet?


Without knowing how you implemented the logic...

I think there may be a few ways to go about this. Have you considered introducing the concept of a role? For example, when a user logs in, maintain a session variable that stores a role. If the user is an admin, then the user should have access to both sections.

It also sounds to me like you may want to consider having one login app to handle both users and members.

Member Avatar for diafol

You could do as phpBB does and have a single login for all. Then if you need to access the admin area, you have to log in again (same details).

Do you currently use cookies to log people in? Is that working successfully for you already?

As Jorge pointed out, different members can have different roles/groups/etc tied to their accounts in the database. When you check their login information against their credentials in the database, you can see what kind of person they are and show them the right information.

See the problem is I'm tweaking someone else's work so it's kinda all over the place. At first we were just adding on a members portal, where members could log in and view events and whatnot. But we wanted to keep the members separate from the admin users so I split it up into two tables. There are admin roles and members roles.

But after that someone decided that the admins who had access to the portal side data should be able to log into the portal to see that the data was displayed properly (or something to that effect, like I said, it's kinda all over the place). Which okay that was fine, I just had to tweak it so it checked both the admin and members tables for permission. And then after that someone decided it might be nice if they didn't have to log into the portal if they were already logged into the admin section.

So basically, I do need to consolidate it back to one script and go from there, rework the logic a little since it's gotten kind of fragmented.

That then leads me back to is there a way that the log out script only works for one section. Like if I log into both admin and portal but only log out of the portal section that it doesn't destroy the entire session. I suppose I could just unset the relevant variables somehow....

Member Avatar for diafol

This isn't very different to the phpBB method I mentioned.
However you need:

One users table (members, admins etc) and supply roles.

Everybody can log in using the same login form.
You can display a log into 'admin area' if the user is an admin. You can decide whether or not they need to log in again. It's not a bad idea to do so - it may prevent a user getting into the guts of your site if they happen upon an admin's 'normal user' mode.
Anyway, once logged in again (or not) - the admin can enter the admin area and do whatever's needed. In this area, you could have a 'logout from admin area' link, which would just log them out of the admin area and still leave them logged in as a general user (but with the admin area link visible).

For this I'd use sessions: you only need to propagate 3: user_id (integer), user_role (integer), admin_area (bool). You get the rest of the info every time on new page load, unless you want to carry username etc in session vars - up to you. So as you've guessed, the 'admin_area' holds the info as to whether the admin area is available to the user.

BUT, that's just my take. Dani is the real expert here - she built this version of DW from scratch.

Even if I leave the two forms and tables separate I'd still get the same functionality. So I don't think that part needs to be reworked.

The part I need to fix is on log out.

Say the admin logs into the admin section and then they go to the members portal. It checks to see if they are already logged in and verify they have access (I've already got this set up). The trouble is when they log out (because it's using destroy_session()) it logs out of everything. So what would be a better way of handling the logging out? At this juncture reworking everything isn't really an option sadly.

Member Avatar for diafol

This is what I was discussing. The logout on the admin pages doesn't destroy the session, it just unsets the session variable for $_SESSION['admin_area'].

admin_logout.php

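<?php
session_start(); // resume the existing session so $_SESSION is populated

// Close only the admin area; the member login stays intact.
if (isset($_SESSION['user_role']) && $_SESSION['user_role'] == 'admin' && isset($_SESSION['admin_area'])) {
    unset($_SESSION['admin_area']);
}
header("Location: /index.php");
exit;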

This now allows admin to continue to use the member site (logged in) but s/he cannot access the admin area unless s/he logs in again via the admin login form.

This is just an example - as I said, similar to the functionality on phpBB
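
The single-session layout described above (user_id, user_role, admin_area) with an admin-only logout and a full logout side by side, as an added example that is not code from the thread or from phpBB. The function names, the integer role codes and the /admin/login.php path are assumptions for illustration; the session ID is regenerated whenever the privilege level rises.

```php
<?php
// Added example: one PHP session, three values, two logout scopes.
const ROLE_MEMBER = 1, ROLE_ADMIN = 2;   // assumed integer role codes

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
}

// Call after the shared login form has verified the password.
function login_user(int $userId, int $role): void {
    start_session();
    session_regenerate_id(true);         // fresh ID on login (session fixation defence)
    $_SESSION['user_id']    = $userId;
    $_SESSION['user_role']  = $role;
    $_SESSION['admin_area'] = false;     // admin area stays closed until step-up
}

// Call after an admin has re-entered credentials on the admin login form.
function enter_admin_area(): bool {
    start_session();
    if (($_SESSION['user_role'] ?? null) !== ROLE_ADMIN) { return false; }
    session_regenerate_id(true);         // fresh ID on privilege change
    $_SESSION['admin_area'] = true;
    return true;
}

// Guard for the top of every admin page (hypothetical login path).
function require_admin_area(): void {
    start_session();
    if (($_SESSION['user_role'] ?? null) !== ROLE_ADMIN || empty($_SESSION['admin_area'])) {
        header('Location: /admin/login.php');
        exit;
    }
}

// Admin-only logout: drops the flag, the member login survives.
function leave_admin_area(): void {
    start_session();
    unset($_SESSION['admin_area']);
}

// Full logout: clear the data, expire the cookie, destroy the session.
function logout_everything(): void {
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Because the role is checked again in `require_admin_area()`, a leftover or forged `admin_area` flag on a member session does not open the admin pages.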
