Verifying users by setting up several session vars, is it a security risk?!


ConfusedOfLife
05-07-2003, 09:36 PM
Hi

I have to write a CMS that does something! I also have to make a user accounts area for the super user to add users and also define their permissions in using different parts of the control panel.

If it's a normal verification script, looking up the username & password in a database, I could write it in an include file and include it in all my pages. But what I have in here is really different, I don't wanna check for the user permissions in all the pages. In order to get around it, I came up with this:

I check the username & password in the first page of the control panel, if it's valid, I set up a session variable with the value of "true", and then I make an array that contains the permissions that the user has, like Editing, Adding and etc.
So, in the other pages, I just check if that first session variable is true, and if yes, I lookup the permissions array and if he/she has correct permissions to use my page, I'll allow him/her to do so.

So, what do you think? Instead of checking for the username & passwords in all the pages, I'm just doing it in one page. Is there any security hole in this?! Can anyone fake a session variable?

firepages
05-08-2003, 11:12 AM
hmmm yes and no if that helps.

Yes it is possible to hijack a session but you can take precautions to make that harder to do.

When you authenticate, store the username and/or user table ID in a session variable along with the IP at the time of authentication, then whenever you check if a user is authenticated, check that the IP also matches.

Still not impossible to spoof but harder for sure.

+ If you can enforce that the user has cookies enabled do so.

If you are especially paranoid you can use a database to manage your sessions though that does have a slight performance impact.

+ Setting our own session_save_path directory can also help throw the blighters off course

ConfusedOfLife
05-09-2003, 12:39 AM
Well, you mean it's better that I check the password in each page. What I had in mind was to register a simple session variable like $isAllowed in the first page. I put 1 in it if the user is authenticated or 0 if not, then in the other pages I only check if $isAllowed == 1. May you say how could someone fake my session variable?

You know, I have to write a username/password system that lets the super user define some permissions. For example a person is allowed to Add data, but is not allowed to Delete anything. Since we have lots of options, I thought it's better that I check his/her username/password in the first page, and I make some session variables like allowed2Add, allowed2Edit and etc. So, in the other pages I should only check if that variable is registered and then execute the proper function. Don't you think that it's easier?! Probably not safer, huh?!

firepages
05-09-2003, 04:44 AM
Sorry I did not make myself clear, but I don't think there is anything wrong with what you are doing. I do very similar myself, though I do keep a session variable with the user's ID and the login IP address. Checking that the current IP is the same as the login IP and that the user can only modify data relating to that user's ID should be safe enough for most work.
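
The scheme discussed in this thread (check the password once, then rely on a session flag, a permissions array and the login IP), as an added example that is not code from any of the posts. The user table, the function names login() and is_allowed(), and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not code from the thread. $USERS is a constructed stand-in
// for the database table; login() and is_allowed() are hypothetical names.
$USERS = [
    'alice' => [
        'id'    => 7,
        'hash'  => password_hash('s3cret-demo', PASSWORD_DEFAULT),
        'perms' => ['add', 'edit'],            // may add and edit, not delete
    ],
];

// Login page: verify the password once, then keep the result server-side.
function login(array $users, string $name, string $password, string $ip): bool
{
    $u = $users[$name] ?? null;
    if ($u === null || !password_verify($password, $u['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID after login (an addition beyond the thread)
    $_SESSION['user_id']  = $u['id'];
    $_SESSION['perms']    = $u['perms'];
    $_SESSION['login_ip'] = $ip;   // IP at the time of authentication
    return true;
}

// Every other page: no password lookup, only the session checks.
// Always read from $_SESSION, never from a bare global such as $isAllowed.
function is_allowed(string $perm, string $ip): bool
{
    return isset($_SESSION['user_id'], $_SESSION['perms'], $_SESSION['login_ip'])
        && $_SESSION['login_ip'] === $ip                 // current IP matches login IP
        && in_array($perm, $_SESSION['perms'], true);    // permission was granted
}

session_start();
$ip = $_SERVER['REMOTE_ADDR'] ?? '192.0.2.10';   // constructed fallback for CLI runs

login($USERS, 'alice', 's3cret-demo', $ip);
var_dump(is_allowed('edit', $ip));             // logged in, permission granted
var_dump(is_allowed('delete', $ip));           // logged in, permission not granted
var_dump(is_allowed('edit', '198.51.100.5'));  // same session, different client IP
```

The browser only holds the session ID while the contents of `$_SESSION` stay on the server, so the exposure is a stolen ID rather than an edited variable. Permissions cached this way stay in effect until the session ends, so a change made by the super user applies at the next login unless the array is reloaded.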