0

For a user with moderator privileges: when the user logs in, do I query to check that the user is a moderator, then set a session? So on pages with moderator options, for example:

    if ($_SESSION['mod'] == 1) {
        // moderator options
    }

Alternatively, do I put a query on every page and check if the user is flagged as a moderator? Then for moderator options, for example:

    if ($moderatorfound == 1) {
        // moderator options
    }

Below, I currently set the username as a moderator in a cookie, but as I am learning about PHP security, this is unsafe:

    if ($moderator == '1') {
        setcookie('username[3]', $moderator, time() + (60 * 60 * 24 * 365));
    }

    if ($_COOKIE['username'][3] == 1) {
        // moderator options
    }

What is the secure way to do this? An example would help.

2 Answers

1

Once the user logs in, store his information in session variables.
No need to check with the database on every page.
A cookie is not a good solution to hold sensitive information (such as privileges), since it might be altered by the user.


2 Comments

So I would just do $_SESSION['moderator']=1; when logged in? Is that secure enough?
It depends on what you mean by "enough", but yes, generally it suffices.
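
The session approach from the answer above, as an added example that is not code from the question or from either answer: the moderator flag is read from the database once at login and kept server-side in `$_SESSION`, so the browser holds only the session ID. The `users` table, its columns, and the `login()` / `isModerator()` helpers are assumptions for illustration, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the
// site's real users table (table and column names are assumptions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, moderator INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('bob-pw', PASSWORD_DEFAULT), 0]);

// The browser only ever receives the session ID cookie; keep it away from
// scripts and cross-site requests. Add 'secure' => true when serving over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $q = $db->prepare('SELECT pw_hash, moderator FROM users WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session ID when privileges change
    $_SESSION['username'] = $username;
    $_SESSION['mod'] = ((int) $row['moderator'] === 1);  // role comes from the DB only
    return true;
}

function isModerator(): bool
{
    // Strict check: a missing key or any non-true value means "not a moderator".
    return ($_SESSION['mod'] ?? false) === true;
}

// Demo: bob logs in while the request also carries the cookie from the question.
login($db, 'bob', 'bob-pw');
$_COOKIE['username'][3] = '1';            // client-controlled, never read by isModerator()
$bob = isModerator();
login($db, 'alice', 'alice-pw');
$alice = isModerator();
echo 'bob: ', $bob ? 'moderator' : 'regular user', PHP_EOL;
echo 'alice: ', $alice ? 'moderator' : 'regular user', PHP_EOL;
```

Because the flag is cached for the life of the session, a moderator who is demoted in the database keeps the role until the session ends; re-reading the flag inside `isModerator()` is the per-page query variant the question describes.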
0

In the cookie, set a complex code and save that in a database. If the complex code matches that of the username, allow access.
