I am currently developing an administration panel with PHP and MySQL. I have managed to build the account system, but I currently have a problem: I want the open session to be eliminated when the user's information is deleted from the database.
Let me explain with an example: let's say that user B has access to the administration panel by logging in with his account stored in my database. Then, for whatever reason, this user is expelled from the team, and when I delete his account from the database, his session remains open and he can continue to manipulate the administration panel.
In my database there is a users table where all users are stored.
So, when he is deleted from the database, his session is also closed, and when he tries to enter the panel he is redirected to the login.php page and cannot continue manipulating the panel because his account was deleted.
ADMIN PANEL IDENTIFIER
function usersOnly($redirect = '/admin/login.php') {
    // Only checks that an id was stored in the session at login time;
    // it never re-reads the database, so a deleted account still passes.
    if (empty($_SESSION['id'])) {
        $_SESSION['message'] = 'Necesitas loguearte primero';
        $_SESSION['type'] = 'error';
        header('Location: ' . $redirect);
        exit(0);
    }
}

function adminOnly($redirect = '/admin/login.php') {
    // Same problem: the 'admin' flag lives only in the session, so a deleted
    // or demoted account keeps passing this check until the session expires.
    if (empty($_SESSION['id']) || empty($_SESSION['admin'])) {
        $_SESSION['message'] = 'No estas autorizado';
        $_SESSION['type'] = 'error';
        header('Location: ' . $redirect);
        exit(0);
    }
}
EDIT: Database connection
<?php
// Connection settings; root with an empty password is only suitable for a
// local development database.
$host    = 'localhost';
$user    = 'root';
$pass    = '';
$db_name = 'blog';

$conn = new MySQLi($host, $user, $pass, $db_name);
if ($conn->connect_error) {
    die('Database connection error: ' . $conn->connect_error);
}
What you propose should not present any inconvenience because, in the session variables, you save the id or user name, but nothing prevents you from refreshing what the user has access to each time he reloads the page.

Let me explain: with the session variables you avoid asking the user for the password every time he reloads a page within his session, but it costs you nothing, starting from the user's id, to check whether he still has access to the administration panel and, if he no longer has it, to log him out.

What is happening to you is that you have set up a club and handed out cards to the members, but you have not checked the payments since they registered, so you do not find out when they stop paying their dues. How do you fix it? You have no choice but to check the payments every time they use the club. The $_SESSION card is not enough. It is fine for the first few days, but it is not good forever. You must check the payments with the query.

Being practical, you should replace the empty($_SESSION['admin']), the one that prevents you from being up to date with the latest that is recorded in the database, with !$this->check_admin($_SESSION['id']), where check_admin() you can define it as:

Or its equivalent in PDO or a prepared query, assuming you have a mysqli in $this->conn.

Leave me any questions in the comments.
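As an added example that is not the asker's or the answerer's code, this is one way to write the per-request check the answer describes, built on the asker's MySQLi $conn. It assumes the users table has an integer id column and a tinyint admin flag (the column names are assumptions), and that the connection snippet lives in a hypothetical conexion.php.

```php
<?php
// Added example: re-validate the logged-in user against the database on
// every admin-panel request instead of trusting $_SESSION alone.
session_start();
require_once __DIR__ . '/conexion.php'; // hypothetical file that defines $conn

// True only if a row with this id still exists AND its admin flag is set.
// A prepared statement keeps the id out of the SQL text.
function check_admin(mysqli $conn, int $id): bool
{
    $stmt = $conn->prepare('SELECT admin FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($admin);
    $found = $stmt->fetch();   // false/null => the account was deleted
    $stmt->close();
    return $found === true && (int) $admin === 1;
}

// Invalidate the old session server-side and send the user to the login page.
function force_logout(string $redirect, string $message): void
{
    $_SESSION = [];
    // New session id; `true` deletes the old session file, so the old
    // cookie value can no longer be replayed.
    session_regenerate_id(true);
    $_SESSION['message'] = $message;
    $_SESSION['type'] = 'error';
    header('Location: ' . $redirect);
    exit(0);
}

// Replacement for adminOnly(): the id stored at login is only a lookup key;
// the decision is made from what the database says right now.
function adminOnly(mysqli $conn, string $redirect = '/admin/login.php'): void
{
    if (empty($_SESSION['id']) || !check_admin($conn, (int) $_SESSION['id'])) {
        force_logout($redirect, 'No estas autorizado');
    }
}

adminOnly($conn);
```

Because the check runs on every panel request, deleting the row (or setting admin to 0) takes effect on the user's very next page load, which is the behaviour the question asks for.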