Thread: Display menu according to session and security

  1. #1
    Join Date
    Sep 2009
    Posts
    177

    Display menu according to session and security

    Early security issues:

    I have a site with authentication (two different types of users). Depending on the type of user logged in, I want to display a specific menu.

    When the user logs in, I open a session and assign them their rights (e.g. $_SESSION['right_user'] = admin or user...)

    Then when I open the page I retrieve the session value and compare it:
    Code:
    // Pick the menu from a fixed list according to the role stored in the session
    switch ($_SESSION['right_user']) {
        case "admin":
            include("menu_admin.php");
            break;
        case "user":
            include("menu_user.php");
            break;
    }
    My questions:
    1 - Is using "include" with session variables secure? If it is not secure, then what do you suggest?
    2 - From a security point of view, are session variables well protected?

  2. #2
    Join Date
    Apr 2008
    Posts
    2,005

    Re: Display menu according to session and security

    1 - Yes, you can do that for testing the contents of $_SESSION['right_user'] (you know where and how it is changed).
    2 - Yes. The issue is rather the point where the value of the variable is changed. If the user can act on the scripts that update the session variables, you have a risk.

  3. #3
    Join Date
    Sep 2009
    Posts
    177

    Re: Display menu according to session and security

    Thank you for your reply.

    How can a user act on the scripts? I am trying to learn as much as possible about the flaws of websites; can you provide an explanation or anything else that can be used to protect a website?

  4. #4
    Join Date
    May 2008
    Posts
    271

    Re: Display menu according to session and security

    You just need to verify in menu_admin.php that your session is an admin one ...

    Beyond that, as for flaws, everything that comes from the user is a potential hole (i.e. not necessarily reliable):
    - The user agent
    - IP address
    - The downloaded file
    - The contents of $_POST
    - The contents of $_GET
    - ...

    In short, everything where your client does not just read a page, but interacts with it.
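
The checks discussed in this thread (a fixed list of include files, a role check inside menu_admin.php, and a role that is set only from server-side data), shown as an added example that is not part of any post. The function names, the account row and the sample sessions are assumptions; the file names and the `right_user` key come from the question.

```php
<?php
// Added example, not code from the thread. Function names and sample data
// are hypothetical; file names and 'right_user' come from the question.

// Fixed allow-list: the session value only selects a key, it never becomes a path.
const MENUS = [
    'admin' => 'menu_admin.php',
    'user'  => 'menu_user.php',
];

// Returns the menu file for this session, or null when the role is missing,
// not a string, or not in the allow-list (no default menu is shown).
function menu_for_session(array $session): ?string
{
    $role = $session['right_user'] ?? null;
    if (!is_string($role) || !array_key_exists($role, MENUS)) {
        return null;
    }
    return MENUS[$role];
}

// Guard for the top of menu_admin.php: the file checks the role itself, so
// requesting its URL directly without an admin session shows nothing.
function session_is_admin(array $session): bool
{
    return ($session['right_user'] ?? null) === 'admin';
}

// Login handler: the role is copied from the server-side account record.
// $post stands for $_POST and is deliberately ignored, because the client
// controls it, even if it carries a "right_user" field.
function assign_role(array &$session, array $accountRow, array $post): void
{
    $session['right_user'] = $accountRow['role'];
}

// Constructed sample data (in a real page, pass $_SESSION after session_start()).
$session = [];
assign_role($session, ['login' => 'alice', 'role' => 'user'], ['right_user' => 'admin']);
var_dump(menu_for_session($session));                       // forged POST field had no effect
var_dump(session_is_admin($session));                       // guard result for menu_admin.php
var_dump(menu_for_session(['right_user' => 'superadmin'])); // unknown role
var_dump(menu_for_session([]));                             // no role set
```

In a real page the caller would `include` the returned file only when the result is not null, and menu_admin.php would stop with `exit` when `session_is_admin($_SESSION)` is false.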
