
Two projects using same DB - users are able to see admin area!

9/27/2009 6:39:06 PM
PHPRunner General questions
wfcentral author

I know this would not be an issue if I created ONE project with all the views and security in that project.
However, when I get into some projects, I like to do the admin section as one phpRunner project and the member area as another phpRunner project. That way I can work on either project without fear of crashing the other.
PROBLEM:

I am finding that if the member somehow guessed the URL to the admin pages they have full admin access when they get there.
Likewise, if I have the admin page open in one browser and the member page open in another browser and I log out of one of the applications, the OTHER application is also logged out.
So, they are somehow linked together. How can I make sure they are seen as separate web applications in the browser?

Jane 9/28/2009

Hi,
Session variables are common for all tabs in the browser.

I recommend that you create a superadmin account for the admin section.

wfcentral author 9/28/2009

I'm not sure how that will work...
I'm actually using a different table in each project to control logins.
So, here are a few tables:
tbl_gyms (id, username, password, gymname, info, address, etc.)

tbl_admin (id, username, password, email)

tbl_plans

tbl_pricing

tbl_invoicing
In the first project I set it up so that the username/password from tbl_gyms allows the gym owners to sign in and edit their info in tbl_gyms.
In the second project I have access to all the tables and get username/password from tbl_admin so the website owners can admin all data.
The problem I have is that if I login as a gym owner and then I put in the web address to a page in the "other project" it shows me as logged in with full access to all the tables.
So, to follow your solution I would make it so that only an "admin" user could access these pages and then make all users in tbl_admin "admin" users based on something in that table (such as creating a field that says "admin" and setting it to 1).
I can see how this would keep them out of the tables they should not be in... but it seems they would still be able to get into the tbl_gym list page and see items they are not supposed to be in...
for example, in project1 they are only allowed to see and edit their own data...

however, in project2 it is set so the person logged in (which is supposed to be admin only) can see and edit all data...

Sergey Kornilov admin 9/28/2009

No 'regular' user will be able to access the admin section.
Some browsers share sessions between browser windows. To create two independent sessions, launch two different browsers, e.g. Firefox and Chrome.

wfcentral author 9/29/2009

Okay, so if I have two projects and both use the page tbl_members_list.php, and I set up one project so you have to be an admin to work there, how will that affect the project where they access a page with the same name (tbl_members_list.php) in their project, but are only supposed to be able to edit their own stuff?
Opening two independent sessions works fine for me. I'm worried about the security of my current projects: if someone were to somehow guess the URL to my admin area, they could do all admin functions using their member login.
So, I will create a "non-admin" account in my PROJECT2 (ADMIN AREA) and give that person no access to any pages in that project and see what happens.

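The shared-session root cause discussed in this thread and the two defensive fixes it points to (a separate session cookie per project, plus an explicit admin check on every admin page), as an added PHP example that is not from any poster or from PHPRunner itself. The /admin/ and /members/ paths, the cookie name ADMINSESSID and the 'realm' marker are assumptions for the example.

```php
<?php
// Added example (not PHPRunner code). Root cause from the thread: both projects
// sit on the same host and use PHP's default session cookie (PHPSESSID, path "/"),
// so they share one $_SESSION and "logged in as a gym owner" also looks like
// "logged in" to the admin project.
//
// Assumption: the admin project is served from /admin/ and the member project
// from /members/ on the same host. The member project would do the same with
// its own name (e.g. MEMBERSESSID) and path '/members/'.

// 1. Call before session_start() on every page of the admin project: the admin
//    project gets its own cookie, and that cookie is never sent to /members/.
function start_admin_session(): void {
    session_name('ADMINSESSID');
    session_set_cookie_params([
        'path'     => '/admin/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Call at admin login only after the password has been verified against
//    tbl_admin. The 'realm' marker records which login flow created the session.
function mark_admin_login(int $adminId): void {
    session_regenerate_id(true);   // do not keep an id that existed before login
    $_SESSION['realm']    = 'admin';
    $_SESSION['admin_id'] = $adminId;
}

// 3. Guard for every admin page (e.g. the admin project's tbl_members_list.php,
//    but not its login page). Even if the cookie isolation above were
//    misconfigured, a session created by the member login has no
//    'realm' => 'admin' marker, so a guessed admin URL gets a redirect,
//    not the admin list page.
function require_admin(): void {
    if (($_SESSION['realm'] ?? '') !== 'admin' || empty($_SESSION['admin_id'])) {
        session_unset();
        header('Location: /admin/login.php', true, 302);
        exit;
    }
}

start_admin_session();
require_admin();
```

The same-named tbl_members_list.php in the member project is a different file under a different path with a different cookie, so the admin check above does not affect it.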