-2

我使用数据库中的用户名和密码作为会话变量,但是当我注销时,我仍然可以通过浏览器的直接链接访问受保护的页面,这可能是造成这种情况的原因。这是我的 login.php:

//initialize the variables
            $username="";
            $password="";
            $_SESSION['username']="";
            $_SESSION['password']="";
            if(isset($_POST["submit"]) && @$_GET["username"] !==""){
                $username=$_POST["username"];
                $password=$_POST["password"];
                if(isset($_POST["username"]) && $_POST["username"]!=="" && isset($_POST["password"]) && $_POST["password"]!==""){
                    //sucuring the data
                    $username=htmlentities(mysql_real_escape_string(trim($_POST["username"])));
                    $password=htmlentities(mysql_real_escape_string(trim($_POST["password"])));
                    //checking if user does exist
                    $sql="SELECT email, password FROM ".$db_name.".user WHERE email=\"".$username."\" AND password='".md5($password)."' LIMIT 1";
                    $query=mysql_query($sql,$con);
                    $result=mysql_fetch_assoc($query);
                    //check query to c if is successfully optional
                    if(!$result){
                        print"No result";
                    }else{
                        //if combination found in our database then register session values";
                        $_SESSION['username']=$_POST['username'];
                        $_SESSION['password']=md5($_POST['password']);
                        //check location
                        $sql="SELECT location FROM ".$db_name.". user WHERE email ='".$_POST['username']."' LIMIT 1";
                        $query=mysql_query($sql,$con);
                        $result=mysql_fetch_array($query);
                        //no need of loop since we want only one field/single record/row 
                        $location=$result['location'];
                        header("Location:".$location."");
                    }
                }else{
                //do nothing
                }

            }

        ?>
        <form id="loginFrm" method="post" action="?lgn=getin">
            <fieldset>
                <legend>
                    Inshuz Login
                </legend>
                <table>
                    <tr>
                        <td>
                            Username
                            <div id="specify">Your email</div>
                        </td>
                        <td>
                            <input type="text" name="username" size="40" class="text" value="<?php print $username; ?>">
                        </td>
                    </tr>
                    <tr>
                        <td>
                            Password
                        </td>
                        <td>
                            <input type="password" name="password" size="40" class="text" value="<?php print $password; ?>">
                        </td>
                    </tr>
                    <tr>
                        <td colspan="2">
                            <input type="submit" name="submit" class="btn" value="Login">
                        <td>
                    </tr>
                </table>
            </fieldset>
        </form>

这个 login.php 包含在我的 index.php 中,下面是主页

    <?php   session_start(); require_once("includes/functions/url.php"); require_once("includes/config/config.php");?>
    <html>
        <head>
            <title>

            </title>
        <head>
        <link rel="stylesheet" media="all" type="text/css" href="css/main.css"/>
        <script type="text/javascript" src="js/jquery-1.8.0.js"></script>
        <body>
                <div id="wrapper">
                    <div id="header">
                        <div id="nav">
                            <a href="#">Home </a> | <a href="#">About us</a> | <a href="#">Products</a> | <a href="#">Services</a> | <a href="#">Carrers</a>
                        </div>
                    </div><!--end of header-->
                    <div id="mainContent">
                    <div id="RighContent">
                        <?php require_once("includes/pages/".@$page);?>
                    </div><!---RightCont--->
                    <div id="LeftCont">
                        afafhkashf
                    </div><!---leftcont--->
                    </div><!---end of maincontent-->
                    <div id="footer">

                    </div><!--end footer-->
                </div><!--end of wrapper-->
        <body>
    </html>

这是我的安全页面:

<?php session_start();
     require_once("includes/functions/url.php");
    if(!isset($_SESSION['username'])){
        header("Location: ../");
        exit();
    }
?>
<html>
    <head>
        <title>

        </title>
    <head>
    <link rel="stylesheet" media="all" type="text/css" href="css/main.css"/>
    <script type="text/javascript" src="js/jquery-1.8.0.js"></script>
    <body>
            <div id="wrapper">
                <div id="header">
                    <div id="nav">
                        <a href="#">Home </a> | <a href="#">About us</a> | <a href="#">Products</a> | <a href="#">Services</a> | <a href="#">Carrers</a>
                        <?php
                            //show logout
                            if(isset($_SESSION['username'], $_SESSION['password'])){
                                print " | <a href=\"includes/pages/logout.php?log=logout\">Logout</a>";
                            }
                        ?>
                    </div>
                </div><!--end of header-->
                <div id="mainContent">
                <div id="RighContent">
                    <h1>Welcome admin: <?php print @$_SESSION['username']; ?></h1>
                </div><!---RightCont--->
                <div id="LeftCont">
                    afafhkashf
                </div><!---leftcont--->
                </div><!---end of maincontent-->
                <div id="footer">

                </div><!--end footer-->
            </div><!--end of wrapper-->
    <body>


</html>

最后这是我的注销页面:

        <?php 
            ini_set('session.use_trans_sid', false);
            session_start();
             //require_once("includes/functions/url.php");
             if(isset($_GET['log']) && $_GET['log']=="logout"){
                if(isset($_SESSION['username'] , $_SESSION['password']) && !empty($_SESSION['username']) && !empty($_SESSION['password'] )){
                    unset($_SESSION['username']);
                    unset($_SESSION['password']);
                    header("Location: ../../");
                    exit();
                }
            }
        ?>
4

4 回答 4

3

Bellow 是您所说的注销功能。只是因为您取消设置Session[username] and Session[password]并不意味着您破坏了会话。有一个名为的函数session_destroy可以满足您的需求。有关其用法的信息, 请参阅此内容。

<?php 
                ini_set('session.use_trans_sid', false);
                session_start();
                 //require_once("includes/functions/url.php");
                 if(isset($_GET['log']) && $_GET['log']=="logout"){
                    if(isset($_SESSION['username'] , $_SESSION['password']) && !empty($_SESSION['username']) && !empty($_SESSION['password'] )){
                        unset($_SESSION['username']);
                        unset($_SESSION['password']);
                        header("Location: ../../");
                        exit();
                    }
                }
            ?>
于 2012-08-29T13:39:01.247 回答
2 
unset($_SESSION);
session_destroy();

你有没有尝试过?

于 2012-08-29T13:37:04.363 回答
1

在注销页面中使用它

<?php 
session_start();
session_destroy();
session_unset();
header("location:../index.php");

?>

和下面的安全页面代码

if($_SESSION['uid']==true){
}
    }else{
        header('Location:../');  
  }

我会推荐用户 ID 而不是使用用户名

于 2014-02-18T17:51:53.760 回答
0

除了上面所有关于session_unset()和的评论之外session_destroy(),您可能还想在浏览器中包含一些清除缓存的内容,以防止有人使用后退按钮或以其他方式重新加载页面。

header('cache-control: no-cache,no-store,must-revalidate'); // HTTP 1.1.
header('pragma: no-cache'); // HTTP 1.0.
header('expires: 0'); // Proxies.
于 2012-08-29T13:52:18.377 回答