1

由于保存 cookie 不安全。无论如何要保持会话或设置会话到期,所以即使我关闭浏览器并再次打开它。它不会再次重定向我或再次要求我输入我的用户名或密码。

public function __construct(){
session_start();
$this->check_login();
}
public function check_login(){
if(isset($_SESSION['user_id'])){
$this->user_id = $_SESSION['user_id'];
$this->logged_in = true;
} else {
unset($_SESSION['user_id']);
$this->logged_in = false;
}
}

if (isset($_POST['submit'])){
$username = $database->escape_value($_POST['username']);
$password = $database->escape_value($_POST['password']);
$found_user = $user->authenticate($username,$password);
if ($found_user){
$session->login();
redirect_to('index.php');
} else {
$message = output_message("Invalid Username or Password <br />");
}
}else{
$username = "";
$password = "";
}
4

3 回答 3

2

http://www.php.net/manual/en/function.session-cache-expire.php

http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

制作这个东西的更好方法是仅使用 cookie,因为 setcookie 包含超时

于 2012-10-21T09:08:12.683 回答
0

Session is only saved in the session cookie, so if the user clears the cookies the session will be removed. Cookies are not cleared when the user closes the browser. As per Ali's answer, check the lifetime of the session cookie.

If you are really interested in identifying a returning user without the use of cookies, google for "identifying user without using cookies". You will find interesting things to do, but nothing as reliable as cookie usage.

于 2012-10-21T09:15:48.973 回答
0

user_id用户成功登录后,您必须保存在会话中。

if ($found_user){
    $session->login();
    $_SESSION['user_id'] = $username;
    redirect_to('index.php');
} 

并确保$username是独一无二的。

于 2012-10-21T09:24:25.277 回答