0

在我的网站上,我希望在有人使用管理员帐户登录时启用一些选项。我的问题是关于如何尽可能保护该管理员帐户。他们在我的网站上设置登录方式是在验证登录后,我这样做$_SESSION['status'] = 'authorized';,然后我说这样的话:

<script>
$(document).ready(function(e) {
    if(<?php echo ($_SESSION['status'] == 'authorized'); ?>) {
        $('#account_window').show();
    }
});
</script>

<div id="account_window">
    //account stuff
</div>

添加主帐户后,我正在考虑添加此内容$_SESSION['master'] = 'authorized';,然后在首页中添加以下代码:

<script>
$(document).ready(function(e) {
    if(<?php echo ($_SESSION['status'] == 'authorized'); ?>) {
        $('#account_window').show();
    }
});
</script>

<div id="account_window">
    //account stuff
    <?php if($_SESSION['master'] == 'authorized') { ?>
        <div id="master_account">
            //admin stuff like send users emails
        </div>
    <?php } ?>
</div>

但是我觉得这太容易了,这是一种安全的方式来验证主帐户吗?如果不是,那么最好的方法是什么?

4

2 回答 2

5

It might be tempting to just "hide" the admin interface from non-admins, but that's fundamentally bypassable if someone just injects the right HTML into the page (e.g. with a GreaseMonkey script), or generates the requests manually.

You have to validate every action in PHP in order to get any actual security. Therefore, you need to check that the user is authorized when they submit any forms or commit an action, in PHP.

于 2012-10-26T22:45:11.380 回答
0

You have to validate every action in PHP in order to get any actual security. Therefore, you need to check that the user is authorized when they submit any forms or commit an action, in PHP.

于 2013-09-03T23:08:53.970 回答