1

客观的

仅为经过身份验证的用户提供库存管理功能。

问题

当我使用我的 jQuery 登录对话框伪造登录并单击 [连接] 时,没有输入任何凭据,Javascript 警报显示我已通过身份验证。

当我导航到库存部分时,我看不到任何管理按钮。那很好,但是为什么 PHP 会返回经过身份验证的用户呢?

当我正确进行身份验证时,Javascript 警报仍然显示我已通过身份验证,但在页面刷新后我看不到任何管理按钮。怎么了?

代码示例

该网站的入口点:index.php

<?php 
require_once "security/logout.php";
logout();
session_start();
$now = time();
$_SESSION["authenticated"] = false;
$_SESSION["expires"] = $now + strtotime("20 minutes");
$_SESSION["last_activity"] = $now;
?>

logout.php

<?php
function logout() {
    $sid = session_id();
    if (empty($sid)) session_start();
    session_unset();
    session_destroy();
    session_write_close();
    session_regenerate_id(true);
}
?>

authenticated.php

该文件用于require_once需要设置会话的每个 php 文件。有点像使用session_start()每个 PHP 文件。

<?php 
require_once "security/logout.php";

$sid = session_id();
if (empty($sid)) session_start();

if (!isSet($_SESSION["expires"]) 
    || !isSet($_SESSION["authenticated"]) 
    || !isSet($_SESSION["last_activity"])
    || $_SESSION["expires"] < time()) {
    logout();
    $now = time();
    $_SESSION["authenticated"] = false;
    $_SESSION["last_activity"] = $now;
    $_SESSION["expires"] = $now + strtotime("20 minutes");
}
?>

login.php

<?php
require_once "security/authenticated.php";

require_once "data/data_access.php";

$userName = "";
$password = "";

if (isSet($_REQUEST["userName"])) $userName = $_REQUEST["userName"];
if (isSet($_REQUEST["password"])) $password = $_REQUEST["password"];

if (isAuthenticUser($userName, $password)) {
    session_regenerate_id(true);    
    $now = time();
    $_SESSION["authenticated"] = true;
    $_SESSION["last_activity"] = $now;
    $_SESSION["expires"] = $now + strtotime("20 minutes");
} else $_SESSION["authenticated"] = false;

// The line below is the server response reported by the Javascript alert().
echo $_SESSION["authenticated"] ? 'true' : 'false';
?>

编辑 #1添加data/data_access.php

function isAuthenticUser($userName, $password) {
    $sql = "select password from jmsports.users where login = :login";
    $cnx = createAndOpenDatabaseConnection();
    $stmt = $cnx->prepare($sql);
    $stmt->bindParam(":login", $userName);
    $stmt->execute();
    $result = $stmt->fetch();
    $isAuthentic = $result["password"] === $password;

    // Bool:strictBool only ensures that only true or false is returned.
    return Bool::strictBool($isAuthentic);
}

编辑#2添加了在服务器端显示/隐藏按钮的代码。

inventory-section.php

// This line below states that my authenticated session variable is false.
file_put_contents("debug.txt", $_SESSION["authenticated"] ? "true" : "false", FILE_APPEND);

<div id="newButtonDiv" style="text-align: center;">
<?php if ($_SESSION["authenticated"]):  ?>
    <button id="newButton">Add New Item</button>
<?php endif; ?>
</div>

任何帮助表示赞赏。谢谢!

4

1 回答 1

1

有趣的做法,试试这个...

function isAuthenticUser($userName, $password) {
    $sql = "select login from jmsports.users where password = :password and login = :login limit 1"; 
    $cnx = createAndOpenDatabaseConnection(); 
    $stmt = $cnx->prepare($sql);
    $stmt->bindParam(":login", $userName); 
    $stmt->bindParam(":password", $password); 
    $stmt->execute(); 

    // get column count... if it's > 0, authenticate...
    $result = $stmt->columnCount(); 
    return ($result) ? true : false ; 
}
于 2013-10-07T23:40:29.860 回答