我使用我的数据库中的用户名和密码作为我的会话变量,但是当我退出时,我仍然可以通过浏览器的直接链接访问受保护的页面,这可能是导致此问题的原因。 这是我的login.php:
//initialize the variables
$username="";
$password="";
$_SESSION['username']="";
$_SESSION['password']="";
if(isset($_POST["submit"]) && @$_GET["username"] !==""){
$username=$_POST["username"];
$password=$_POST["password"];
if(isset($_POST["username"]) && $_POST["username"]!=="" && isset($_POST["password"]) && $_POST["password"]!==""){
//sucuring the data
$username=htmlentities(mysql_real_escape_string(trim($_POST["username"])));
$password=htmlentities(mysql_real_escape_string(trim($_POST["password"])));
//checking if user does exist
$sql="SELECT email, password FROM ".$db_name.".user WHERE email=\"".$username."\" AND password='".md5($password)."' LIMIT 1";
$query=mysql_query($sql,$con);
$result=mysql_fetch_assoc($query);
//check query to c if is successfully optional
if(!$result){
print"No result";
}else{
//if combination found in our database then register session values";
$_SESSION['username']=$_POST['username'];
$_SESSION['password']=md5($_POST['password']);
//check location
$sql="SELECT location FROM ".$db_name.". user WHERE email ='".$_POST['username']."' LIMIT 1";
$query=mysql_query($sql,$con);
$result=mysql_fetch_array($query);
//no need of loop since we want only one field/single record/row
$location=$result['location'];
header("Location:".$location."");
}
}else{
//do nothing
}
}
?>
<form id="loginFrm" method="post" action="?lgn=getin">
<fieldset>
<legend>
Inshuz Login
</legend>
<table>
<tr>
<td>
Username
<div id="specify">Your email</div>
</td>
<td>
<input type="text" name="username" size="40" class="text" value="<?php print $username; ?>">
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
<input type="password" name="password" size="40" class="text" value="<?php print $password; ?>">
</td>
</tr>
<tr>
<td colspan="2">
<input type="submit" name="submit" class="btn" value="Login">
<td>
</tr>
</table>
</fieldset>
</form>
这个login.php包含在我的index.php下面,这是主页
<?php session_start(); require_once("includes/functions/url.php"); require_once("includes/config/config.php");?>
<html>
<head>
<title>
</title>
<head>
<link rel="stylesheet" media="all" type="text/css" href="css/main.css"/>
<script type="text/javascript" src="js/jquery-1.8.0.js"></script>
<body>
<div id="wrapper">
<div id="header">
<div id="nav">
<a href="#">Home </a> | <a href="#">About us</a> | <a href="#">Products</a> | <a href="#">Services</a> | <a href="#">Carrers</a>
</div>
</div><!--end of header-->
<div id="mainContent">
<div id="RighContent">
<?php require_once("includes/pages/".@$page);?>
</div><!---RightCont--->
<div id="LeftCont">
afafhkashf
</div><!---leftcont--->
</div><!---end of maincontent-->
<div id="footer">
</div><!--end footer-->
</div><!--end of wrapper-->
<body>
</html>
这是我的安全页面:
<?php session_start();
require_once("includes/functions/url.php");
if(!isset($_SESSION['username'])){
header("Location: ../");
exit();
}
?>
<html>
<head>
<title>
</title>
<head>
<link rel="stylesheet" media="all" type="text/css" href="css/main.css"/>
<script type="text/javascript" src="js/jquery-1.8.0.js"></script>
<body>
<div id="wrapper">
<div id="header">
<div id="nav">
<a href="#">Home </a> | <a href="#">About us</a> | <a href="#">Products</a> | <a href="#">Services</a> | <a href="#">Carrers</a>
<?php
//show logout
if(isset($_SESSION['username'], $_SESSION['password'])){
print " | <a href=\"includes/pages/logout.php?log=logout\">Logout</a>";
}
?>
</div>
</div><!--end of header-->
<div id="mainContent">
<div id="RighContent">
<h1>Welcome admin: <?php print @$_SESSION['username']; ?></h1>
</div><!---RightCont--->
<div id="LeftCont">
afafhkashf
</div><!---leftcont--->
</div><!---end of maincontent-->
<div id="footer">
</div><!--end footer-->
</div><!--end of wrapper-->
<body>
</html>
最后这是我的退出页面:
<?php
ini_set('session.use_trans_sid', false);
session_start();
//require_once("includes/functions/url.php");
if(isset($_GET['log']) && $_GET['log']=="logout"){
if(isset($_SESSION['username'] , $_SESSION['password']) && !empty($_SESSION['username']) && !empty($_SESSION['password'] )){
unset($_SESSION['username']);
unset($_SESSION['password']);
header("Location: ../../");
exit();
}
}
?>
答案 0 :(得分:3)
贝娄是您所谓的退出功能。只是因为你取消设置Session[username] and Session[password]并不意味着你破坏了会话。有一个名为session_destroy的函数可以执行您想要的操作。有关其用法的信息,请参阅this。
<?php
ini_set('session.use_trans_sid', false);
session_start();
//require_once("includes/functions/url.php");
if(isset($_GET['log']) && $_GET['log']=="logout"){
if(isset($_SESSION['username'] , $_SESSION['password']) && !empty($_SESSION['username']) && !empty($_SESSION['password'] )){
unset($_SESSION['username']);
unset($_SESSION['password']);
header("Location: ../../");
exit();
}
}
?>
答案 1 :(得分:2)
unset($_SESSION);
session_destroy();
答案 2 :(得分:1)
在退出页面中使用此功能
<?php
session_start();
session_destroy();
session_unset();
header("location:../index.php");
?>
AND安全页面的代码
if($_SESSION['uid']==true){
}
}else{
header('Location:../');
}
我会推荐用户ID,而不是使用用户名
答案 3 :(得分:0)
除了session_unset()和session_destroy()上的所有上述评论之外,您可能还想在浏览器中添加一些内容来清除缓存,以防止有人使用BACK BUTTON,或以其他方式重新加载页面
header('cache-control: no-cache,no-store,must-revalidate'); // HTTP 1.1.
header('pragma: no-cache'); // HTTP 1.0.
header('expires: 0'); // Proxies.