我目前正在编写一个项目,要求用户在能够查看任何信息之前登录该网站。我目前正在跟踪用户是否使用名为“usernamelogged”的会话变量登录。我相信我的所有格式都是正确的。 登录后,您将进入主页面,我在其中设置(临时)print_r()会话数组。我还使用一个类来帮助防止会话劫持。
登录页面相关PHP:
<?php
include dirname(__FILE__).'/includes.php';//INCLUDES FILE
if ($count == 1) {// IF USERNAME AND PASSWORD ARE GOOD
SessionManager::sessionStart('LoginDetails', 10800, '/', 'localhost', true, $username);
$_SESSION['usernamelogged'] = $username;//Declare Session
header("location: members.php"); // Redirecting To Other Page
} else {
$error = "Username or Password is invalid";
}
?>
此处是问题发生的地方。在下面我有print_r()数组,其中提供了以下详细信息:
数组([IPaddress] =&gt; 截尾的IP [userAgent] =&gt; Mozilla / 5.0(Windows NT 6.3; WOW64)AppleWebKit / 537.36(KHTML,与Gecko一样)Chrome / 43.0.2357.81 Safari / 537.36)
然而你会注意到该数组中没有“usernamelogged”,就像应该有的那样。 这是您登录后收到的页面中的php:
<?php
include dirname(__FILE__).'/includes.php';
SessionManager::sessionStart('LoginDetails', 0, '/', 'localhost', true, $_SESSION['usernamelogged']);
print_r ($_SESSION);// TEMP
echo $_SESSION['usernamelogged'];
$checkses = $sql->prepare("SELECT * FROM staff WHERE username=:user");
$checkses->bindParam(':user', $_SESSION['usernamelogged']);
$checkses->execute();
$count = $checkses->rowCount();
if (!$count == 1) {
echo "Error, you're not logged in";
print_r($count);//TEMP
//header("location: login.php");
die();
}
include dirname(__FILE__).'/header.php';
?>
最后,我用于会话劫持的课程:
class SessionManager
{
static function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null, $username)
{
// Set the cookie name
session_name($name . '_Session');
// Set SSL level
$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
// Set session cookie options
session_set_cookie_params($limit, $path, $domain, $https, true);
session_start();
$_SESSION['usernamelogged'] = $username;
// Make sure the session hasn't expired, and destroy it if it has
if(self::validateSession())
{
// Check to see if the session is new or a hijacking attempt
if(!self::preventHijacking())
{
// Reset session data and regenerate id
$_SESSION = array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
self::regenerateSession();
// Give a 5% chance of the session id changing on any request
}elseif(rand(1, 100) <= 5){
self::regenerateSession();
}
}else{
$_SESSION = array();
session_destroy();
session_start();
}
}
static protected function preventHijacking()
{
if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
return false;
if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
return false;
if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
return false;
return true;
}
static function regenerateSession()
{
// If this session is obsolete it means there already is a new id
if(isset($_SESSION['OBSOLETE'])){
if($_SESSION['OBSOLETE'] == true){
return;
}
}
// Set current session to expire in 10 seconds
$_SESSION['OBSOLETE'] = true;
$_SESSION['EXPIRES'] = time() + 10;
// Create new session without destroying the old one
session_regenerate_id(false);
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
// Set session ID to the new one, and start it back up again
session_id($newSession);
session_start();
// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
}
static protected function validateSession()
{
if( isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
return false;
if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
return false;
return true;
}
}
其他详细信息:
我无法想到更多细节。
我很乐意回答任何问题,感谢阅读和帮助!
修改
根据要求, 打印出$ _SERVER:
Array ( [UNIQUE_ID] => VWvIW2uWJsoAACKtzW8AAAAC [HTTPS] => on [SSL_TLS_SNI] => *Censored* [HTTP_HOST] => *Censored* [HTTP_CONNECTION] => Keep-Alive [HTTP_ACCEPT_ENCODING] => gzip [HTTP_CF_IPCOUNTRY] => US [HTTP_X_FORWARDED_FOR] => *CENSORED* [HTTP_CF_RAY] => 1ef79bdf5d900418-ORD [HTTP_X_FORWARDED_PROTO] => https [HTTP_CF_VISITOR] => {"scheme":"https"} [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 [HTTP_DNT] => 1 [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8,es;q=0.6 [HTTP_COOKIE] => __cfduid=d616d6faa0ec4dd338e855665846ad2da1432945387 [HTTP_CF_CONNECTING_IP] => *CENSORED* [PATH] => /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin [LD_LIBRARY_PATH] => /usr/local/apache/lib [SERVER_SIGNATURE] => [SERVER_SOFTWARE] => Apache/2.4.12 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.40 [SERVER_NAME] => bbwatch.co.uk [SERVER_ADDR] => *CENSORED* [SERVER_PORT] => 443 [REMOTE_ADDR] => *CENSORED* [DOCUMENT_ROOT] => /home/bbwatchc/public_html [REQUEST_SCHEME] => https [CONTEXT_PREFIX] => [CONTEXT_DOCUMENT_ROOT] => /home/bbwatchc/public_html [SERVER_ADMIN] => webmaster@*Censored* [SCRIPT_FILENAME] => /home/***/public_html/members.php [REMOTE_PORT] => 35348 [REMOTE_USER] => *CENSORED* [AUTH_TYPE] => Basic [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /members.php [SCRIPT_NAME] => /members.php [PHP_SELF] => /members.php [PHP_AUTH_USER] => *CENSORED* [PHP_AUTH_PW] => *CENSORED* [REQUEST_TIME_FLOAT] => 1433127003.37 [REQUEST_TIME] => 1433127003 [argv] => Array ( ) [argc] => 0 )
另外,打印输出$ _SESSION:
Array ( [IPaddress] => *CENSORED* [userAgent] => Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 ) Error, you're not logged in0