我有使用php登录和注销功能的网站。
因此,对于登录,首先我调用以下函数:
function sec_session_start() {
$session_name = 'happiechef_session_ids'; // Set a custom session name
$secure = false;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location:index");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
然后我调用以下函数来检查来自mysql数据库的用户登录信息:
function admin_login($email, $pass) {
global $conn;
$query = mysqli_query($conn, "SELECT a_email, a_pass, a_id FROM admin_profile WHERE a_email = '$email' LIMIT 1");
$query_result = mysqli_fetch_array($query);
$a_id = (int) $query_result['a_id'];
$db_hash = htmlspecialchars($query_result['a_pass']);
$num = mysqli_num_rows($query);
if($num == 1) {
if (checkbrute($email) == true) {
// if true account is locked
return false;
} else {
if(verify($pass, $db_hash)) {
$a_id = preg_replace("/[^0-9]+/", "", $a_id);
$email = validate_data($email);
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['logged_admin_user'] = $email;
$_SESSION['logged_admin_id'] = $a_id;
$_SESSION['login_string'] = hash('sha512', $db_hash . $user_browser);
return true;
} else {
$time = time();
$query = mysqli_query($conn, "INSERT INTO login_attempt VALUES('', '$email', '$time')");
return false;
}
}
} else {
return false;
}
}
好吧,当我使用键盘中的F5 key多次刷新页面时,它会自动退出,有时当我访问其他页面时,它会要求我登录!它以某种方式摧毁了PHP会话。
有谁能告诉我代码中的问题是什么?
提前致谢。
更新:
以下是检查用户是否已登录的功能:
function admin_login_check() {
// Check if all session variables are set
if (isset($_SESSION['logged_admin_user'], $_SESSION['logged_admin_id'], $_SESSION['login_string'])) {
global $conn;
$user_id = $_SESSION['logged_admin_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['logged_admin_user'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if($query = mysqli_query($conn, "SELECT a_pass FROM admin_profile WHERE a_email = '$username' ")) {
$num = mysqli_num_rows($query);
if($num == 1) {
$result = mysqli_fetch_array($query);
$password = htmlspecialchars($result['a_pass']);
// if hash equals function is not exist
if(!function_exists('hash_equals')){
function hash_equals($str1, $str2){
if(strlen($str1) != strlen($str2)){
return false;
} else {
$res = $str1 ^ $str2;
$ret = 0;
for($i = strlen($res) - 1; $i >= 0; $i--) {
$ret |= ord($res[$i]);
}
return !$ret;
}
}
}
$login_check = hash('sha512', $password.$user_browser);
if (hash_equals($login_check, $login_string) ){
return true;
} else {
return false;
}
} else {
return false;
}
} else {
return false;
}
} else {
return false;
}
}
答案 0 :(得分:1)
如果删除session_regenerate_id(true)会话不应再销毁。
为什么会这样?
session_regenerate_id()将新会话ID替换为当前会话ID。会话信息将被保留。当您经常使用此功能(重新加载,AJAX等)时,您可以在会话中看到此效果。 PHP仅限一个正在运行的任务访问会话。如果您经常/快速运行session_regenerate_id()任务进入队列。所以发生了以下情况:
true)。