我想在用户点击退出链接时将用户注销,但它有效,但存在问题。当我单击注销链接时,用户将退出并转到标题页,但如果单击后退按钮,我将返回上一页而不再登录,这是不安全的。当用户注销时,我希望他们完全注销,重新登录的唯一方法是登录。有人可以帮忙吗?
<?php
include("connect.php");
//check if form is submitted
if ( $_SERVER['REQUEST_METHOD'] != 'POST' ||
! isset($_POST['signin']))
{
// looks like a hack, send to index.php
header('Location: index.php');
exit;
}
if (empty($_POST["usernam"])) {
echo 'fill in username to sign in';
}
if (empty($_POST["pw"])) {
echo 'fill in password to sign in';
}
$sql = "SELECT pw FROM users WHERE usernam = ?";
$stmt = mysqli_prepare($conn, $sql);
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
$stmt->bind_param('s', $_POST['pw']);
$stmt->execute();
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
// we found a row with that username,
// now we need to check the password is correct
// get the password from the row
$stmt->bind_result($hashed_pwd);
$stmt->fetch();
if ( password_verify($_POST['pw'], $hashed_pwd) ) {
// password verified
header('Location: home.php');
} else {
echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}
?>
logout.php
session_start();
session_destroy();
header('location:index.php');
process2.php(登录):
include("connect.php");
//check if form is submitted
if ( $_SERVER['REQUEST_METHOD'] != 'POST' ||
! isset($_POST['signin']))
{
// looks like a hack, send to index.php
header('Location: index.php');
exit;
}
if (empty($_POST["usernam"])) {
echo 'fill in username to sign in';
}
if (empty($_POST["pw"])) {
echo 'fill in password to sign in';
}
$sql = "SELECT pw FROM users WHERE usernam = ?";
$stmt = mysqli_prepare($conn, $sql);
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
$stmt->bind_param('s', $_POST['pw']);
$stmt->execute();
if ( !$stmt ) {
echo mysqli_error($conn);
exit;
}
// we found a row with that username,
// now we need to check the password is correct
// get the password from the row
$stmt->bind_result($hashed_pwd);
$stmt->fetch();
if ( password_verify($_POST['pw'], $hashed_pwd) ) {
// password verified
header('Location: home.php');
} else {
echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}
答案 0 :(得分:1)
在上一页(以及需要登录的所有其他页面)中,您需要添加一个条件,检查用户是否已登录(即,是否设置了用户登录的会话变量)。这将仅在用户登录时显示内容。
让我详细说明一下,并帮助你举个例子:
index.php
session_start();
if(isset($_SESSION['username'])) {
echo "Welcome to my website! You are logged in.";
// do stuff...
else {
header("Location: login.php"); // redirects user to login page if the username session variable is not set
}
home.php
和所有其他页面应基于与上述相同的概念:
session_start();
if(isset($_SESSION['username'])) {
echo "page when user is logged in";
// do stuff...
else {
header("Location: login.php");
}
然后你需要将会话变量添加到登录页面内的代码块中,它会检查密码是否正确并且用户是否已登录:
session_start();
// ... (your other code) ...
if ( password_verify($_POST['pw'], $hashed_pwd) ) {
// password verified
$_SESSION['username'] = $_POST["usernam"];
header('Location: home.php');
} else {
echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}
最后,您的logout.php
页面也应该在调用后取消设置该变量:
session_start();
if(isset($_SESSION['username'])) {
unset($_SESSION['username']);
session_destroy();
echo "succesfully logged out!";
header('refresh:5;location:index.php'); // redirect to index.php in 5 seconds
}
else {
echo "you are not logged in!";
}
仅使用session_destroy()
是不够的,因为会话变量在销毁会话后仍以某种方式设置。请参阅PHP's documentation的第一个示例。