PHP完全记录用户

时间:2016-12-10 14:47:27

标签: php

我想在用户点击退出链接时将用户注销,但它有效,但存在问题。当我单击注销链接时,用户将退出并转到标题页,但如果单击后退按钮,我将返回上一页而不再登录,这是不安全的。当用户注销时,我希望他们完全注销,重新登录的唯一方法是登录。有人可以帮忙吗?

<?php    
include("connect.php");

//check if form is submitted
if ( $_SERVER['REQUEST_METHOD'] != 'POST' || 
     ! isset($_POST['signin'])) 
{
    // looks like a hack, send to index.php
    header('Location: index.php');
    exit;
}

if (empty($_POST["usernam"])) {
    echo 'fill in username to sign in';
}
if (empty($_POST["pw"])) {
    echo 'fill in password to sign in';
}

$sql = "SELECT pw FROM users WHERE usernam = ?";

$stmt = mysqli_prepare($conn, $sql);
if ( !$stmt ) {
    echo mysqli_error($conn);
    exit;
}

$stmt->bind_param('s', $_POST['pw']);
$stmt->execute();

if ( !$stmt ) {
    echo mysqli_error($conn);
    exit;
}
// we found a row with that username, 
// now we need to check the password is correct

// get the password from the row
$stmt->bind_result($hashed_pwd);
$stmt->fetch();

if ( password_verify($_POST['pw'], $hashed_pwd) ) {
    // password verified
            header('Location: home.php');
} else {
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}

?>

logout.php

session_start();
session_destroy();
header('location:index.php');

process2.php(登录):

include("connect.php");

  //check if form is submitted
  if ( $_SERVER['REQUEST_METHOD'] != 'POST' || 
     ! isset($_POST['signin'])) 
   {
    // looks like a hack, send to index.php
    header('Location: index.php');
    exit;
  }

  if (empty($_POST["usernam"])) {
    echo 'fill in username to sign in';
  }
  if (empty($_POST["pw"])) {
    echo 'fill in password to sign in';
   }

  $sql = "SELECT pw FROM users WHERE usernam = ?";

  $stmt = mysqli_prepare($conn, $sql);
  if ( !$stmt ) {
    echo mysqli_error($conn);
    exit;
  }

  $stmt->bind_param('s', $_POST['pw']);
  $stmt->execute();

  if ( !$stmt ) {
    echo mysqli_error($conn);
    exit;
  }
  // we found a row with that username, 
  // now we need to check the password is correct

  // get the password from the row
  $stmt->bind_result($hashed_pwd);
  $stmt->fetch();

  if ( password_verify($_POST['pw'], $hashed_pwd) ) {
    // password verified
            header('Location: home.php');
  } else {
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
  }

1 个答案:

答案 0 :(得分:1)

在上一页(以及需要登录的所有其他页面)中,您需要添加一个条件,检查用户是否已登录(即,是否设置了用户登录的会话变量)。这将仅在用户登录时显示内容。

让我详细说明一下,并帮助你举个例子:

index.php

session_start();
if(isset($_SESSION['username'])) {
    echo "Welcome to my website! You are logged in.";
    // do stuff...
else {
    header("Location: login.php"); // redirects user to login page if the username session variable is not set
}

home.php和所有其他页面应基于与上述相同的概念:

session_start();
if(isset($_SESSION['username'])) {
    echo "page when user is logged in";
    // do stuff...
else {
    header("Location: login.php");
}

然后你需要将会话变量添加到登录页面内的代码块中,它会检查密码是否正确并且用户是否已登录:

session_start();
// ... (your other code) ...
if ( password_verify($_POST['pw'], $hashed_pwd) ) {
    // password verified
    $_SESSION['username'] = $_POST["usernam"];
    header('Location: home.php');
} else {
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />';
}

最后,您的logout.php页面也应该在调用后取消设置该变量:

session_start();
if(isset($_SESSION['username'])) {
    unset($_SESSION['username']);
    session_destroy();
    echo "succesfully logged out!";
    header('refresh:5;location:index.php'); // redirect to index.php in 5 seconds 
}
else {
    echo "you are not logged in!";
}

仅使用session_destroy()是不够的,因为会话变量在销毁会话后仍以某种方式设置。请参阅PHP's documentation的第一个示例。