使用安全吗? 用户级别管理
[英]Is this safe to use. User level management
问题描述
I use the below code on all my pages after initialising the SESSION data and defining the variable $auth_level. 
在初始化SESSION数据并定义变量$ auth_level之后,我在所有页面上使用以下代码。
I use this to decide what to show users of varying levels. 我用它来决定向不同级别的用户显示什么。
<?php
if($auth_level == 'basic'){
// auth_level basic
if (!isset($_SESSION['username'])) {
header('Location: login.php');
}
} else if ($auth_level == 'admin'){
// auth level admin
if (!isset($_SESSION['username']) || $_SESSION['role'] != 2) {
header('Location: login.php');
}
} else {
// auth level admin assumed for security
if (!isset($_SESSION['username']) || $_SESSION['role'] != 2) {
header('Location: login.php');
}
}
?>
1 个解决方案
解决方案1
1 2014-04-07 11:34:31
This one might help: 这可能会有所帮助:
https://stackoverflow.com/a/1225668/1437605 https://stackoverflow.com/a/1225668/1437605
shortly speaking: you should store some more information in $_SESSION to distinguish clients(like ip etc.) as otherwise, I could obtain your cookie with your sessionId and that could authenticate properly depending on how you get the 'username' and 'role' values. 简而言之:您应该在$ _SESSION中存储更多信息以区分客户端(例如ip等),否则,我可以使用您的sessionId获取cookie,并且可以根据获取“用户名”和“角色”的方式进行正确的身份验证值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.