如何防止用户绕过php身份验证
[英]How to prevent user from bypassing php authentication
问题描述
We call it html1 for simplicity. 
为了简单起见,我们将其称为html1。
When a user goes to html1, there's a login2.php login page to enable access to client.php which is the hidden page. 当用户转到html1时,会有一个login2.php登录页面,用于访问隐藏页面client.php。
It then goes to checklogin.php...if the password and user name matches...it then goes to the hidden client.php page...if not..it goes back to homepage. 然后,它进入checklogin.php ...如果密码和用户名匹配...然后它进入隐藏的client.php页面...如果不..它返回主页。
The user has to login to be able to view the contents of hidden client.php page. 用户必须登录才能查看隐藏的client.php页面的内容。
However the user can access client.php by typing in ..../client.php on the address bar...therefore bypassing the auth page and rendering it useless. 但是,用户可以通过在地址栏上输入.... / client.php来访问client.php,从而绕过身份验证页面并使其无效。 I can just type servername/client.php...and it still shows me the contents of client.php...but I want client.php...to be private! 我可以只输入servername / client.php ...,它仍然显示client.php的内容...但是我希望client.php ...是私有的!
How do I prevent this from happening? 如何防止这种情况发生?
thanks. 谢谢。
first login page... 第一个登录页面...
<html>
<head>
<title>Login Form</title>
</head>
<body>
<h2>Login Form</h2>
<table>
<form method="post" action="checklogin2.php">
<div id="name">User Id: <input type="text" name="****"></div>
<div id="password">Password: <input type="password" name="*******"></div>
<div class="button"><input type="submit" value="Login"></div>
</form>
</table>
</body>
</html>
then it goes to.... checklogin2.php 然后它就去了...。checklogin2.php
<?php
$*** = $_POST['****'];
$***** = $_POST['***'];
if($uid == '****' and $***** == '*****')
{
session_start();
$_SESSION['sid']=session_id();
header("location:securepage.php");
}
else
{
header("location:index.html");
}
?>
Then it goes to... securepage.php 然后转到... securepage.php
<?php
session_start();
if($_SESSION['sid']==session_id())
{
header("location:client.php");
echo "<a href='logout.php'>Logout</a>";
}
else
{
header("location:login.php");
}
?>
3 个解决方案
解决方案1
3 已采纳 2015-03-17 11:44:05
In the beginning of your every page you have to check if user is authorized. 在每个页面的开头,您必须检查用户是否被授权。
On checklogin.php if user entered correct login and password, just set something like 在checklogin.php如果用户输入正确的登录名和密码,则只需设置以下内容
$_SESSION['authorized'] = TRUE;
...and on other pages just check if user is authorized: ...以及其他页面上,只需检查用户是否获得授权:
if (isset($_SESSION['authorized']) && $_SESSION['authorized'] === TRUE) {
// Alright, let's show all the hidden functionality!
echo "Psst! Hey! Wanna buy some weed?";
} else {
// User is not authorized!
header('Location: login.php');
exit();
}
Note that you don't have to mess with cookies, session IDs etc. - just add session_start() before everything and freely use $_SESSION var. 请注意,您不必弄乱cookie,会话ID等session_start()只需在所有内容之前添加session_start()并自由使用$_SESSION var。
This is the main pro of sessions (and $_SESSION variable in particular): you can remember some data among different pages on same website. 这是会话的主要$_SESSION (尤其是$_SESSION变量):您可以记住同一网站上不同页面之间的一些数据。
解决方案2
2 2015-03-17 11:45:44
All pages has to check if the user is authed. 所有页面都必须检查用户是否已通过身份验证。 I would recommend using objects, and always inherit a class that checks this for you. 我建议使用对象,并始终继承为您检查该类的类。 It's not fun to have the same code everywhere, doing the same thing. 到处都具有相同的代码,执行相同的事情并不是一件有趣的事情。
解决方案3
0 2018-04-27 16:57:52
if($_SERVER["PHP_SELF"] == '/yourpagefolder/yourpage.php' && !isset($_SESSION['login_user'])){
header('location: login.php');
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.