如何使用会话使我简单的php / html登录安全? 即注销后无法“返回”应用程序
[英]How to make my simple php/html login secure using Sessions? i.e. Unable to 'back' into application when logged out
问题描述
Currently making a small application on html, which utilises php for user login which is connected to a database. 
当前在html上制作一个小型应用程序,该应用程序使用php进行用户登录并连接到数据库。 User login works as required, users can login, register, logout and relogin as a normal login behaviour should function. 用户登录按要求工作,用户可以登录,注册,注销和重新登录,因为正常的登录行为应该起作用。
However, when a user logs out, they are able to immediately 're-enter' the application by using the browser BACK button, which is an obvious security flaw. 但是,当用户注销时,他们可以使用浏览器的BACK按钮立即“重新输入”应用程序,这是一个明显的安全漏洞。
I am trying to use sessions in creating a solution to the above issue.. any help would be highly appreciated. 我正在尝试使用会话来创建上述问题的解决方案。任何帮助将不胜感激。 My application is currently broken down into the following pages. 我的应用程序当前分为以下几页。
1) login.php (simple username & password entered into a form, form executes logincheck.php 1)login.php(在表单中输入简单的用户名和密码,表单执行logincheck.php
2) logincheck.php (SEE BELOW) 2)logincheck.php(请参阅下文)
<?php
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="site.css">
</head>
<body>
<div class="frame">
<div class="headerf"></div>
<div class="contentf">
<h3>Incorrect user credentials.</h3>
<?php
include("info.inc.php");
$comm=@mysql_connect(localhost,$username,$password);
$rs=@mysql_select_db($database) or die( "Unable to select database");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "index.php"
$_SESSION["username"] = $myusername;
$_SESSION["password"] = $mypassword;
header("location:../index.php");
}
else {
echo "Please return to the log-in page.";
}
?>
<form name="form" method="post" action="../login.php"><br>
<td><input type="submit" name="Submit" value="Back"></td>
</div>
</div>
</body>
</html>
3) index.php (if successful login, user is redirected to this page, where they have access to the application and can navigate throughout as normal). 3)index.php(如果成功登录,则用户将被重定向到此页面,在该页面中,他们可以访问应用程序并可以正常浏览整个页面)。
4) logout.php (session is ended, user is redirected to login page) 4)logout.php(会话结束,用户重定向到登录页面)
I currently have session start in the login, and session end in the logout pages. 我当前在登录中具有会话开始,而在注销页面中具有会话结束。 How can i implement a secure form of loggin in ? 如何在中实现安全的登录形式? Have been trying online examples, but to no avail, ie http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions 一直在尝试在线示例,但无济于事,即http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions
My ideal fix would be, instead of a user being able to 'BACK' into the application after logout, they are redirected to the login page again or username and password is prompted for again 我的理想解决方法是,注销后用户不能再“返回”到应用程序中,而是将他们再次重定向到登录页面,或者再次提示输入用户名和密码
any help is highly appreciated! 非常感谢您的帮助!
2 个解决方案
解决方案1
0 2016-03-15 18:40:26
After checking the user's credentials, if the user has a valid username and password you would set a session variable indicating they've successfully been logged in. 检查用户的凭据后,如果用户具有有效的用户名和密码,则可以设置一个会话变量,以指示他们已成功登录。
Example (using a snippet from your logincheck.php script): 示例(使用您的logincheck.php脚本中的代码段):
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "index.php"
$_SESSION["username"] = $myusername;
$_SESSION["password"] = $mypassword;
// set a session variable that is checked for
// at the beginning of any of your secure .php pages
$_SESSION["loggedIn"] = true;
header("location:../index.php");
}
At the very beginning of each of your secure pages check to see if this session variable has been set as a result of logging in. If the session variable is not set, then you simply re-direct the user back to your login.php page. 在每个安全页面的开始处,检查是否由于登录而设置了该会话变量。如果未设置会话变量,则只需将用户重定向到login.php页面。
Example: 例:
<?php
// start session
session_start();
// check for logged in session
if(!$_SESSION['loggedIn'])
{
// user is not logged in
// re-direct user to login.php
header("Location: login.php");
exit;
}
?>
As the other comments mention, I highly recommend moving to either MySQLi or PDO database functions as the mysql_* functions have been deprecated from later versions of PHP. 正如其他评论所述,我强烈建议移至MySQLi或PDO数据库函数,因为更高版本的PHP不推荐使用mysql_ *函数。
解决方案2
0 已采纳 2016-03-15 19:04:56
you need to register the new 'loggedIn' session variable when you retrieve the data from the database or you can also use your existing session variable ie username against the starting of each page instead of adding a new session variable to check the same.... 从数据库检索数据时,您需要注册新的'loggedIn'会话变量,或者您也可以使用现有的会话变量(即用户名)作为每个页面的开头,而不是添加新的会话变量来进行检查... 。
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "index.php"
$_SESSION["username"] = $myusername;
$_SESSION["password"] = $mypassword;
$_SESSION['loggedIn'] = true;
header("location:../index.php");
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.