
How to prevent users from accessing the admin page with a user session (session_destroy)

I want to prevent logged-in users from accessing the admin page with their session when they are logged in. They should only be able to log in with the username 'admin'.

   <?php
   session_start();

   // No session at all: store a message for the login form and redirect.
   if (!isset($_SESSION['username'])) {
      $_SESSION['msg'] = "You must log in first";
      header('location: login.php');
   }

   // Intended to let only the 'admin' user through.
   if (isset($_SESSION['username']) != 'admin') {
      session_destroy();
      unset($_SESSION['username']);
      header("location: login.php");
   }

   // Logout link (?logout): tear the session down and redirect.
   if (isset($_GET['logout'])) {
      session_destroy();
      unset($_SESSION['username']);
      header("location: login.php");
   }
<?php
session_start();

if (isset($_SESSION['username'])) {
   // Compare the stored value itself, strictly, against 'admin'.
   if ($_SESSION['username'] !== 'admin') {
      session_destroy();
      unset($_SESSION['username']);
      header("location: login.php");
      exit();   // stop here so the admin page body is never sent
   }
} else {
   $_SESSION['msg'] = "You must log in first";
   header('location: login.php');
   exit();
}

The isset function returns a boolean value and must not be checked against a string.

<?php
session_start();   // session_destroy() needs an active session

// Expire the session cookie in the browser so the old id is not sent again.
if (isset($_COOKIE[session_name()])) {
   setcookie(session_name(), '', time() - 86400, '/');
}
session_destroy();
header("location: login.php");
exit();

session_destroy() is not enough. You should expire the cookie too.

And always use exit(); after header('location: ...');
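Putting both answers together, here is an added example (not code from the question or from either answer) of an admin gate for admin.php: a strict comparison on the stored username rather than on isset()'s boolean, a logout routine that expires the session cookie as well as calling session_destroy(), and an exit() after every redirect. It assumes PHP 7.3 or newer (for the array form of setcookie() and session_set_cookie_params()), that login.php sets $_SESSION['username'] after a successful password check, and that admin.php includes this file at the top; the helper names redirect_to, end_session and is_admin_session are this example's own.

```php
<?php
// Added example: admin gate + full logout for admin.php.
// Assumes PHP >= 7.3 and that login.php sets $_SESSION['username'].
declare(strict_types=1);

// Harden the session cookie before session_start(): HttpOnly keeps scripts
// away from the id, Secure limits it to HTTPS, SameSite=Lax blocks most
// cross-site requests from carrying it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Redirect and stop the script. Without exit() PHP keeps running the rest
 * of the page and sends its output to the client together with the redirect.
 */
function redirect_to(string $location): void
{
    header('Location: ' . $location, true, 302);
    exit();
}

/**
 * Destroy the session on the server AND invalidate the client's cookie.
 * session_destroy() alone leaves the old session id sitting in the browser.
 */
function end_session(): void
{
    $_SESSION = [];                        // drop data held by this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();  // reuse the same cookie attributes
        setcookie(session_name(), '', [
            'expires'  => time() - 86400,  // already in the past
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

/**
 * True only for an authenticated session whose username is exactly 'admin'.
 * The strict !== / === is applied to the stored value, never to isset().
 */
function is_admin_session(array $session): bool
{
    return isset($session['username']) && $session['username'] === 'admin';
}

// ---- request handling for admin.php ----

if (isset($_GET['logout'])) {
    end_session();
    redirect_to('login.php');
}

if (!isset($_SESSION['username'])) {
    $_SESSION['msg'] = 'You must log in first';
    redirect_to('login.php');
}

if (!is_admin_session($_SESSION)) {
    // A logged-in non-admin: terminate the session, as the question wants,
    // and send the browser back to the login form.
    end_session();
    redirect_to('login.php');
}

// Only the admin session reaches this point.
echo 'Welcome, admin';
```

Two design notes. The checks are ordered so that a non-admin session is destroyed before any page output, and each branch ends in exit(), so no later code can leak the admin page. The cookie is expired with the same path, domain and flags it was set with; a setcookie() call that does not match those attributes creates a second cookie instead of clearing the first. On login.php, calling session_regenerate_id(true) after the password check keeps a pre-login session id from being carried over into the authenticated session.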
