使用会话限制对页面的访问时,如何处理用户清除会话?
[英]How do I deal with users clearing sessions when I use sessions to restrict access to pages?
问题描述
I have a page that I restrict access to by checking if a certain session variable is set. 
我有一个页面,可以通过检查是否设置了某个会话变量来限制访问权限。 But then again, users can clear that session variable and now have access to the page. 但是话又说回来,用户可以清除该会话变量,现在可以访问该页面。
What can I do to prevent this? 我该怎么做才能避免这种情况? I am using php 我正在使用php
4 个解决方案
解决方案1
6 已采纳 2010-02-04 00:32:40
...您可以设置谁可以访问该页面的人会话变量,而不是相反?
解决方案2
4 2010-02-04 00:35:13
Deny all, allow some. 全部拒绝,允许一些。
Assume people without a session are not allowed. 假设没有会议的人是不允许的。
解决方案3
3 2010-02-04 00:33:17
通常,用户通常无法自行清除变量(除非您的代码为他们清除了变量),而只能自行删除会话cookie,这会破坏整个会话(现在您可以限制访问权限)。
解决方案4
0 2010-02-04 03:09:15
In a PHP header at the TOP of the various pages you want to restrict access to, you'd put something like the following: 在要限制访问的各个页面的TOP的PHP标头中,您将放置以下内容:
<?php
session_start(); // start the session
if (!isset($_SESSION['allowaccess']) || ($_SESSION['allowaccess'] == FALSE)) {
// if the access token is not present or the token is false, then...
echo "Access denied."
exit();
}
?>
<h1>Super Seekrit Data</h1>
<p>yada yada yada</p>
This way, if the users clear their cookies or log out or whatever, the pages with this type of code will now deny access. 这样,如果用户清除其cookie或注销或执行其他操作,则具有此类代码的页面现在将拒绝访问。 Of course, they might still have a cached copy present on their end and can see the content until such time as the cache expires, but that's another problem to solve. 当然,他们可能仍然会在其末尾看到缓存的副本,并且可以看到内容,直到缓存过期为止,但这是要解决的另一个问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.