简体   繁体   English

用于多页上的用户身份验证的Php会话变量

[英]Php session variables for user authentication on multiple pages

I am creating a content management website with a login page at the back end. 我正在创建一个内容管理网站,后端有一个登录页面。

I have created a working login page for the main menu of the content management system. 我已经为内容管理系统的主菜单创建了一个工作登录页面。

The below images show my code. 下图显示了我的代码。

1st Step - User visits the URL of main menu for content management system: Code shown below . 第1步 - 用户访问内容管理系统主菜单的URL:代码如下所示

<?php
session_start();

echo $_SESSION['valid_user'];

if(!isset($_SESSION['valid_user']))
{
$URL="error.php";
header("Location: $URL");
}
  ?>

Two things can happen. 有两件事可能发生。 1 if they have not logged in before they will be directed to an error page. 如果他们尚未登录,则会将他们定向到错误页面。 They can then select to visit the login page and login using their user name and pswd. 然后,他们可以选择访问登录页面并使用他们的用户名和pswd登录。

i have declared ?php start_session();? 我已声明?php start_session();? at the top 在顶部

<?php

$login = $_POST['name'];
$loginpass =$_POST['password'];

 if((isset($login)) || (isset($loginpass))){

    //echo "<p> form has been submitted</p>";

    include("connect.php");

    $query = "select * from logins where 
        username='$login' and pswd=MD5('$loginpass')";
      $result = mysql_query($query) or die($query."<br/><br/>".mysql_error());

    $count=mysql_num_rows($result);
    echo $count;

if($count > 0){

   echo "<p>you are logged in as $login please 
   go to <a href='home2.php'>edt     home</a>.</p>";
    echo "<p><a href='logout.php'>log out</a> $login?</p>";
    $_SESSION['valid_user'] = $login;

}else{

    echo "<p>sorry login failed</p>";

}

  }else{

    //echo "<p> form  hasn't been submitted</p>";
    //Visitor needs to enter a name and password                
    echo "<h1>Please Log In</h1> <form method='post' action='index2.php'>";
    echo "<p>Username: <input type='text'name='name'></p>";
    echo "<p>Password: <input type='password' name='password'></p>";
    echo "<p><input type='submit' name='submit' value='Log In'></p></form>";        
 }


 ?>

So far all of that functionality works fine for me. 到目前为止,所有这些功能对我来说都很好。

However, I want to make sure that if the user bypasses the home url and decides to jump straight to a section within the edit menu, they will be either forced to login, if they have not already, or, the php will check their credentials if they have logged in. 但是,我想确保如果用户绕过主页并决定直接跳转到编辑菜单中的某个部分,他们将被强制登录,如果他们还没有,或者,php将检查他们的凭据如果他们已经登录

This is an example of the code I have at the top of the page I want to place my validation ont. 这是我在页面顶部的代码示例,我想将验证放在上面。 I'm not sure if already have a database table connection at the top will affect the session variable. 我不确定顶部是否已经有数据库表连接会影响会话变量。

 <?php

include("connect.php");
//echo "all good here";


//grab the data from the table 'designs'
$query ="SELECT * FROM designs ORDER BY id";


//send SQL statement to MySQL server
$display = mysql_query($query);
$num = mysql_numrows($display);


 mysql_close();
 ?>

I know i want to place php scripts on all of the php pages that check the 'vaild_user' session variable is set and also give the user the ability to logout by pointing to the logout.php file. 我知道我想在所有检查'vaild_user'会话变量的php页面上放置php脚本,并通过指向logout.php文件让用户能够注销。 Im just not sure how to go about doing it at this point. 我现在还不确定如何去做。

I am very new to all this and generally understand following a clear guide, like most people I'm sure. 我对这一切都很陌生,一般都遵循一个明确的指南,就像大多数人一样,我敢肯定。

Any help anyone could give would be greatly appreciated 任何人都可以给予任何帮助将不胜感激

Thanks again!. 再次感谢!。

Basically you'd just have something like this snippet on each of your "protected" pages: 基本上你只是在每个“受保护”页面上都有这样的代码片段:

<?php

session_start();
if (!isset($_SESSION['valid_user'])) {
   header("Location: login.php");
   exit();
}
?>
<a href="logout.php">Logout</a>

if they're logged in, they get a logout link and the rest of the page. 如果他们已登录,他们会获得注销链接和页面的其余部分。 If they haven't logged in, they get redirected to the login page. 如果他们尚未登录,则会将其重定向到登录页面。

Sessions are not affected by database connections, or ANY OTHER code. 会话不受数据库连接或任何其他代码的影响。 They ARE affected by having performed output before you start the session, or try to do a redirect. 他们由您开始会议之前,或尝试做一个重定向已经进行输出的影响。 That'd trigger the "cannot modify headers - output started at line XXX" warning and disable the redirect. 这会触发“无法修改标题 - 从第XXX行开始的输出”警告并禁用重定向。

You should only need to validate the user's credentials after they submit their information to the login page. 您只需在将用户的信息提交到登录页面后验证用户的凭据即可。 You can then set a session variable (here it seems you are using $valid_user and if that variable exists, then they have already authenticated. 然后,您可以设置会话变量(这里似乎您使用$valid_user ,如果该变量存在,那么它们已经过身份验证。

You should in fact never be storing their password anywhere on your system for security reasons. 实际上,出于安全原因,您应该永远不会将密码存储在系统的任何位置。 You should be hashing their password input on the login page and then comparing that to the hashed database value. 您应该在登录页面上散列他们的密码输入,然后将其与散列数据库值进行比较。

You can have a user log in more than once for added security (phpbb does this when you move from registered user content to admin content for example) though it not necessary for general purpose security. 您可以让用户多次登录以增加安全性(例如,当您从注册用户内容移至管理内容时,phpbb会执行此操作),尽管通用安全性不需要。

Does that answer your question? 这是否回答你的问题?

在session_start()之后的每个页面顶部使用全局变量

$_SESSION['username'];

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM