我真的需要一些帮助。我一生都无法弄清楚为什么会话没有在我的代码中持续存在。我尝试按照我见过的例子进行操作,但没有骰子。如果我单击“主页”链接,它应该保留在同一页面上,但仍保持文件打开状态,因为它仍然应该登录。但是,它只会带我回到登录表单。当我单击地址栏并按 Enter 键时,也会出现同样的情况。我还遇到一个问题,即告诉页面在会话未运行时仅显示表单的代码只会导致页面不断重定向,直到出现错误页面。请帮忙!
<?php
session_start();
//MAKE SOME CONSTANTS
if ($_SERVER['HTTP_HOST'] == 'localhost') {
//PRIVATE
}
else {
//PRIVATE
}
//CONNECT TO DB
function connectToDatabase() {
$conn = mysqli_connect(HOST, USER, PASS, DB);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
return $conn;
}
//CHECK AGAINST USERNAMES AND PASSWORDS IN DB
function checkUserNameAndPassword($username, $password) {
$conn = connectToDatabase();
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = $conn->query($sql);
if ($result->num_rows == 1) {
$_SESSION['granted'] = true;
setcookie('name', $username, time() + 3600);
//NAV BAR
echo '<div class="navbar">';
echo '<a href=".">Home</a>';
echo '<a href="?logout=true">Logout</a>';
echo '</div>';
//SUCCESSFUL FORM
echo '<div class="form">';
echo '<div class="access">';
echo 'ACCESS GRANTED';
echo '</div>';
//READ FILE
$fileContents = file_get_contents("includes/fbi.txt");
$lines = explode('||>><<||', $fileContents);
//TABLE
echo '<div class="table">';
echo '<table>';
echo '<tr>';
echo '<th class="title">Agent</th><th class="title">Code Name</th>';
echo '</tr>';
//LOOP THROUGH FILE
foreach ($lines as $line) {
$pair = explode(',', $line);
$agent = ucfirst($pair[0]);
$codename = ($pair[1]);
//DEALING WITH TWO WORD CODENAMES
if (strpos($codename, ' ') !== false) {
$words = explode(' ', $codename);
foreach ($words as &$word) {
$word = ucfirst($word);
}
$codename = implode(' ', $words);
}
else {
$codename = ucfirst($codename);
}
//INSERT INFO TO TABLE
echo '<tr>';
echo '<td>' . $agent . '</td>';
echo '<td>' . $codename . '</td>';
echo '</tr>';
}
echo '</table>';
echo '</div>';
}
else {
//UNSUCCESSFUL FORM
echo '<div class="form">';
echo '<div class="access">';
echo 'ACCESS DENIED<br>';
echo '</div>';
echo 'Please enter valid credentials.';
echo '<form method="post" name="logIn">';
echo '<input type="text" placeholder="User Name" name="userName"><br><br>';
echo '<input type="password" placeholder="Password" name="password"><br><br>';
echo '<div class="submit">';
echo '<input type="submit" name="sub-button">';
echo '<input type="reset" name="reset-button">';
echo '</div>';
echo '</form>';
echo '</div>';
}
//CLOSE CONNECTION
$conn->close();
}
function isGranted() {
return $_SESSION['granted'];
}
//LOGOUT FUNCTIONALITY
if (isset($_GET['logout']) && $_GET['logout'] == 'true') {
//CLEAR SESSION VARIABLES
$_SESSION = array();
//DESTROY SESSION
session_destroy();
//REDIRECT
header("Location: index.php");
exit;
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['userName']) && isset($_POST['password'])) {
$username = $_POST['userName'];
$password = $_POST['password'];
checkUserNameAndPassword($username, $password);
//$_SESSION['granted'] = true;
//setcookie('name', $username, time() + 3600);
}
}
//if (!isset($_SESSION['granted']) || !$_SESSION['granted']) {
// header("Location: " . $_SERVER['PHP_SELF']);
// exit;
//}
?>
<!doctype html>
<html lang="en">
<head>
<title>Insecure Passwords</title>
<link rel="stylesheet" href="css/style.css" type="text/css">
</head>
<body>
<?php
if ($_SERVER['REQUEST_METHOD'] != 'POST' || (isset($_POST['username']) && isset($_POST['password']) && $result->num_rows != 1)) {
?>
<div class="form">
<form method="post" name="logIn">
<input type="text" placeholder="User Name" name="userName"><br><br>
<input type="password" placeholder="Password" name="password"><br><br>
<div class="submit">
<input type="submit" name="sub-button">
<input type="reset" name="reset-button">
</div>
</form>
</div>
<?php
}
?>
</body>
</html>
我无法弄清楚 $_SESSION['granted'] = true 行或 isGranted 函数可以在哪里解决问题。或者如果这就是问题所在。
使用登录脚本时,要授予用户查看“墙”后面的权限 - 您必须考虑一些事情。
如果安全性很重要(而且应该如此),那么验证对网站的请求的方法应该包含一些代码,以防止用户简单地将 cookie 设置为“Y”来“登录”。也许您向用户提供一个包含哈希值的 cookie,然后后端会检查该哈希值?
设置 $_SESSION 变量,并不一定意味着它会跨页存在(请参阅 $_SESSION 的超时值)。
在数据库中使用明文密码不应该是一件事。您应该对密码 / 进行哈希处理并存储它们,使其不是明文形式。
最后,您的页面似乎使用 POST 值来检测用户是否登录或正在登录。在这种情况下,一旦用户登录,然后刷新页面,页面就会检测到POST 未设置任何内容,并再次请求登录。您可能想检查“name”的 cookie 值或“granted”的 $_SESSION 值,而不是 POST。