我班上有一个网站作业,我遇到了一些麻烦。当用户使用直接链接访问受保护的页面时,他们仍然可以访问该页面。但是,如果他们用不正确的凭据登录到主页,它不会将他们引导到受保护的页面。如何防止我的网页被直接连结进入?
索引页是登录页,当人们登录时,它将进行身份验证并指向protected_page.php但如果我在网页浏览器中输入:http://localhost/protected_page.php,它仍然会引导我通过。我如何阻止或重定向?
如果有帮助,我可以发布一些源代码…
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if (login_check($mysqli) == true) {
$logged = 'in';
} else {
$logged = 'out';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1" />
<link rel="stylesheet" href="style.css" type="text/css" />
<title>Login</title>
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<?php
if (isset($_GET['error'])) {
echo '<p class="error">Error Logging In!</p>';
}
?>
<form action="includes/process_login.php" method="post" name="login_form">
<p>Usuario:</p>
<p>
<input type="text" name="email" />
</p>
<p>Contrasena:</p>
<p>
<input type="password"
name="password"
id="password"/>
<input type="button"
value="Aceptar"
onclick="formhash(this.form, this.form.password);" />
</p>
</form>
<?
<?php
if (login_check($mysqli) == true) {
echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION['username']) . '.</p>';
echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>';
} else {
echo '<p>Currently logged ' . $logged . '.</p>';
echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>";
}
?>
这是index。php
这里是protected_page.php
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
?>
<?php if (login_check($mysqli) == true) : ?>
</h2>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
<p> <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>. </p>
<?php endif; ?>
<br />
我只关注protected_page.php,因为您不希望使用直接链接访问它。
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if(!isset($_SESSION['username'])) {
header("Location: index.php");
}
?>
<?php if (login_check($mysqli) == true) : ?>
</h2>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
<p> <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>. </p>
<?php endif; ?>
<br />
我在上面添加的代码是:
if(!isset($_SESSION['username'])) {
header("Location: index.php");
}
这意味着如果$_SESSION['username']没有设置,那么它将重定向到index.php(这是header("Location: index.php")的工作)。顺便说一下,$_SESSION['username']只会在有人登录时设置。
检查$_SESSION
变量,如果它无效(或者您定义了一个有效的会话),则使用下面的方法。
PHP中的header()
方法允许您重定向用户:
<?php
header("Location: http://www.yourRedirect.com/"); /* Redirect browser */
/* Make sure that code below does not get executed when we redirect. */
exit;
?>
在你的例子中,
<?php if (login_check($mysqli)) : ?>
</h2>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
<?php header("Location: errorPageLocation");
<?php endif; ?>
<br />
你应该使用会话标识符
if (login_check($mysqli) == true) {
$_SESSION['logged_in'] = 'logged_in' ;
}
then in protected_page.php
if(isset($_SESSION['logged_in'])){
echo "</h2>
<p>Welcome <?php echo htmlentities($_SESSION['logged_in'], ENT_QUOTES, 'UTF-8'); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>" ;
} else {
//redirect the user
header('Location:index.php');
exit();
}