Admin Panel and User Profile logged in at the same time

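First, I will explain the problem:

When I am logged in to a user's profile, I can access /adminboard/index.php, the admin panel itself, and vice versa: when I am logged in to the adminboard, I get access to the first registered user's profile. This makes my site insecure.

I think the cause is the session code I wrote. The adminboard and the user profile have the same login code. Maybe I have to change the name of a variable to prevent this error, but I don't know exactly which one.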

    // PHP code of the login forms:
    ob_start();
    session_start();
    include '../includes/config.php';
    mysql_set_charset('utf8');
    $password = $_POST['txtPassword'];
    // Escape the submitted value before it is placed in the query string
    $username = mysql_real_escape_string($_POST['txtUserName']);

    $query = "SELECT * FROM admin WHERE username = '$username';";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 0) // User not found. So, redirect to the registration page.
    {
        header('Content-Type: text/html; charset=utf-8');
        echo '<script> alert("მონაცემები არ მოიძებნა რადგანარ ხართ დარეგისტრირებული. დარეგისტრირდით პრეტესტზე") </script>';
        echo '<script language="JavaScript"> window.location.href ="../register.php" </script>';
        exit(); // stop here so the password check below does not run
    }
    $userData = mysql_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userData['salt'] . hash('sha256', $password));
    if ($hash !== $userData['password']) // Incorrect password. So, redirect to login_form again.
    {
        header('Content-Type: text/html; charset=utf-8');
        // Do not echo the submitted password or the stored hash back to the browser
        echo '<script> alert("პაროლი არასწორია!") </script>';
        echo '<script language="JavaScript"> window.location.href ="../login.php" </script>';
        exit();
    } else { // Redirect to home page after successful login.
        session_regenerate_id();
        $_SESSION['userId'] = $userData['id']; // was $row['id'], but $row is never defined
        $_SESSION['sess_user_id'] = $userData['id'];
        session_write_close();
        header("Location: ../adminboard/");
    }

The same goes for users, but the "Location" address is different.

    //and here is the user session checker for index.php-s in adminboard and 
    // Start session
    error_reporting(0);
    session_start();
    // Check whether the session variable sess_user_id is present or not
    if (!isset($_SESSION['sess_user_id']) || (trim($_SESSION['sess_user_id']) == '')) {
        header("location: ../login.php");
        exit();
    }

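You can set the session name with session_name('myDummyName'). Use different names for the frontend and the backend. After that, both will use different sessions. Make sure to set the session name before calling session_start().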
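
One way to apply the suggestion above, as an added example that is not part of the original answer: each area gets its own session name, and the session also records which login created it, because both cookies point into the same session store and the cookie name alone does not tie a session to one area. The cookie names `ADMINSESSID` and `USERSESSID` and the helper functions are assumptions.

```php
<?php
// Added example. The cookie names and helper names are assumptions.

function area_session_name($area)
{
    $names = array('admin' => 'ADMINSESSID', 'user' => 'USERSESSID');
    if (!isset($names[$area])) {
        throw new InvalidArgumentException('unknown area: ' . $area);
    }
    return $names[$area];
}

// Start the session for one area. Call before any output is sent.
function start_area_session($area)
{
    session_name(area_session_name($area)); // must precede session_start()
    // lifetime, path, domain, secure, httponly; pass secure=true on HTTPS sites
    session_set_cookie_params(0, '/', '', false, true);
    session_start();
}

// Call in an area's login script once the password check has succeeded.
function login_area($area, $userId)
{
    session_regenerate_id(true);       // discard the pre-login session id
    $_SESSION['area'] = $area;         // remember which login created it
    $_SESSION['sess_user_id'] = (int) $userId;
}

// Logged-in id for this area, or null when the session is empty or was
// created by the other area's login.
function area_user_id($area)
{
    if (!isset($_SESSION['area'], $_SESSION['sess_user_id'])) {
        return null;
    }
    return $_SESSION['area'] === $area ? $_SESSION['sess_user_id'] : null;
}

// Guard at the top of adminboard/index.php:
start_area_session('admin');
if (area_user_id('admin') === null) {
    header('Location: ../login.php');
    exit();
}
```

The user profile pages use the same guard with `'user'`, and each login script calls `start_area_session()` followed by `login_area()` with its own area name.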