我必须访问需要登录的页面。admin.php和rehab.php。登录后,我设置了两个会话变量:
if($row[2]=='Admin'){
// Initializing Session
session_start();
$_SESSION['user']=$username; // Initializing Session user
$_SESSION['dept']='Admin'; // Initializing Session dept.
header('location: admin.php');
}
else if($row[2]=='Rehabilitation Services'){
$_SESSION['user']=$username; // Initializing Session
$_SESSION['dept']='Rehabilitation Services';
header('location: rehab.php');
}
这两个页面都包含header.php(其中可以看到用户名)。我决定将会话验证放在header.php中:
session_start();
if (!(isset($_SESSION['user']) && $_SESSION['user'] != '')) {
header ("Location: login.php");
}
因此,每当有人通过在浏览器中键入(../admin.php)或(../recking.php)来访问管理页面时,它都会被重定向到登录页面。
我的问题是,如果REHAB用户现在登录了。(../recharge.php)每当我试图将REHAB.php更改为admin.php时,它仍然可以访问!我试着把它放在admin.php的顶部,但似乎不起作用。
if ((isset($_SESSION['dept'])) && $_SESSION['dept']!='Admin'){
session_destroy();
}
在rehab.php页面中,如果您想仅限制登录并指定了"康复服务"部门的用户访问,则应使用:
session_start();
if(!isset($_SESSION['user']) ||
(isset($_SESSION['dept']) && $_SESSION['dept']!='Rehabilitation Services')){
header ("Location: login.php");
}
这应该可以工作;我注意到有几件事,就你试图实现的目标而言,你的代码结构是好的:
session_start(); // Have this as the first thing on the script
// at the top before anything else above it
if($row[2]=='Admin'){
// Initializing Session
session_start(); // Remove this; you need to put session_start
// at the top of the script
$_SESSION['user'] = $username; // Is the $username coming in
// from $_POST? Should this be
// $_POST['username'] unless you
// defined it beforehand
$_SESSION['dept'] = "Admin"; // Initializing Session dept.
// This is ok.
header('location: admin.php');
} elseif($row[2] == "Rehabilitation Services"){ //Keep this in one line
$_SESSION['user'] = $username; // Initializing Session
$_SESSION['dept'] = "Rehabilitation Services";
header('location: rehab.php');
}
session_start();
if (!(isset($_SESSION['user']) && $_SESSION['user'] != '')) {
if (!isset($_SESSION['user']) && $_SESSION['user'] != '') {
// corrected line above, you can also use empty() function
header ("Location: login.php");
}
if ((isset($_SESSION['dept'])) && $_SESSION['dept']!='Admin'){
if (isset($_SESSION['dept']) && $_SESSION['dept'] != 'Admin'){
//Corrected line above
session_destroy();
}