防止用户在注销后通过点击后退按钮重新登录
我正在使用 PHP 登录脚本来询问用户的用户名和密码。密码。
一旦经过身份验证,程序就会存储会话值。注销时,会话值设置为空白。
注销后,我想避免允许用户多次点击后退按钮,并允许查看数据屏幕或意外地重新登录。
我正在使用会话,将经过验证的用户重定向到新页面。我还使用 ob_start、ob_flush 和 ob_end_clean 来防止错误或重定向。
问题: 这真的安全吗? 这是一种常见的方法吗?
除了缓冲还有其他选择吗?
下面是一个小的概念验证。
<?php
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
header("Pragma: public");
session_cache_limiter('nocache');
// I'm not sure how effective any of the above seem to be.
session_start();
// start buffering because if we use header later we want to avoid error
ob_start();
echo "Type <b>in</b> or <b>out</b> to login/logout<br>";
?>
<form action='' method='POST'>
<input type='text' name='status' size='10' value=""><br/><br/>
<p> </p>
<input type='submit' name='Login' value='Login' /></form></p>
<?php
if ($_POST['status'] == 'in')
{
$_SESSION['logged_in'] = 'in';
ob_end_clean(); // clean and erase buffer so far
header('location:test2.php');
exit;
}
if ($_POST['status'] == 'out')
{
$_SESSION['logged_in'] = 'no';
echo "you are logged out <br>";
}
ob_flush(); // push output
echo "login status = " . $_SESSION['logged_in'] ;
?>
file test2.php
<?php
echo "You have logged in";
?>
I am using a PHP login script that challenges user for username & password.
Once authenticated program stores a session value. On logout, session value is set to blanks.
Once logged out I want to avoid allowing user hitting the back button a few times and and betting allowed to see screen of data or accidentaly logging himself back in.
I am using sessions, a re-direct to send validated user to a new page. I am also using ob_start, ob_flush and ob_end_clean to prevent error or re-direct.
Questions:
Is this really secure?
Is this a common approach?
Is there alterternative to buffering?
below is a small proof-of-concept.
<?php
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
header("Pragma: public");
session_cache_limiter('nocache');
// I'm not sure how effective any of the above seem to be.
session_start();
// start buffering because if we use header later we want to avoid error
ob_start();
echo "Type <b>in</b> or <b>out</b> to login/logout<br>";
?>
<form action='' method='POST'>
<input type='text' name='status' size='10' value=""><br/><br/>
<p> </p>
<input type='submit' name='Login' value='Login' /></form></p>
<?php
if ($_POST['status'] == 'in')
{
$_SESSION['logged_in'] = 'in';
ob_end_clean(); // clean and erase buffer so far
header('location:test2.php');
exit;
}
if ($_POST['status'] == 'out')
{
$_SESSION['logged_in'] = 'no';
echo "you are logged out <br>";
}
ob_flush(); // push output
echo "login status = " . $_SESSION['logged_in'] ;
?>
file test2.php
<?php
echo "You have logged in";
?>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我首先使用
session_destroy()
销毁会话,而不是仅仅将“logged_in”值设置为“no”。然后只需检查会话是否存在,看看用户是否登录。
I would start with destroying the session with
session_destroy()
rather than just set the 'logged_in' value to 'no'.Then just check to see if the session exists to see if the user is logged in.
您需要的是正确的注销方法,而不是测试会话数据。您希望完全擦除会话。下面是一个示例,它记录用户登录和注销用户,并检查用户是否登录。当您单击注销页面时,您将自动注销并重定向。单击返回不会改变任何内容,您仍然无法登录。login.php
homepage.php
logout.php
希望
这有助于为您揭开会话的神秘面纱。
What you need is a proper logout method rather than testing session data. You want the session to be wiped competely. Here is an example that logs the user in and logs the user out and also checks if the user is logged in. When you click the logout page you're automatically logged out and redirected. Clicking back won't change anything you still won't be logged in.
login.php
homepage.php
logout.php
Hope this helps demystify sessions a bit for you.