PHP: Is there a better way to protect my pages than using header(location)?
I am protecting my pages by checking the values of my sessions. Is there a more secure way of protecting my pages other than changing the Header Location if the sessions are not valid??? Am I doing anything right???
I have the following at the top of each page:
<?php
session_start();
// VERIFY LOGIN: redirect to the login page when BOTH session checks fail
$validkey = 'br1ll1ant)=&';
if ($_SESSION['valid'] != hash('sha256', $validkey) && $_SESSION['tokenconfirm'] != hash('sha256', $_SESSION['tokenID'])) {
    header("location:/login/");
}
?>
Comments (4)
Using header() is fine, but don't forget to exit(); your script after calling header(). User agents don't have to respect headers, so one could write a client which will simply read the part that comes after the header call.
Are you using a templating system? If you are, what you'd do is simply output the login form instead of the page content if the user isn't validated. Even if you aren't using one, you can change the output (different set of includes, for example), if the user isn't valid. This way you aren't relying upon the end user's browser to protect the content.
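One way to put the two comments above into practice, as an added example that is not the original poster's or either commenter's code; the session key 'user_id' and the paths '/login/' and 'login_form.php' are assumptions:

```php
<?php
// Added example: a reusable guard included at the top of each protected page.
// Assumed convention: the login script stores the user id in $_SESSION['user_id']
// after verifying credentials; a missing/empty value means "not logged in".
declare(strict_types=1);

session_start();

function is_logged_in(): bool
{
    return !empty($_SESSION['user_id']);
}

// Variant 1 (comment 1): redirect, then STOP the script. Without exit the
// rest of the page is still generated and sent in the body of the 302
// response, so a client that ignores the Location header (curl, a script)
// would simply read the protected content.
function require_login_redirect(): void
{
    if (is_logged_in()) {
        return;
    }
    header('Location: /login/', true, 302);
    exit; // nothing after this line is executed or sent
}

// Variant 2 (comment 2): do not rely on the browser at all. Send the login
// form in place of the protected content and end the script.
function require_login_inline(): void
{
    if (is_logged_in()) {
        return;
    }
    http_response_code(403);                 // not the real page
    require __DIR__ . '/login_form.php';     // assumed path of the form template
    exit;
}

require_login_redirect();   // or: require_login_inline();
?>
<!-- Protected content below is only ever reached by a logged-in user. -->
```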
Headers should be fine, I haven't seen people use much anything else.
It is always best to authenticate to gain access to the page, and then check that authentication on every page. If it fails, redirect to the login.
Using an MVC pattern, it is best to check the login status before they even get to a page, and either redirect if not logged in, or load the logged in view.
Using a front controller pattern you can put all your PHP files outside the web root. That way they are not directly accessible from a URL. This is fairly common practice in PHP frameworks, including those built with Zend 'Framework'.
If your files are in the web root, another method that you might consider is to use constants. This is how CodeIgniter does it. Define a constant in your front controller and if it's not defined send them to the web root. Here is how CI uses constants.
The constant used everywhere
How it is defined.
$system_folder being a few lines above.