HTTP_REFERER 无法与超时脚本一起正常工作?
我遇到了与这个问题类似的问题,但略有不同。
我的结构如下: 用户想要访问的页面类似于displayData.php。这是他们最终应该返回的页面。此页面检查您是否已登录并且会话未过期,如下所示:
if ($_SESSION["loggedIn"] != "YES")
{
header ("Location: ".$baseURL."timeout.php");
exit();
}
在 timeout.php 上,我检查引荐来源网址:
<?php
session_start();
$_SESSION['redirect'] = $_SERVER['HTTP_REFERER'];
$_SESSION["errorMessage"] = "Your session has timed out or<br>you have not logged in correctly.";
header ("Location: index.php");
exit();
?>
用户提交登录表单后出现问题,登录页面检查是否有推荐人。不过,我们已经确定他们拥有正确的登录信息。
if(isset($_SESSION['redirect'])){
header ("Location: ".$_SESSION['redirect']);
}else{
header ("Location: menu.php");
}
我认为从逻辑上讲,当超时页面使用 $_SERVER['HTTP_REFERER']; 设置变量时,它会将其设置为重定向到 timeout.php 的页面,在本例中为 displayData.php 。然而,似乎相反,它将其设置为 displayData.php 的引用者(可以是任何内容,但这不是我们想要将用户发送到的内容)。
这是 HTTP_REFERER 的预期效果吗?如果存在标头重定向,则不更新?如果是这样,那就太糟糕了,我需要重写大约 80 个文件来更改登录/超时系统。我希望有一个更简单的方法。我们本来可以在基于函数的系统中完成此操作,但我们目前正在尝试扩展遗留代码。
非常感谢。
编辑:
这里要更清楚一些。 将其想象为文件夹 /admin/。 displayData.php 是只能通过登录才能访问的许多文件之一(因此我们不知道当检测到他们未登录时他们试图访问哪个特定页面)。当会话过期时(或者根本没有会话),这些页面中的每一个都会重定向到 timeout.php,因此我希望 timeout.php 能够确定之前没有会话访问过的页面,然后保存该信息,以便稍后可以使用它来将用户重定向回他们在我们网站上请求的原始页面。
我想通过 timeout.php 文件来完成此操作的原因是因为有很多文件,就像 displayData.php 一样,如果不需要的话,我不想编辑其中的每一个来改进系统,暂且。
如果这仍然不够清楚,请告诉我。
I have a problem similar to this one, but slightly different.
I have it structured like this:
The page the user wants to go to is something like displayData.php. This is the page they should end up back on. This page checks to see if you are logged in and the session isn't expired like so:
if ($_SESSION["loggedIn"] != "YES")
{
header ("Location: ".$baseURL."timeout.php");
exit();
}
On timeout.php, I check the referrer:
<?php
session_start();
$_SESSION['redirect'] = $_SERVER['HTTP_REFERER'];
$_SESSION["errorMessage"] = "Your session has timed out or<br>you have not logged in correctly.";
header ("Location: index.php");
exit();
?>
The problem arises after the user submits the login form and the login page check to see if there is a referrer. We already determined they have the correct login information, however.
if(isset($_SESSION['redirect'])){
header ("Location: ".$_SESSION['redirect']);
}else{
header ("Location: menu.php");
}
I would think that logically, when the timeout page sets the variable with $_SERVER['HTTP_REFERER'];, it would set it to the page that redirected to timeout.php, in this case displayData.php. However it seems that instead, it sets it to the referrer of displayData.php (which could be anything, but it is not what we want to send the user to).
Is this the intended effect of HTTP_REFERER, to not update if there was a header redirect? If so, that sucks and i need to rewrite about 80 files to change the login/timeout system. I hope there would be an easier way. We would have done this in a function based system, but we are currently trying to extend legacy code.
Thanks much.
Edit:
To be slightly more clear here.
Think of it in a folder, /admin/. displayData.php is one of many files that can be accessed only by logging in (So we don't know what specific page they were trying to access when it detected they weren't logged in). Every one of these pages redirects to timeout.php when the session expires (or if there wasn't a session at all), therefor I want timeout.php to be able to determine the page that was previously accessed without a session, and then save that information so it can be used later to redirect the user back to the original page they requested on our site.
The reason I want to do it through the timeout.php file is because there are many files just like displayData.php, and I don't want to edit every single one of them to improve the system if i don't have to, for the time being.
If this still isn't clear enough, let me know.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
HTTP_REFERER 旨在纯粹提供信息,由浏览器而不是服务器设置。这意味着它可以是空白的或完全是其他东西。它也可以由用户操纵。如果可能的话最好不要依赖它。
为什么不直接在页面重定向到会话检查脚本之前设置
$_SESSION['redirect']呢?就此而言,为什么要重定向呢?您可以在脚本中包含几乎未修改的 timeout.php,并使用$_SERVER['PHP_SELF']变量来确定应设置的$_SESSION['redirect']到。HTTP_REFERER is intended to be purely informational and is set by the browser not the server. This means that it can be blank or something else entirely. It can also be manipulated by the user. It's best not to rely on it if possible.
Why not just set
$_SESSION['redirect']when you're actually on a page before it redirects to the session check script? For that matter why redirect at all? You could include the timeout.php almost unmodified in the script and use the$_SERVER['PHP_SELF']variable to determine what$_SESSION['redirect']should be set to.