doulin6088 2013-01-03 07:14
浏览 89
已采纳

使用Ajax和标头重定向记录错误

I am trying to make something where if a user tries to execute a function in my system when they are not logged in, it will popup a message saying they can't do it because they aren't logged in. They are then sent to the login screen when they press ok.

I also want it to redirect users back to the login screen if they type the url in directly, but this time without an error message.

I have:

$components = explode('/', $url, 3) ;

if(!isset($_SESSION['loggedin']) && $components[0] != 'access' && $components[0] != 'login')
    {

        echo json_encode('{"error": 2000, "msg": "You must be logged in to do that."}') ;
        return false ;
}

Which is fine for Ajax, but wouldn't work if the url was typed in. The $components[0] != 'access' etc is to just stop this condition executing if the user is on the login screen.

How can I do this without the header location effecting the Ajax call and also not simply echoing the error message when the user visits a forbidden url?

  • 写回答

2条回答 默认 最新

  • downloadTemp2014 2013-01-03 12:52
    关注

    How can I do this without the header location effecting the Ajax call and also not simply echoing the error message when the user visits a forbidden url?

    There are multiple ways to achieve this, let's discuss two here:

    Check the referer

    First of all, you could check the HTTP referer, browsers sends the URL of the page which linked to the current page as HTTP header.

    Take a look at this (shortened) HTTP request to http://foo.invalid/blah/?action=newfolder.php, when a user clicks on a form/link.

    Request

    Request URL:http://foo.invalid/blah/?action=newfolder.php
Request Method:POST

    Headers

    Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:foo.invalid
Referer:http://foo.invalid/

    You can see that there is the "Referer" field, if a user opens directly http://foo.invalid/blah/?action=newfolder.php, there won't be the referer field.

    Source

    <?php 
if (empty($_SERVER['HTTP_REFERER'])) {
    // Redirect to login (Referer empty)
} else {
    // Show JSON warning (Referer not empty)
}
?>

    However, this solution is not that reliable, as some users disable or fake the referer for privacy reasons.

    Add a custom HTTP header field

    A better way would be to send a custom HTTP header, please note that you can only add custom HTTP headers to AJAX requests. Some libraries like JQuery already add the custom header for you.

    Source (XMLHttpRequest)

    var r = new XMLHttpRequest();
r.open('get', '/blah/?action=newfolder.php');
r.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
r.send(null);

    Now the request will contain the custom X-Requested-With header, if the header is missing you can assume that the page was opened by entering the URL.

    <?php 
if (empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
    // Redirect to login (X-Requested-With empty)
} else {
    // Show JSON warning (X-Requested-With not empty)
}
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 metadata提取的PDF元数据,如何转换为一个Excel
  • ¥15 关于arduino编程toCharArray()函数的使用
  • ¥100 vc++混合CEF采用CLR方式编译报错
  • ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
  • ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
  • ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
  • ¥50 如何openEuler 22.03上安装配置drbd
  • ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
  • ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
  • ¥15 Windows11, backspace, enter, space键失灵