doulin6088 2013-01-03 07:14
浏览 89
已采纳

使用Ajax和标头重定向记录错误

I am trying to make something where if a user tries to execute a function in my system when they are not logged in, it will popup a message saying they can't do it because they aren't logged in. They are then sent to the login screen when they press ok.

I also want it to redirect users back to the login screen if they type the url in directly, but this time without an error message.

I have:

$components = explode('/', $url, 3) ;

if(!isset($_SESSION['loggedin']) && $components[0] != 'access' && $components[0] != 'login')
    {

        echo json_encode('{"error": 2000, "msg": "You must be logged in to do that."}') ;
        return false ;
}

Which is fine for Ajax, but wouldn't work if the url was typed in. The $components[0] != 'access' etc is to just stop this condition executing if the user is on the login screen.

How can I do this without the header location effecting the Ajax call and also not simply echoing the error message when the user visits a forbidden url?

  • 写回答

2条回答 默认 最新

  • downloadTemp2014 2013-01-03 12:52
    关注

    How can I do this without the header location effecting the Ajax call and also not simply echoing the error message when the user visits a forbidden url?

    There are multiple ways to achieve this, let's discuss two here:

    Check the referer

    First of all, you could check the HTTP referer, browsers sends the URL of the page which linked to the current page as HTTP header.

    Take a look at this (shortened) HTTP request to http://foo.invalid/blah/?action=newfolder.php, when a user clicks on a form/link.

    Request

    Request URL:http://foo.invalid/blah/?action=newfolder.php
    Request Method:POST
    

    Headers

    Content-Type:application/x-www-form-urlencoded; charset=UTF-8
    Host:foo.invalid
    Referer:http://foo.invalid/
    

    You can see that there is the "Referer" field, if a user opens directly http://foo.invalid/blah/?action=newfolder.php, there won't be the referer field.

    Source

    <?php 
    if (empty($_SERVER['HTTP_REFERER'])) {
        // Redirect to login (Referer empty)
    } else {
        // Show JSON warning (Referer not empty)
    }
    ?>
    

    However, this solution is not that reliable, as some users disable or fake the referer for privacy reasons.

    Add a custom HTTP header field

    A better way would be to send a custom HTTP header, please note that you can only add custom HTTP headers to AJAX requests. Some libraries like JQuery already add the custom header for you.

    Source (XMLHttpRequest)

    var r = new XMLHttpRequest();
    r.open('get', '/blah/?action=newfolder.php');
    r.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    r.send(null);
    

    Now the request will contain the custom X-Requested-With header, if the header is missing you can assume that the page was opened by entering the URL.

    <?php 
    if (empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
        // Redirect to login (X-Requested-With empty)
    } else {
        // Show JSON warning (X-Requested-With not empty)
    }
    ?>
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 webSocket可以接TCP socket接口吗
  • ¥60 mpi并行出错,CFD++计算
  • ¥15 c#:vsto,powerpoint的外接程序中换主题颜色
  • ¥15 状态机/汽车转向灯/Sateflow
  • ¥15 这个有点复杂 有没有人看看
  • ¥15 用python如何确定子孙元素在父元素中的位置
  • ¥15 obj文件滤除异常高程
  • ¥15 用mathematicas或者matlab计算三重积分
  • ¥15 Loop unrolling的runtime计算
  • ¥100 NVMe-oF的Target端,开启attr_offload后,测试失败。