dowbwrr3590709 2014-10-06 14:08
浏览 151
已采纳

session_start()在每次重新加载时创建新会话

I've read this before:

How to fix “Headers already sent” error in PHP

I have a session page, when I refresh/reload it, it creates a new session id!

<?php

$islogin=0;
$idadmin=0;
session_start();
$sid=session_id();
include("connect.php");
$result=mysql_query("select * from session_noti where sid='$sid'",$cn);


if(mysql_num_rows($result) > 0){
    $row=mysql_fetch_object($result);

    $islogin=$row->islogin;
    $idadmin=$row->idadmin;

}else{
    if(mysql_query("insert into session_noti (sid,islogin) values ('$sid',0);")){
    }else{

    }
}

$user_cookie=@$_COOKIE["*****"];
if($user_cookie != ''){
    $user_cookie_res=mysql_query("select * from session_noti where sid='$user_cookie'");
    $user_cookie_row=mysql_fetch_object($user_cookie_res);  

    $islogin=$user_cookie_row->islogin;
    $idadmin=$user_cookie_row->idadmin;
}
?>

connect page:

<?php
$cn = mysql_connect("localhost","root","");
mysql_select_db("***");
?>

why? It works fine on localhost, when I want to upload it on server,this scenario happens.

  • 写回答

1条回答 默认 最新

  • douxueke5653 2014-10-06 14:39
    关注

    This code seems designed very poorly. Except for the usual "PHP4-style" errors (more on that later), it doesn't really make sense to me.

    1. If you're using PHP's sessions, why do you need to replicate a session table in your database? Y using session_start() you're already telling PHP to handle all that hassle.
    2. Why are you accessing users' cookies directly?

    I recommend that you stick with a design and follow it.
    Do you want to manage sessions yourself, including passing session ids, handling cookies, etc? Then don't PHP's builtin sessions (but be careful: the possibility to write flawed code here is really high).
    Do you want to use PHP's builtin sessions? Then just stick with them.

    If you want to attach to each users details like "isAdmin", you can use session variables: that's what they're made for :)

    <?php
    session_start();
    
    if(empty($_SESSION)) {
        // Redirect to login
    }
    else {
        if(empty($_SESSION['logged_in'])) {
            // Redirect to login
        }
        else {
            // User is logged in
    
            // Is admin?
            if(!empty($_SESSION['is_admin'])) {
                // YES
            }
            else {
                // NO
            }
        }
    }
    ?>
    

    There's plenty of guides and tutorials on using sessions with PHP. For example: http://www.phpro.org/tutorials/Introduction-To-PHP-Sessions.html

    Additionally, make sure that in php.ini sessions are enabled. I strongly recommend to use "cookie_only" sessions: that is, never make PHP pass the session id as GET or POST parameter. That will screw those users with cookies disabled (are there still some?), but will save all the others from being easy targets for session hijacking.

    Thus said... About your "PHP4-style" code:

    1. Don't use mysql_* functions. They're deprecated. Use MySQLi or PDO, and use prepared statements when possible. For example, the line mysql_query("select * from session_noti where sid='$user_cookie'"); is a perfect place for an SQL Injection attack.
    2. Don't use the @ operator. It's bad! Instead, just check if the variable exists with isset() or empty().
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 求一个html代码,有偿
  • ¥100 关于使用MATLAB中copularnd函数的问题
  • ¥20 在虚拟机的pycharm上
  • ¥15 jupyterthemes 设置完毕后没有效果
  • ¥15 matlab图像高斯低通滤波
  • ¥15 针对曲面部件的制孔路径规划,大家有什么思路吗
  • ¥15 钢筋实图交点识别,机器视觉代码
  • ¥15 如何在Linux系统中,但是在window系统上idea里面可以正常运行?(相关搜索:jar包)
  • ¥50 400g qsfp 光模块iphy方案
  • ¥15 两块ADC0804用proteus仿真时,出现异常