dongluxin2452 2018-05-28 18:14
Views: 105
Accepted

Admin, teacher and student: if the student has not logged out and you open a new tab and try to access the admin pages, you bypass the login

I have created a project that has admin, teacher and student. They all have login forms and redirect to different pages based on who logged in, thus I have 3 folders: a student folder, an admin folder and a teacher folder, and after each one logs in the page will take them to the appropriate pages in their folders, but without destroying the session it redirects the user to the contents of admin pages. Personally I think it is because I put

<?php
session_start();
// Only checks that *someone* is logged in; it does not check *who* (which role).
if (!isset($_SESSION["username"])) {
    header("Location: index.php?action=login");
    exit; // stop here, otherwise the rest of the page is still executed after the redirect header
}

to each page. Please help: what can I add to make sure that each individual user can access only what they are required to access?


1 answer

  • doushang1778 2018-05-29 22:10

    You have at least 2 issues here:

    1. You assume that opening a new tab should not share the session with other tabs. I don't remember the details of PHP sessions. But, afaik, the state is stored on the server, and it uses some magic such as cookies to figure out which session you are using. The problem is that two different tabs will hardly start a new session. In fact, the only possibility I see is if the session id is passed along with each request as a url parameter or a header - then you can pick the correct session... which is pretty seldom used because the use cases where such an approach is needed are limited. (tbh, running 2 different sessions in 2 tabs is not a very real scenario). If you really want to run separate sessions on the same machine, you can try to run several incognito windows.
    2. The second, more important issue is the logic behind your application. The possibility of going to any page once you have passed the login for any of the users means that the ritual of providing 3 logins into your system is totally useless, since there are no internal checks of whether the user has rights to go to one page or another. The proper thing to do is, once you have logged in, to store the role (student, teacher, admin) as a session parameter. Then, on each page you should verify not only that the user name is set, but that the stored role matches the role definition needed to view this particular page. If the role does not match, then you should handle it appropriately. You may log the user out, or display an access error message and provide a link to redirect to an allowed page.
    This answer was selected by the asker as the best answer.
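The role check the answer describes, written out as an added example (it is not code from the question or the answer). The helper names `login_user()` and `require_role()`, the page path `admin/dashboard.php` and the role strings are assumptions; the point is that every page inside the admin/, teacher/ or student/ folder demands its own role, not just any logged-in username.

```php
<?php
// Added example: role-aware session checks for a three-role PHP application.
// Call login_user() from the login handler after the credentials have been verified.
function login_user(string $username, string $role): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New session id on login so an id captured before login cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $role;   // assumed values: 'student', 'teacher' or 'admin'
}

// Put this at the top of every page, passing the role that folder is meant for.
function require_role(string $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Not logged in at all: send to the login form and stop executing this page.
    if (!isset($_SESSION['username'], $_SESSION['role'])) {
        header('Location: index.php?action=login');
        exit;   // without exit the page body below would still be sent
    }
    // Logged in, but as the wrong role: refuse, and offer the page this role is allowed to use.
    if ($_SESSION['role'] !== $required) {
        $home = [   // assumed landing pages per role
            'student' => 'student/index.php',
            'teacher' => 'teacher/index.php',
            'admin'   => 'admin/index.php',
        ];
        http_response_code(403);
        $allowed = $home[$_SESSION['role']] ?? 'index.php?action=login';
        echo 'Access denied: this page requires the '
            . htmlspecialchars($required, ENT_QUOTES, 'UTF-8') . ' role. '
            . '<a href="' . htmlspecialchars($allowed, ENT_QUOTES, 'UTF-8') . '">Go to your pages</a>';
        exit;
    }
}

function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();   // the browser's session cookie now refers to nothing on the server
}

// Example usage at the top of admin/dashboard.php (assumed file):
require_role('admin');
```

A student who is logged in and opens an admin page in a new tab now shares the same session, as the answer explains, but that session carries `role = 'student'`, so the admin page refuses it instead of serving its content.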
