dongluxin2452
2018-05-28 18:14
Views 101
Accepted

Admin, teacher and student: if the student has not logged out and you open a new tab trying to access the admin area, you bypass the login

I have created a project that has admin, teacher and student. They all have login forms and redirect to different pages based on who logged in, thus I have 3 folders: a student folder, an admin folder and a teacher folder, and after each one logs in the page will take them to the appropriate pages in their folders, but without destroying the session it redirects the user to the contents of the admin pages. Personally I think it is because I put

session_start();
// Only checks that *someone* is logged in; it does not check which role that user has.
if(!isset($_SESSION["username"])){
    header("Location: index.php?action=login");
    exit; // stop rendering the protected page after the redirect header
}

to each page. Please help: what can I add to make sure that each individual user can access only what they are required to access?



1 answer

  • doushang1778 2018-05-29 22:10
    Accepted

    You have at least 2 issues here:

    1. You assume that opening a new tab should not share the session with other tabs. I don't remember the details on PHP sessions. But, afaik, the state is stored on the server, and it uses some magic such as cookies to figure out what is the session that you are using. The problem is that two different tabs will hardly start a new session. In fact, the only possibility I see is if the session id is passed along with each request as a URL parameter or a header - then you can pick the correct session... which is pretty seldom used because the use cases where such an approach is needed are limited. (tbh, running 2 different sessions in 2 tabs is not a very realistic scenario). If you really want to run separate sessions on the same machine, you can try running several incognito windows.
    2. The second, more important issue is the logic behind your application. The possibility of going to any page once you have passed the login for any of the users means that the ritual of providing 3 logins to your system is totally useless, since there are no internal checks of whether the user has the rights to go to one page or another. The proper thing to do is, once you are logged in, to store the role (student, teacher, admin) as a session parameter. Then, on each page you should verify not only that the user name is set, but that the stored role matches the role definition needed to view this particular page. If the role does not match, then you should handle it appropriately. You may log the user out, or display an access error message and provide a link to redirect to an allowed page.
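The role check the answer describes, written out as an added example (it is not the asker's project code or the answerer's code). It assumes the layout from the question: index.php?action=login handles the login forms, and the admin/, teacher/ and student/ folders each include one shared auth.php. The function names login_user, require_role and logout_user, and the redirect targets, are assumptions for illustration.

```php
<?php
// auth.php (assumed shared file, included by every protected page).
declare(strict_types=1);

const ROLES = ['admin', 'teacher', 'student'];

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // HttpOnly keeps the session cookie away from page scripts.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Call from the login handler only after the password has been verified
// against the database and the account's role has been read from it.
function login_user(string $username, string $role): void
{
    if (!in_array($role, ROLES, true)) {
        throw new InvalidArgumentException("unknown role: $role");
    }
    start_session_once();
    // Fresh session id after authentication, so an id issued before login
    // cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $role;   // the role is now part of the session, not the URL
}

// Put require_role('admin'); at the top of every page in admin/, and likewise
// require_role('teacher') and require_role('student') in the other folders.
function require_role(string $requiredRole): void
{
    start_session_once();

    // Not logged in at all: send to the login form, then stop rendering.
    if (!isset($_SESSION['username'], $_SESSION['role'])) {
        header('Location: /index.php?action=login');
        exit;
    }

    // Logged in, but as a different role: this is the case the original
    // check missed. Deny and point the user at their own area.
    if ($_SESSION['role'] !== $requiredRole) {
        http_response_code(403);
        $own = htmlspecialchars($_SESSION['role'], ENT_QUOTES, 'UTF-8');
        echo 'Access denied: this area is for ', htmlspecialchars($requiredRole, ENT_QUOTES, 'UTF-8'),
             ' accounts only. <a href="/', $own, '/">Go to your own pages</a>';
        exit;
    }
}

function logout_user(): void
{
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- usage in admin/dashboard.php (assumed page) ---
// <?php
// require_once __DIR__ . '/../auth.php';
// require_role('admin');   // a logged-in student opening this tab now gets 403
// ... page content ...
```

The key difference from the original guard is the second `if`: a valid session for a student no longer satisfies an admin page, because the page checks the stored role, not just that a username exists. Keeping the role in `$_SESSION` rather than in a URL parameter or hidden form field matters, since anything the browser sends can be edited by the user.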
