用Session对Web页面进行保护
session|web|页面
在很多时候,我们都要对某些Web 页面进行安全保护。典型的例子就是前台浏览页面与后台管理页面的安全性。这也是 WEB 上用得最多的一种页面安全模式。在用PHP4 开发一个小型的书籍管理系统中,我也遇到了这个安全问题。于是我想到了PHP4 的新特性----Session ..
要求目的:同一站点,无权用户,一般授权用户和超级用户能看到和使用不同的页面。
实现办法:在要保护的页面 include 不同级别的安全检验摸板。
注意事项:
1 > 要避免用户浏览器不使用 cookie 而不能浏览受保护的页面(session 默认使用客户端的 cookie).
2 > 要防止权限被盗用。( PHP 4 的 session 的默认存活期间是从建立 session 开始到关闭浏览器为止。)
如何使用:
1 > 在需要一般保护的页面的代码最前边加上 include ("secturity2.php"); 就行了
2 > 在需要特殊保护的页面的代码最前边加上 include ("secturity1.php"); 和 include ("secturity2.php"); 就行了
(假设所有文件都在同一个文件夹里)
程序代码及详细解释:
security1.php 特殊用户页面保护摸板
security2.php 一般用户页面保护摸板
login2.php 用户登陆页面
我们先来看 login2.php (用户登陆页面)的代码:
session_register("user");#增加用户名变数
session_register("password"); #增加密码变数
session_register("tmLast"); #增加时间变数
if($user==""){#判断是否是第一次登陆
$error="Chooseyounameandinputthepasswordplease!";
}
$tmLast=date("U"); #记录登陆时间
if($user1)
$user=trim($user1); #记录用户名(引用user1变量是为什么?请读者自己思考。)
$password=trim($password1); #记录密码
if($user1&&$password1){
if($password1==888){ #判断登陆密码是否是默认密码888结束 PHP 程式
$sid="PHPSESSID=".session_id(); #保存当前session的ID号
$warning="Yourpasswordisstillthedefaultpassword888,pleasechangeit.";
header("Location:changePassword.php?$sid&warning=$warning"); #传递警告参数warning到changePassword.php 页面
exit(); #立刻结束 PHP 程式
}
if(strtolower($user)=="root"){ #判断登陆用户是否是超级用户,可以自行扩充用户
$fileName="backend_index.php";
}
else{
if(!$fileName) #判断进入登陆页面的上一页是否是受保护页面
$fileName="index.php";
}
$sid="PHPSESSID=".session_id(); #保存当前session的ID号
header("Location:$fileName?$sid); #登陆成功进入指定页面,传递当前session的ID号,防止用户不使用 cookie 而读不到 session 值
exit(); #立刻结束 PHP 程式
}
?>
LoginPage
echo"$error"; #显示登陆提示
?>
Name:
include("class/dbclass.inc"); #调用dbclass.inc类,用法和 mysql.inc 类一样
$q=newDB_Sql; #定义一个新的对象
$q->connect($Host,$Database,$User,$Password); #连接 mysql数据库
$query="selectchrUserName,chrFirstName,chrLastName".
"fromUser".
"wherechrFirstName!=''".
"orderbychrFirstName";
$q->query($query); #执行sql语句
echo"
while($q->next_record()){ #从数据库中调出一般用户
if($user==$q->f(0)) #判断是否是当前用户
$select="selected"; #是当前用户则设置为默认值
else
$select="";
echo"
ucfirst($q->f(1))."". #用户名首字大写
ucfirst($q->f(2))."";
}
echo"";
?>
Password:
security2.php (一般用户页面保护摸板):
session_register("user"); #说明同上
session_register("password");
session_register("tmLast");
if($fileName=="")
$fileName=$PHP_SELF; #记录当前页面路径
if($durtime=="")
$durtime=300; #设置 session “失效”时间
$currtime=date("U");
if(($currtime-$tmLast)>$durtime){ #判断 session是否“失效”
//session_destroy();
$error=urlencode("Seesionexpired.Loginagainplease!");
header("Location:login2.php?fileName=$fileName&error=$error&user=$user"); #跳到重新登陆页
exit();
}
else{
$tmLast=$currtime; # session 没“失效”则更新最后“登陆”时间
}
include("class/dbclass.inc");
$q=newDB_Sql;
$q->connect($Host,$Database,$User,$Password);
$query="selectidUserfromUser".
"wherechrUserName='$user'".
"andchrPasswd='$password'";
$q->query($query);
if(!$q->num_rows()){ #判断是否找到密码匹配的用户
$error=urlencode("PasswordiswrongorNoprivilegeuser.");
header("Location:login2.php?fileName=$fileName&error=$error&user=$user"); #跳到密码错误登陆页
}
else{
$sid="PHPSESSID=".session_id();
$q->next_record();
$USERID=$q->f(idUser); #保存通过验证用户的ID号,方便以后使用
}
?>
security1.php (特殊用户页面保护摸板):
session_register("user"); #说明同上
$privilege="root,macro,jackie"; #设置超级用户名单列表,用“,”隔开
$pieces=explode(",",$privilege); #取得单个超级用户名单
for($i=0;$i
$hasPrivilege=1;
break; #跳出判断循环
}
}
if(!$hasPrivilege){
if($fileName=="")
$fileName=$PHP_SELF;
$error=urlencode("Youhavenoprivilegetoviewthispage!");
header("Location:login2.php?fileName=$fileName&error=$error&id=$id");
exit(); #跳到无权用户登陆页面
}
?>
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1387
52
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
