该网站受密码保护,但访问者可以通过将其从 http://www.sitename/directory/login.php 中删除来绕过登录屏幕并直接进入索引页面。 我似乎找不到正确的代码放入索引页面以将未经身份验证的用户重定向回登录.php
<?php
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=$_POST['password'];
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "index.php";
$MM_redirectLoginFailed = "login.php";
$MM_redirecttoReferrer = false;
mysql_select_db($database_name, $name);
$LoginRS__query=sprintf("SELECT memberUser, MemberPass FROM administrators WHERE memberUser=%s AND MemberPass=%s",
GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
$LoginRS = mysql_query($LoginRS__query, $name) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
$loginStrGroup = "";
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
header("Location: " . $MM_redirectLoginSuccess );
}
else {
header("Location: ". $MM_redirectLoginFailed );
}
}
?>
如何声明一个会话变量,并检查索引页面上是否存在该变量。如果不存在,请重定向到登录页面。
登录.php
<?php
Session_start();
//Successful login
$_SESSION['logged_in']=TRUE;
?>
索引.php
<?php
if(!isset($_SESSION['logged_in'])){
Header('Location: login.php');
}
?>
这样做将确保没有人可以在不首先被定向到登录页面的情况下访问索引页。