$_SESSION not storing data in PHP
I developed an application using WAMP and it worked perfectly. As usual, when I moved it to the server it stopped working. The problem is that when I log in it is meant to redirect me to the relevant page, depending on the admin field in the database. By default everyone receives 0 in the database.

Here is my login.php:
<?php
// First we execute our common code to connect to the database and start the session
require("common.php");
error_reporting(E_ERROR | E_PARSE);

// This variable will be used to re-display the user's username to them in the
// login form if they fail to enter the correct password. It is initialized here
// to an empty value, which will be shown if the user has not submitted the form.
$submitted_username = '';
$admin = 'false';

// This if statement checks to determine whether the login form has been submitted
// If it has, then the login code is run, otherwise the form is displayed
if (!empty($_POST)) {
    // This query retrieves the user's information from the database using
    // their username.
    $query = "
        SELECT
            id,
            username,
            password,
            salt,
            email,
            admin,
            name,
            sso
        FROM users
        WHERE
            username = :username
    ";

    // The parameter values
    $query_params = array(
        ':username' => $_POST['username']
    );

    try {
        // Execute the query against the database
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    } catch (PDOException $ex) {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code.
        die("Failed to run query: " . $ex->getMessage());
    }

    // This variable tells us whether the user has successfully logged in or not.
    // We initialize it to false, assuming they have not.
    // If we determine that they have entered the right details, then we switch it to true.
    $login_ok = false;

    // Retrieve the user data from the database. If $row is false, then the username
    // they entered is not registered.
    $row = $stmt->fetch();
    if ($row) {
        // Using the password submitted by the user and the salt stored in the database,
        // we now check to see whether the passwords match by hashing the submitted password
        // and comparing it to the hashed version already stored in the database.
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        for ($round = 0; $round < 65536; $round++) {
            $check_password = hash('sha256', $check_password . $row['salt']);
        }
        if ($check_password === $row['password']) {
            // If they do, then we flip this to true
            $login_ok = true;
        }
    }

    // If the user logged in successfully, then we send them to the private members-only page
    // Otherwise, we display a login failed message and show the login form again
    if ($login_ok) {
        $admin = $row['admin'];
        // Here I am preparing to store the $row array into the $_SESSION by
        // removing the salt and password values from it. Although $_SESSION is
        // stored on the server-side, there is no reason to store sensitive values
        // in it unless you have to. Thus, it is best practice to remove these
        // sensitive values first.
        unset($row['salt']);
        unset($row['password']);

        // This stores the user's data into the session at the index 'user'.
        // We will check this index on the private members-only page to determine whether
        // or not the user is logged in. We can also use it to retrieve
        // the user's details.
        $_SESSION['user'] = $row;
        $_SESSION['admin'] = $row;
        $_SESSION['name'] = $row;
        $_SESSION['sso'] = $row;
        ob_start();

        // Redirect the user to the private members-only page.
        if ($admin == 1) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/outageNotification.php">';
            //header("Location: admin.php");
        }
        if ($admin == 0) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/private2.php">';
        }
        if ($admin == 2) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/super.php">';
            //Below is for Local
            // header("Location: super.php");
        }
        if ($admin == 3) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/outageNotification.php">';
            //header("Location: admin.php");
        }
        if ($admin == 4) {
            echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/super.php">';
            // header("Location:super.php");
        }
        // die("Now redirecting....");
    } else {
        // Tell the user they failed
        print("Login Failed.");

        // Show them their username again so all they have to do is enter a new
        // password. The use of htmlentities prevents XSS attacks. You should
        // always use htmlentities on user submitted values before displaying them
        // to any users (including the user that submitted them). For more information:
        // http://en.wikipedia.org/wiki/XSS_attack
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
}
?>
<html>
<head>
</head>
<body>
    <form action="login.php" method="post">
        Username:<br/>
        <input type="text" name="username" value="<?php echo $submitted_username; ?>"/>
        <br/><br/>
        Password:<br/>
        <input type="password" name="password" value=""/>
        <br/><br/>
        <input type="submit" class="btn btn-primary btn-lg" role="button" value="Login"/>
    </form>
</body>
</html>
When I log in, I am told that I do not have permission to view my page. When I var_dump the session, I see that it is empty:
<?php
// First we execute our common code to connect to the database and start the session
require("common.php");

// At the top of the page we check to see whether the user is logged in or not
if (empty($_SESSION['user'])) {
    // If they are not, we redirect them to the login page.
    echo '<meta http-equiv="refresh" content="0;url=http://ocat.uat.cse.comfin.ge.com/notifcation%20system/login.php">';
    // Remember that this die statement is absolutely critical. Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}
if (($_SESSION['user']['admin'] == 1) || ($_SESSION['user']['admin'] == 2)) {
    die("you do not have permission to view this page. Please press the back button in your browser.");
}

// Everything below this point in the file is secured by the login system
// We can display the user's username to them by reading it from the session array. Remember that because
// a username is user submitted content we must use htmlentities on it before displaying it to the user.
$con = mysql_connect("", "", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
Check the return value of session_start(). If something prevents the session from starting, it returns boolean false. Then check session_id() on every request. As long as you are not using session_regenerate_id(), the id value should stay the same. If it is changing, you have a session cookie problem and are getting a brand-new, clean session every time. I would suggest enabling error_reporting(E_ALL | E_STRICT) to debug any errors that were not obvious before.

Shouldn't you be starting the session earlier? Specifically, before the headers are sent.

You are correct. However, it only gives a warning and shouldn't affect whether it works.
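The checks the answer describes (session_start() return value, a stable session id across reloads, full error reporting), written out as an added PHP diagnostic that is not code from the original thread. The file name session_check.php and the `_debug_hits` session key are assumptions of this example.

```php
<?php
// Added example (not code from the original thread): a stand-alone diagnostic for the
// "$_SESSION is empty after the redirect" symptom, following the answer above. Save it
// next to login.php (the file name session_check.php and the '_debug_hits' key are
// assumptions of this example) and load it two or three times in the same browser.
error_reporting(E_ALL); // E_STRICT has been part of E_ALL since PHP 5.4
ini_set('display_errors', '1');

// The session cookie is an HTTP header, so session_start() must run before any output;
// a blank line or BOM before the opening PHP tag in common.php is enough to break it.
if (headers_sent($file, $line)) {
    die("Output already started at $file:$line, so the session cookie cannot be set");
}
// session_start() returns false (with a warning) when the session cannot start,
// e.g. because session.save_path is not writable on the new server.
if (session_start() === false) {
    die('session_start() failed; check session.save_path and the warning above');
}

$sent    = isset($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : null;
$current = session_id();
$_SESSION['_debug_hits'] = isset($_SESSION['_debug_hits']) ? $_SESSION['_debug_hits'] + 1 : 1;
$cookie  = session_get_cookie_params();

header('Content-Type: text/plain');
echo "save_path      : ", (ini_get('session.save_path') ?: sys_get_temp_dir()), "\n";
echo "cookie path    : ", $cookie['path'], "  domain: ", $cookie['domain'], "\n";
echo "id from cookie : ", $sent === null ? '(none)' : $sent, "\n";
echo "id in use      : ", $current, "\n";
echo "hits stored    : ", $_SESSION['_debug_hits'], "\n";

// Without session_regenerate_id() the id must be identical on every reload and the hit
// counter must climb. If it resets to 1 each time, every request is getting a fresh,
// empty session, which is exactly what an empty var_dump($_SESSION) looks like.
if ($sent === null) {
    echo "NOTE: no session cookie arrived. Normal on the first request; on a reload it\n";
    echo "      means the browser is not returning the cookie (check path/domain above).\n";
} elseif ($sent !== $current) {
    echo "WARNING: browser sent $sent but PHP started $current: the stored session was not\n";
    echo "         found, so session.save_path is probably unreadable or wrong for this host.\n";
}
```

Once the id and hit counter are stable across reloads, the session layer itself is working and the remaining suspects are common.php and the redirect pages.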