How do I deal with users clearing sessions when I use sessions to restrict access to pages?

I have a page that I restrict access to by checking if a certain session variable is set. But then again, users can clear that session variable and now have access to the page.

What can I do to prevent this? I am using PHP.


...you set the session variable for people who are allowed to access the page, instead of vice-versa?


Deny all, allow some.

Assume people without a session are not allowed.


Well, normally users can't clear the variable itself (unless your code does it for them) but can only delete the session cookie itself, which would destroy the whole session (and now you could restrict access).


In a PHP header at the TOP of the various pages you want to restrict access to, you'd put something like the following:

<?php
   session_start(); // start the session
   if (!isset($_SESSION['allowaccess']) || ($_SESSION['allowaccess'] == FALSE)) {
      // if the access token is not present or the token is false, then...
      echo "Access denied.";
      exit();
   }
?>

<h1>Super Seekrit Data</h1>

<p>yada yada yada</p>

This way, if the users clear their cookies or log out or whatever, the pages with this type of code will now deny access. Of course, they might still have a cached copy present on their end and can see the content until such time as the cache expires, but that's another problem to solve.
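As an added example (not code from any of the answers above), here is a deny-by-default gate in PHP that combines the points made in this thread: the session value is set only by a successful login, every restricted page checks for it before sending any output, and the response is marked uncacheable to close the cached-copy gap mentioned above. The file name auth.php, the inline user store and the sample password are assumptions for the example.

```php
<?php
// Added example: deny-by-default session gate (auth.php), included at the
// top of every restricted page. Assumes HTTPS in production.
declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session id
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample credential store; a real application would use a database.
function sampleUsers(): array
{
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// Only a successful login ever sets $_SESSION['user']; nothing else does.
function login(string $username, string $password): bool
{
    $users = sampleUsers();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on privilege change (session fixation defence)
    $_SESSION['user'] = $username;
    return true;
}

// Gate for restricted pages: no session value means no access ("deny all, allow some").
function requireLogin(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('Access denied.');
    }
    // Tell browsers and proxies not to keep a copy of the restricted page.
    header('Cache-Control: no-store, private');
    header('Pragma: no-cache');
}

// Logout: clear the data, expire the cookie, destroy the server-side session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A restricted page then begins with `require 'auth.php'; requireLogin();` before emitting any HTML, so a cleared or expired session is denied rather than let through.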
