PHP - 拒绝访问页面不起作用

Question

我有一个简单的登录/注销脚本，您应该无法直接访问我称为“success.php”的特定页面。我不知道这是否是某个地方的拼写错误，或者我的会话是否无法正常工作。

index.php

<?php

// Start the session
session_start();

// Defines username and password. Retrieve however you like,
$username = "user";
$password = "pw";

// Error message
$error = "";

// Checks to see if the user is already logged in. If so, refirect to correct page.
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
    $error = "success";
    header('Location: success.php');
} 

// Checks to see if the username and password have been entered.
// If so and are equal to the username and password defined above, log them in.
if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] == $username && $_POST['password'] == $password) {
        $_SESSION['loggedIn'] = true;
        setcookie('userName', $_POST['username'], time()+3600); // Expiring after 2 hours
        header('Location: success.php');
    } else {
        $_SESSION['loggedIn'] = false;
        $error = "<p style='color:red;font-size:11px;'>Invalid username and/or password!</p>";
    }
}

<div class="col-md-3 col-lg-2 col-sm-6 col-xs-6">
    <div class="form-login">
        <form method="post" action="index.php">
        <h4 style="color: #FFF;">S-Files</h4>
        <input type="text" name="username" class="form-control" placeholder="username" maxlength="40" autofocus required />
        <br />
        <input id="password" type="password" name="password" class="form-control" placeholder="password" maxlength="15" required />
        <br />
        <div class="wrapper">
            <span class="group-btn">
                <button type="submit" name="submit" class="btn btn-primary btn-md">login <i class="fa fa-sign-in" ></i></button>
            </span>
        </div>
        </form>
        <!-- Output error message if any -->
    <?php echo $error; ?>
    </div>
</div>

成功.php

<?php
// Start the session
session_start();
// ob_start();

// Check to see if actually logged in. If not, redirect to login page
if (!isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == false && !isset($_COOKIE['userName'])) 
{
    header('Location: index.php');
}

注销.php

<?php
session_start();
$_SESSION['loggedIn'] = false;
unset($_SESSION);

// Delete cookie
if (isset($_COOKIE['userName'])) 
{
unset($_COOKIE['userName']);
    setcookie('userName', '', time() - 3600); // empty value and old 
timestamp
}

// Unset all of the session variables. 
$_SESSION = array(); 

// If it's desired to kill the session, also delete the session cookie. 
// Note: This will destroy the session, and not just the session data! 
if (ini_get("session.use_cookies")) { 
    $params = session_get_cookie_params(); 
    setcookie(session_name(), '', time() - 42000, 
        $params["path"], $params["domain"], 
        $params["secure"], $params["httponly"] 
        ); 
} 

// Finally, destroy the session. 
session_destroy(); 
header("Location: index.php");

所以我的问题是用户可以输入 url /success.php 并查看其中的内容而无需登录，我希望他们被重定向到 index.php 如果他们没有经过身份验证。我做错了什么？

Answer 1

我打开错误报告并收到 500 错误：“警告：无法修改标头信息 - 标头已由...在第 3 行发送...blabla...”。我删除了第 3 行的代码并将其粘贴到上面的行中，它可以工作。最小的问题，总是最大的。我想这与它自动添加一些奇怪的隐形符号到那条线或类似的东西有关。 this stack-thread帮了我一大忙！

另外，感谢所有回复！

Answer 2

您的条件是错误的，因为您使用AND 而不是OR 进行会话检查，您不能在“会话需要不存在”和“会话需要设置为”之间组合FALSE"，设置为FALSE 的会话为!isset($_SESSION['loggedIn]) 返回一个false，因此整个条件将是false，并且不会重定向用户。 所以你可以这样改变你的代码：

 session_start();

    if(isset($_SESSION['loggedIn'])
    {
        if($_SESSION['loggedIn'] != true)
        {
            header("location:index.php");
        }
    }
    else
    {
        header("location:index.php");
    }