In many cases we have to protect some web pages. A typical example is separating the public front-end pages from the back-end admin pages, which is one of the most common page-security patterns on the web. I ran into the same problem while developing a small book-management system in PHP4, and that led me to one of PHP4's new features: sessions.
Requirement: on the same site, unauthenticated visitors, ordinary authenticated users and privileged users should see and be able to use different pages.
Implementation: each page that needs protection includes a security-check template of the appropriate level.
Precautions:
1) A user whose browser does not accept cookies must still be able to reach the protected pages (by default a session is tracked through a client cookie).
2) Permissions must not be hijacked. (By default a PHP4 session lives from the first session call until the browser is closed.)
How to use:
1) For a page that needs ordinary protection, add include("security2.php"); at the top of the page.
2) For a page that needs special protection, add include("security1.php"); followed by include("security2.php"); at the top of the page.
(This assumes all files are in the same folder.)
Program code and explanation:
security1.php: protection template for privileged-user pages
security2.php: protection template for ordinary-user pages
login2.php: user login page
First, the code for login2.php (the user login page):
<?php
session_register("user");      # register the user-name session variable
session_register("password");  # register the password session variable
session_register("tmLast");    # register the time-stamp session variable (the name must match $tmLast below: PHP variable names are case-sensitive)
if ($user == "") {             # first visit to the login page
    $error = "Choose your name and input the password please!";
}
$tmLast = date("U");           # record the login time
if ($user1) {
    $user = trim($user1);      # record the user name (why is the form field called user1 rather than user? Readers are invited to think about it.)
    $password = trim($password1);  # record the password
}
if ($user1 && $password1) {
    if ($password1 == "888") {     # the default password 888 is still in use: force a change and stop here
        $sid = "PHPSESSID=" . session_id();   # carry the current session id in the URL
        $warning = "Your password is still the default password 888, please change it.";
        header("Location: changePassword.php?$sid&warning=" . urlencode($warning));   # pass the warning to changePassword.php
        exit();                    # stop the script immediately
    }
    if (strtolower($user) == "root") {   # is this the super user? extend this as needed
        $fileName = "backend_index.php";
    } else {
        if (!$fileName)            # was the login page reached from a protected page?
            $fileName = "index.php";
    }
    $sid = "PHPSESSID=" . session_id();   # current session id
    header("Location: $fileName?$sid");   # login succeeded: go to the target page, passing the session id in the URL so a client without cookies still finds its session
    exit();                        # stop the script immediately
}
?>
<title></title>
<link rel="stylesheet" href="Class/style.css">
<meta http-equiv="Content-type" content="text/html; charset=gb2312">
<?php
echo htmlspecialchars($error);     # show the login prompt (escaped, since it may come from the URL)
?>
<form action="<?php echo htmlspecialchars($PHP_SELF) ?>" method="post">   <!-- submit to this page -->
<p><b>Name:</b>
<?php
include("Class/dbclass.inc");      # the db_sql class, used in the same way as PHPLib's mysql.inc
$q = new db_sql;                   # new database object
$q->connect($Host, $Database, $User, $Password);   # connect to the MySQL database
$query = "SELECT chrusername, chrfirstname, chrlastname " .
         "FROM user " .
         "WHERE chrfirstname != '' " .
         "ORDER BY chrfirstname";
$q->query($query);                 # run the SQL statement
echo "<select name=\"user1\" size=\"1\">";
while ($q->next_record()) {        # list the ordinary users from the database
    if ($user == $q->f(0))         # is this the current user?
        $select = "selected";      # then make it the default choice
    else
        $select = "";
    echo "<option value=\"" . $q->f(0) . "\" $select>" .
         ucfirst($q->f(1)) . " " .         # capitalise the first letter of the first name
         ucfirst($q->f(2)) . "</option>";  # and of the last name
}
echo "</select>";
?></p>
<p><b>Password:</b> <input name="password1" type="password"></p>
<input name="tmLast" type="hidden" value="<?php echo date("U") ?>">
<input name="fileName" type="hidden" value="<?php echo htmlspecialchars($fileName) ?>">
<p><input name="submit" type="submit" value="Confirm"></p>
</form>
security2.php (protection template for ordinary-user pages):
<?php
session_register("user");          # as in login2.php
session_register("password");
session_register("tmLast");
if ($fileName == "")
    $fileName = $PHP_SELF;         # remember the current page so login2.php can send the user back here
if ($durtime == "")
    $durtime = 300;                # idle time in seconds after which the session is treated as expired
$currtime = date("U");
if (($currtime - $tmLast) > $durtime) {   # has the session expired?
    session_destroy();
    $error = urlencode("Session expired. Login again please!");
    header("Location: login2.php?fileName=$fileName&error=$error&user=" . urlencode($user));   # back to the login page
    exit();
} else {
    $tmLast = $currtime;           # still valid: refresh the last-activity time
}
include("Class/dbclass.inc");
$q = new db_sql;
$q->connect($Host, $Database, $User, $Password);
$query = "SELECT iduser FROM user " .
         "WHERE chrusername = '" . addslashes($user) . "' " .
         "AND chrpasswd = '" . addslashes($password) . "'";   # escape quotes so the session values cannot change the meaning of the query
$q->query($query);
if (!$q->num_rows()) {             # no user with this name and password
    $error = urlencode("Password is wrong or no privilege user.");
    header("Location: login2.php?fileName=$fileName&error=$error&user=" . urlencode($user));   # back to the login page with the error
    exit();                        # must stop here, otherwise the protected page is still rendered after the redirect header
} else {
    $sid = "PHPSESSID=" . session_id();
    $q->next_record();
    $USERID = $q->f("iduser");     # keep the verified user's id for later use
}
?>
security1.php (protection template for privileged-user pages):
<?php
session_register("user");          # as in login2.php
$privilege = "root,macro,jackie";  # list of super-user names, separated by ","
$pieces = explode(",", $privilege);   # split into the individual names
$hasPrivilege = 0;                 # initialise the flag so it cannot carry a value from the request
for ($i = 0; $i < count($pieces); $i++) {
    if (strtolower($user) == $pieces[$i]) {   # is this a super user?
        $hasPrivilege = 1;
        break;                     # no need to check the rest
    }
}
if (!$hasPrivilege) {
    if ($fileName == "")
        $fileName = $PHP_SELF;
    $error = urlencode("You have no privilege to view this page!");
    header("Location: login2.php?fileName=$fileName&error=$error&user=" . urlencode($user));
    exit();                        # unauthorised: send the user to the login page
}
?>
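As an added example (not part of the original article or its code), here are the same two checks plus the login step written for PHP 7+, keeping the session state in $_SESSION on the server, verifying the password with a prepared statement and password_verify(), and relying on the session cookie rather than a session id in the URL. It assumes a PDO handle $db and the article's user table (chrusername, chrpasswd, iduser), with chrpasswd holding password_hash() output instead of a plaintext password.

```php
<?php
// Added example, not the article's code: security1.php + security2.php + the
// login step for PHP 7+. Assumes a PDO handle $db and the article's "user"
// table (chrusername, chrpasswd = password_hash() output, iduser).
session_start();
define('IDLE_TIMEOUT', 300);                      // same 300 s window as $durtime
$privileged = array('root', 'macro', 'jackie');   // same list as security1.php
function back_to_login($message)
{
    header('Location: login2.php?fileName=' . urlencode($_SERVER['PHP_SELF'])
         . '&error=' . urlencode($message));
    exit();
}
// Include-style guard for a protected page; returns the verified user id.
function require_login($needPrivilege = false)
{
    global $privileged;
    // The timestamp lives in $_SESSION on the server, not in a hidden field
    // or a URL parameter, so the client cannot extend its own idle window.
    if (empty($_SESSION['iduser']) || empty($_SESSION['tmLast'])
        || time() - $_SESSION['tmLast'] > IDLE_TIMEOUT) {
        $_SESSION = array();
        session_destroy();
        back_to_login('Session expired. Login again please!');
    }
    $_SESSION['tmLast'] = time();
    // Privilege check against the name verified at login, not a request value.
    if ($needPrivilege && !in_array(strtolower($_SESSION['user']), $privileged, true)) {
        back_to_login('You have no privilege to view this page!');
    }
    return $_SESSION['iduser'];
}
// Called from login2.php once the form is posted; the password itself is never
// stored in the session, only the verified id and name.
function login($db, $user, $password)
{
    $st = $db->prepare('SELECT iduser, chrpasswd FROM user WHERE chrusername = ?');
    $st->execute(array($user));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['chrpasswd'])) {
        return false;
    }
    session_regenerate_id(true);                  // fresh session id after login
    $_SESSION['iduser'] = $row['iduser'];
    $_SESSION['user']   = $user;
    $_SESSION['tmLast'] = time();
    return $row['iduser'];
}
```

A protected page calls require_login() at the top, and a privileged page calls require_login(true); the article's two include files collapse into that one argument.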
Macro Zeng retains full rights of interpretation over the above program.