php - 自动检查登录处理程序上的用户角色,而不是检查每个页面上的会话?
问题描述
我正在尝试向我的网站添加登录信息。我在互联网上搜索示例我发现了两个登录系统
我想使用第二个,这个对我来说看起来更完整。我不是编码员,我需要你的建议。
我确实在每个受保护的页面上使用此代码检查用户角色
if(!$isLoggedIn || $_SESSION["role"] != admin) {
echo "you dont have permissions to access this page";
exit();
}elseif(!$isLoggedIn || $_SESSION["role"] != normal){
echo "you dont have permissions to access this page";
exit();
}elseif(!$isLoggedIn || $_SESSION["role"] != notactive){
echo "you must update your account";
exit();
}
第一个问题。如何将上述代码与 sessionCheck.php 中的 cookie 检查集成
require_once "Auth.php";
require_once "Util.php";
$auth = new Auth();
$util = new Util();
// Get Current date, time
$current_time = time();
$current_date = date("Y-m-d H:i:s", $current_time);
// Set Cookie expiration for 1 month
$cookie_expiration_time = $current_time + (30 * 24 * 60 * 60); // for 1 month
$isLoggedIn = false;
// Check if loggedin session and redirect if session exists
if(!empty($_SESSION["uid"])) {
$isLoggedIn = true;
}
// Check if loggedin session exists
else if(!empty($_COOKIE["member_login"]) && !empty($_COOKIE["random_password"]) && !empty($_COOKIE["random_selector"])) {
// Initiate auth token verification directive to false
$isPasswordVerified = false;
$isSelectorVerified = false;
$isExpiryDateVerified = false;
// Get token for username
$userToken = $auth->getTokenByUsername($_COOKIE["member_login"],0);
// Validate random password cookie with database
if(password_verify($_COOKIE["random_password"], $userToken[0]["password_hash"])) {
$isPasswordVerified = true;
}
// Validate random selector cookie with database
if(password_verify($_COOKIE["random_selector"], $userToken[0]["selector_hash"])) {
$isSelectorVerified = true;
}
// check cookie expiration by date
if($userToken[0]["expiry_date"] >= $current_date) {
$isExpiryDareVerified = true;
}
// Redirect if all cookie based validation retuens true
// Else, mark the token as expired and clear cookies
if(!empty($userToken[0]["id"]) && $isPasswordVerified && $isSelectorVerified && $isExpiryDareVerified) {
$isLoggedIn = true;
} else {
if(!empty($userToken[0]["id"])) {
$auth->markAsExpired($userToken[0]["id"]);
}
// clear cookies
$util->clearAuthCookie();
}
}
第二个问题你推荐我用哪一个?
解决方案
假设$userToken
包含该role
属性,这应该可以工作。
require_once "Auth.php";
require_once "Util.php";
$auth = new Auth();
$util = new Util();
// Get Current date, time
$current_time = time();
$current_date = date("Y-m-d H:i:s", $current_time);
// Set Cookie expiration for 1 month
$cookie_expiration_time = $current_time + (30 * 24 * 60 * 60); // for 1 month
$isLoggedIn = false;
$role = null;
// Check if loggedin session and redirect if session exists
if(!empty($_SESSION["uid"])) {
$isLoggedIn = true;
$role = (isset($_SESSION["role"]) ? $_SESSION["role"] : null);
}
// Check if loggedin session exists
else if(!empty($_COOKIE["member_login"]) && !empty($_COOKIE["random_password"]) && !empty($_COOKIE["random_selector"])) {
// Initiate auth token verification directive to false
$isPasswordVerified = false;
$isSelectorVerified = false;
$isExpiryDateVerified = false;
// Get token for username
$userToken = $auth->getTokenByUsername($_COOKIE["member_login"],0);
// Validate random password cookie with database
if(password_verify($_COOKIE["random_password"], $userToken[0]["password_hash"])) {
$isPasswordVerified = true;
}
// Validate random selector cookie with database
if(password_verify($_COOKIE["random_selector"], $userToken[0]["selector_hash"])) {
$isSelectorVerified = true;
}
// check cookie expiration by date
if($userToken[0]["expiry_date"] >= $current_date) {
$isExpiryDareVerified = true;
}
// Redirect if all cookie based validation retuens true
// Else, mark the token as expired and clear cookies
if(!empty($userToken[0]["id"]) && $isPasswordVerified && $isSelectorVerified && $isExpiryDareVerified) {
$isLoggedIn = true;
$role = (isset($userToken[0]["role"]) ? $userToken[0]["role"] : null);
} else {
if(!empty($userToken[0]["id"])) {
$auth->markAsExpired($userToken[0]["id"]);
}
// clear cookies
$util->clearAuthCookie();
}
}
if (!$isLoggedIn || $role != "admin") {
echo "you dont have permissions to access this page";
exit();
} else if (!$isLoggedIn || $role != "normal") {
echo "you dont have permissions to access this page";
exit();
} else if (!$isLoggedIn || $role != "notactive") {
echo "you must update your account";
exit();
}
推荐阅读
- ruby-on-rails - 如何仅使用基本 STI 类加载 STI 记录?
- javascript - 创建 javascript 对象时,“对象”对象是否只创建一次并被所有内容的 __proto__ 引用?
- r - 宽数据格式作为 Shiny mapview 应用程序的输入 - 需要反应式包装器吗?
- ruby - 系列的第 n 项的总和
- php - 从多维数组项构建唯一的字符串列表
- linux - Matlab 二进制文件在 shell 中不接受其输入值
- python - Python中的条件嵌套循环
- asp.net-core-mvc - 我可以访问其他中间件中的 AuthenticateResult.Fail 异常参数吗?
- java - libGDX : Scrollpane 是 Scrollpane 的子级,并在滚动时在它们之间切换
- scala - foldLeft 迭代的条件终止