PHP: HTTP Basic - Log off

Published 2019-02-17 13:40

Question:

I would like to set it up so that if someone sends in a request "logout", it will automatically take them to a page saying "successful log out". If the customer tries to press the back button or go to the restricted area, it will ask for HTTP auth again.

What I have so far is this:

example.com/restricted/index.php:

<?php   
    session_start();

    if(isset($_GET['logout']))
    {
        // Only the one key is removed; the session itself keeps existing
        unset($_SESSION["login"]);
        header("location: ../logout.php");
        exit;
    }

    // Nothing below ever compares PHP_AUTH_USER / PHP_AUTH_PW against anything
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"]))
    {

        header("HTTP/1.0 401 Unauthorized");
        header("WWW-authenticate: Basic realm=\"Tets\"");
        header("Content-type: text/html");
        // The flag is set on the challenge itself, before any credentials have been seen
        $_SESSION["login"] = true;
        // Print HTML that a password is required
        exit;
    }
?>
// The rest of the page is then displayed like normal

The user successfully visits example.com/logout.php if example.com/restricted/index.php?logout is accessed. When the user tries to go back, however, random things happen: sometimes it will ask for HTTP authentication twice (???), sometimes it will keep asking for authentication in a loop (?), and sometimes it will let me go right back as if I never logged out.

I am new to how sessions work, but my understanding is this: if/when the person is validated, it stores a variable in its session called login with a value of true... if it ever gets a GET request with logout, it will then delete that session variable and go back to logout.php... Why is it then that when I click back to the index, it lets me back in without asking for authentication, when session[login] is supposedly not set?

Any improvement to this PHP code is appreciated. I know I shouldn't use HTTP Basic and should incorporate SQL, but meh. This is a temporary solution.

Edit: I will accept a solution with MySQL if an example with instructions is included. I have no MySQL or PHP database knowledge (yet).

Answer 1:

A rough idea to start you:

<?php   
  session_start();

  if( isset( $_GET['logout'] ) )
  {
    // Drop the whole server-side session, not just one key
    session_destroy();
    header('Location: ../logout.php');
    exit;
  }

  // Only look at the Basic credentials while no authenticated session exists
  if( !isset( $_SESSION['login'] ) )
  {
    if( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
    {
      header("HTTP/1.0 401 Unauthorized");
      header("WWW-authenticate: Basic realm=\"Tets\"");
      header("Content-type: text/html");
      // Print HTML that a password is required
      exit;
    }
    else
    {
      // Validate the $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW']
      // ('TheUsername' / 'ThePassword' are placeholders; a plain != compare is
      // not constant-time, hash_equals() and password_verify() are the usual
      // replacements)
      if( $_SERVER['PHP_AUTH_USER']!='TheUsername'
          || $_SERVER['PHP_AUTH_PW']!='ThePassword' )
      {
        // Invalid: 401 Error & Exit
        header("HTTP/1.0 401 Unauthorized");
        header("WWW-authenticate: Basic realm=\"Tets\"");
        header("Content-type: text/html");
        // Print HTML that a username or password is not valid
        exit;
      }
      else
      {
        // Valid: the flag is only set after the credentials checked out
        $_SESSION['login']=true;
      }
    }
  }
?>
// The rest of the page is then displayed like normal


Answer 2:

I've found a way around it.

I have 2 files: index.php and logout.php

Here is my 'index.php' code:

<?php
session_start();

// L_USER and L_PASS are the constants this code expects; the values here are
// placeholders. L_PASS holds an MD5 digest, since that is what the check below
// compares against (md5 is not a password hash; password_hash()/password_verify()
// are the standard replacement).
define('L_USER', 'admin');
define('L_PASS', md5('changeme'));

# CHECK LOGIN.
// First request of a fresh session: record the session and answer 401 regardless
// of any credentials the browser sent. After logout the session is new again, so
// the cached credentials are rejected once and the browser prompts the user.
if (!isset($_SESSION["loged"])) {
    $_SESSION["loged"] = false;
} else {
    // Second and later requests: check the credentials the browser is sending
    if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) {
        if (($_SERVER['PHP_AUTH_USER'] == L_USER) && (md5($_SERVER['PHP_AUTH_PW']) == L_PASS)) {
            $_SESSION["loged"] = true;
        }
    }
}
if ($_SESSION["loged"] === false) {
    header('WWW-Authenticate: Basic realm="Need authorization"');
    header('HTTP/1.0 401 Unauthorized');
    die('<br /><br />
    <div style="text-align:center;">
       <h1 style="color:gray; margin-top:-30px;">Need authorization</h1>
    </div>');
}

And here is my 'logout.php' code:

<?php
session_start();
$_SESSION["loged"] = false; // We can't use unset($_SESSION) when using HTTP_AUTH.
session_destroy();

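The two answers above each carry one half of a workable pattern: answer 1 gates access on a server-side session flag instead of on the mere presence of `PHP_AUTH_USER`, and answer 2 answers the first request of every fresh session with 401 even when credentials were sent. The second half is what makes "logout" visible to the user, because a browser caches Basic credentials for the realm and re-sends them on every request, and the server has no way to clear that cache; rejecting them once makes the browser treat them as invalid and show its login dialog again. The file below is an added example that combines both and is not code from the question or either answer. It assumes a single user "alice", a realm named "Restricted", a logout page at ../logout.php outside the protected directory, and a password hash that in practice would be stored rather than computed per request:

```php
<?php
// Added example (not from the question or the answers): HTTP Basic auth gated by
// a server-side session flag, with a one-time 401 per fresh session so that the
// browser's cached credentials are rejected once after logout.
//
// Assumptions (placeholders, not from the page): user "alice", realm "Restricted",
// logout page at ../logout.php outside the realm.
declare(strict_types=1);

const AUTH_USER = 'alice';
// Stored hash in a real deployment (config file or database); computed here only
// so the example is self-contained.
$authHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

session_start();

// Send the Basic challenge and stop. Every refusal must carry WWW-Authenticate,
// otherwise the browser keeps using whatever credentials it has.
function send_challenge(string $message): void
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Restricted", charset="UTF-8"');
    header('Content-Type: text/plain; charset=UTF-8');
    echo $message, "\n";
    exit;
}

// Clear the session data, expire the cookie and destroy the server-side record,
// so a later request cannot resume this session.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (isset($_GET['logout'])) {
    end_session();
    header('Location: ../logout.php', true, 303);
    exit;
}

if (empty($_SESSION['login'])) {
    // Step 1: a session we have not challenged yet gets a 401 no matter what the
    // browser sent. After logout the session is new, so cached credentials are
    // rejected once and the browser shows its dialog again.
    if (empty($_SESSION['challenged'])) {
        $_SESSION['challenged'] = true;
        send_challenge('Authentication required.');
    }

    // Step 2: the browser retried with credentials from the dialog; check them.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pass === null) {
        send_challenge('Authentication required.');
    }
    $userOk = hash_equals(AUTH_USER, $user);     // constant-time string compare
    $passOk = password_verify($pass, $authHash); // hash check, never a plain ==
    if (!($userOk && $passOk)) {
        // Do not touch the login flag on failure; just challenge again.
        send_challenge('Invalid username or password.');
    }

    // Only after a successful check: rotate the session id (prevents fixation)
    // and record the login server-side.
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['user']  = $user;
}

// Authenticated from here on; the rest of the page follows.
echo 'Logged in as ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8'),
     ' (<a href="?logout">log out</a>)';
```

Two caveats apply. The browser still holds the credentials in memory until the window is closed, so on most browsers the dialog that appears after logout comes pre-filled and one click lets the same user back in; this pattern makes logout explicit, it does not revoke anything on the client. And `PHP_AUTH_USER`/`PHP_AUTH_PW` are only populated when the web server hands the Authorization header to PHP, which is automatic for the Apache module but under CGI/FastCGI set-ups usually needs a server rule that passes the header through.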

Answer 3:

You can use the meta tag http-equiv="refresh" with a very short response time (e.g. content="1"). This refresh will clear any $_POST.

<?php
// 'myusername' / 'mypassword' are placeholders; the same 401 path handles a
// missing header, wrong credentials and an explicit logout POST
if ( !isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!='myusername' || $_SERVER['PHP_AUTH_PW']!='mypassword' || isset($_POST['logout']) ) {
    header('WWW-Authenticate: Basic realm="My protected area"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<html><head><title>401 Unauthorized</title><meta http-equiv="refresh" content="1"></head><body><h1>401 Unauthorized</h1><p>You are not allowed to see this page. Reload the page to try again.</p></body></html>';
    exit();
} 


Tags: php http session