How can I deny users access to parts of my Backbon

2019-05-09 22:19发布

站内问答 / PHP
413 3 4

So I've got a Backbone application + web homepage. Right now, if you login to my website, I create a global object with your user details from the database. However, you can still just hit one of the routes in the application directly.

How should I handle users who are not "logged in" and redirect them to a "you must login page"?

Is this a standard operation? Basically, I have a REST url setup that returns just

{ sessionId: [php-session-id-here] }

If they are logged in, it would return something more like this:

{
  sessionId: [php-sess-id],
  userId: [user-id-from-db],
  firstName: [f-name],
  lastName: [l-name]
}

Ideas? Thanks!

3条回答
手持菜刀,她持情操
2楼-- · 2019-05-09 22:46 
<?php 
function IsLoggedIn()
{
    if(isset($_SESSION['id'])) // Change that to what you want
{
    return 1;
}
    else
{ 
    return 0; 
} 
}
?>

Then in your code, you could use something like: if(isLogged()){ header('Location: http://google.com'); }

查看更多
0人赞 添加讨论(0) 举报
劳资没心,怎么记你
3楼-- · 2019-05-09 22:47

What I've done in the past is to include on every page along with jQuery (actually, added to the jQuery file) an extension on the AJAX method to check for a custom code that I send when a user isn't logged in. When that value was seen it redirected the user to the login page regardless of what was going down.

This was because that site had a time out on login, so a user could get logged out while sitting on a page and then the AJAX request would just fail. If you don't have a timeout on the login the odds of ever seeing this issue are slim. Just ignore requests that come from users that aren't logged in.

If you need help coding this, start here: Extending Ajax: Prefilters, Converters, and Transports.

Really shouldn't require anything as complex as pseudo-code:

  1. JS needs to do some AJAX, so JS talks to server
  2. PHP checks for login if needed
  3. If not logged in, send back the abort message (I used a converter to catch a "notLoggedIn" dataType. However this could also be done with a transport, they are just more complex.)
  4. JS sees the abort message and does a window.location redirect rather than return AJAX message.

If you want, you could load a lightbox with a login form and send that via AJAX to PHP where a re-login can take place, if you remember the AJAX attempt that failed you can send it again after login. Then the user doesn't even need to leave the page to log back in.

查看更多
0人赞 添加讨论(0) 举报
等我变得足够好
4楼-- · 2019-05-09 22:58

If you're using jQuery, you can set a global ajaxSetting that allows you to do certain things upon certain http codes. Some pages I read recommend adding to your JSON a url field to point to where to login, but I figure that's just up to you. So the only modifications you'd need to implement what I've mentioned is 1. change the http code to something reasonable like 401 (unauthorized) and implement the http code handler. But I wouldn't call this standard, I'd just say that's what several people have done (including myself).

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)