PHP将用户完全注销掉

Question

我想在用户点击注销链接时注销用户，但它有效，但存在问题。当我点击注销链接时，用户会注销并转到页眉页面，但如果我点击后退按钮，我会直接返回到上一页面而无需再次登录，这是不安全的。当用户注销时，我希望他们完全注销，重新登录的唯一方法是登录。有人可以帮忙吗？

<?php  
include("connect.php"); 

//check if form is submitted 
if ($_SERVER['REQUEST_METHOD'] != 'POST' || 
    ! isset($_POST['signin'])) 
{ 
    // looks like a hack, send to index.php 
    header('Location: index.php'); 
    exit; 
} 

if (empty($_POST["usernam"])) { 
    echo 'fill in username to sign in'; 
} 
if (empty($_POST["pw"])) { 
    echo 'fill in password to sign in'; 
} 

$sql = "SELECT pw FROM users WHERE usernam = ?"; 

$stmt = mysqli_prepare($conn, $sql); 
if (!$stmt) { 
    echo mysqli_error($conn); 
    exit; 
} 

$stmt->bind_param('s', $_POST['pw']); 
$stmt->execute(); 

if (!$stmt) { 
    echo mysqli_error($conn); 
    exit; 
} 
// we found a row with that username, 
// now we need to check the password is correct 

// get the password from the row 
$stmt->bind_result($hashed_pwd); 
$stmt->fetch(); 

if (password_verify($_POST['pw'], $hashed_pwd)) { 
    // password verified 
      header('Location: home.php'); 
} else { 
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />'; 
} 

?> 

logout.php

session_start(); 
session_destroy(); 
header('location:index.php'); 

process2.php（登录）：

include("connect.php"); 

    //check if form is submitted 
    if ($_SERVER['REQUEST_METHOD'] != 'POST' || 
    ! isset($_POST['signin'])) 
    { 
    // looks like a hack, send to index.php 
    header('Location: index.php'); 
    exit; 
    } 

    if (empty($_POST["usernam"])) { 
    echo 'fill in username to sign in'; 
    } 
    if (empty($_POST["pw"])) { 
    echo 'fill in password to sign in'; 
    } 

    $sql = "SELECT pw FROM users WHERE usernam = ?"; 

    $stmt = mysqli_prepare($conn, $sql); 
    if (!$stmt) { 
    echo mysqli_error($conn); 
    exit; 
    } 

    $stmt->bind_param('s', $_POST['pw']); 
    $stmt->execute(); 

    if (!$stmt) { 
    echo mysqli_error($conn); 
    exit; 
    } 
    // we found a row with that username, 
    // now we need to check the password is correct 

    // get the password from the row 
    $stmt->bind_result($hashed_pwd); 
    $stmt->fetch(); 

    if (password_verify($_POST['pw'], $hashed_pwd)) { 
    // password verified 
      header('Location: home.php'); 
    } else { 
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />'; 
    } 

Answer 1

在上页（和需要登录的所有其他网页），你需要添加一个条件它检查用户是否已登录（即，如果用户登录的会话变量已设置）。这将显示的内容只有在用户登录

让我解释这一点，并帮助您用一个例子：

index.php

session_start(); 
if(isset($_SESSION['username'])) { 
    echo "Welcome to my website! You are logged in."; 
    // do stuff... 
else { 
    header("Location: login.php"); // redirects user to login page if the username session variable is not set 
} 

home.php和其他的页面应该工作基础在与上述相同的概念：

session_start(); 
if(isset($_SESSION['username'])) { 
    echo "page when user is logged in"; 
    // do stuff... 
else { 
    header("Location: login.php"); 
} 

然后，你需要会话变量添加到代码块登录p内时代里，它会检查，如果密码是正确的并且用户登录：

session_start(); 
// ... (your other code) ... 
if (password_verify($_POST['pw'], $hashed_pwd)) { 
    // password verified 
    $_SESSION['username'] = $_POST["usernam"]; 
    header('Location: home.php'); 
} else { 
    echo 'Incorrect username or Password. <a href= index.php>Try again</a><br />'; 
} 

最后，您logout.php页面应该也未设置变量一度被称为：

session_start(); 
if(isset($_SESSION['username'])) { 
    unset($_SESSION['username']); 
    session_destroy(); 
    echo "succesfully logged out!"; 
    header('refresh:5;location:index.php'); // redirect to index.php in 5 seconds 
} 
else { 
    echo "you are not logged in!"; 
} 

使用session_destroy()仅是不够的会话变量在销毁会话后仍然设置。见PHP's documentation的第一个例子。