I have a resetpwd.php page that is shown when a user's password is reset in the database. How开发者_开发知识库ever, this page can be accessed by users whose password is not reset by manually changing the URL to "/resetpwd.php". How can I prevent this?
It's not really possible to prevent changing the URL, because the HTTP server does not really care if the URL was clicked on a page that you provided to the user, or typed in the browser's location bar.
Instead, add some code to resetpwd.php
to check if the user accessing it is allowed to do so, i.e. if his password is reset in the database. If not, just exit
the script or redirect the user to a different page.
You can't simply prevent people from accessing it by typing in the URL. The best you could do would be to set a flag when a user's password is reset and redirect users whose accounts aren't flagged.
It may be worth considering why you need to "hide" this page from users. For example, you can navigate directly to https://stackoverflow.com/error. Looking at that page doesn't mean an actual server error occurred, but you should be intuitively aware of this if you intentionally type in that URL.
Negative answer is a legitimate answer too. Leave it alone.
Noway. Just leave it alone. there is no reason in preventing access to this page.
depends how the user gets to that page. On a part of mine I had this idea:
if($_SESSION['userid'] != $_GET['id'])
{
//check if user if signed in
if($_SESSION['signed_in'] == true)
{
//unset all variables
$_SESSION['signed_in'] = NULL;
$_SESSION['user_name'] = NULL;
$_SESSION['user_id'] = NULL;
echo 'Error';
}
else
{
echo 'Por favor, log in again. Gracias.';
}
echo '<script type="text/javascript">self.close();</script>';
die();
}
if someone wants to get to this page, which contains private data, I just compare the userid with the session user_id and if they are not equal (an user is trying to get into thru browser side) I log him off and close the window with a javascript line and abort everything else.
精彩评论