Question
<?php
session_start();
?>
<!DOCTYPE html>
<html>
<body>
<?php
$user = 'hassan';
$apple = "6217c55b626e7477b972034993b40a29";
$salt = "231**6";
$uname = $_POST["uname"];
$pas = $_POST["psw"];
$token1 = hash("ripemd128", '$salt$pas');
if ($token1 === $apple && $user === $uname)
{
    $_SESSION["user"] = $user;
    echo $_SESSION["user"];
    if ($_SESSION["user"] == $user && $token1 === $apple)
    {
        echo "Welcome " . $_SESSION["user"];
    }
?>
<h1>you are logged in</h1>
<form action="inbox.php" class="boxed" style="border: 4px solid black; text-align: center;" method="post">
    <h1><b>Check inbox :</b></h1>
    <input type="submit" class="button" value="Inbox" style="background-color: grey;
        border: none;
        color: white;
        padding: 15px 70px;
        margin: 15px 0px;
        cursor: pointer;"><br><br>
</form>
<form action="add.php" class="boxed" style="border: 4px solid black; text-align: center;" method="post">
    <h1><b>ADD property :</b></h1>
    <input type="submit" value="ADD" style="background-color: grey;
        border: none;
        color: white;
        padding: 15px 70px;
        margin: 15px 0px;
        cursor: pointer;">
</form>
<form action="logout.php" class="boxed" style="border: 4px solid black; text-align: center;" method="post">
    <h1>logout here</h1>
    <input type="submit" class="button" value="Logout" style="background-color: grey;
        border: none;
        color: white;
        padding: 15px 70px;
        margin: 15px 0px;
        cursor: pointer;">
</form>
<?php
    $_SESSION["user"] = "null";
    $token = null;
    $user = null;
}
else
{
?>
<h1>You entered wrong details please enter again</h1>
<a href="admin.html">try again</a>
<?php
}
?>
</body>
</html>
I am having a problem with logging in and out. The session is being maintained, but it still logs me in with the wrong details. I used both a hash and a salt to encrypt the password, then stored it in the variable apple. Sorry for my poor indentation; I am new to PHP. After logging in, my script will perform three functions -- all are working, but logout is also failing.
I'm stuck with this, and I need to submit this for a project that's already a day overdue, so any help would be greatly appreciated!
Answer 1:
You can login with wrong credentials because PHP doesn't expand variables in single quoted strings. You need to use:
hash("ripemd128", "$salt$pas");
or
hash("ripemd128", $salt.$pas);
Simplified example: https://3v4l.org/mu9Pm
ETA logout: Your HTML contains a button that is linked to a separate script (logout.php). You need to pass the session id to that file (read more here), and destroy the session.
If $_SESSION["user"]= "null";... in the code you posted is supposed to log the user out, it doesn't. It gets executed when a correct password is provided and is not connected to the button at all.
After the logout script works you could and should think about CSRF, but I think that's a thought for later.
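The following is an added example, not code from the question or the answer above. It first shows the single-quote interpolation bug the answer describes next to the corrected form, and then a login and logout flow that does not rely on a home-made salt and fixed hash at all: password_hash()/password_verify() for the credential check, session_regenerate_id() on login, a proper session teardown for logout.php, and a per-session CSRF token for the three POST forms. The user name and salt are the question's; the function names, the demo password and the field names uname, psw, csrf and logout are my own assumptions.

```php
<?php
// Added example, not code from the question or the answer above. The user
// name and salt come from the question; the function names, the demo
// password and the form field names (uname, psw, csrf, logout) are assumed.
declare(strict_types=1);

// ---- 1. Why the posted check accepts a wrong password -------------------
// Inside single quotes PHP does not interpolate, so the hash input is the
// literal nine characters $salt$pas, the same whatever the user typed.
function brokenToken(string $salt, string $pas): string
{
    return hash('ripemd128', '$salt$pas');   // the bug from the question, kept on purpose
}

// Double quotes or concatenation (both forms given in the answer) use the values.
function fixedToken(string $salt, string $pas): string
{
    return hash('ripemd128', $salt . $pas);
}

// True when two different passwords produce the same "token", i.e. the bug is present.
function interpolationBugPresent(): bool
{
    return brokenToken('231**6', 'right') === brokenToken('231**6', 'wrong')
        && fixedToken('231**6', 'right') !== fixedToken('231**6', 'wrong');
}

// ---- 2. A login check that does not depend on a home-made salt ----------
const LOGIN_USER = 'hassan';

function login(string $uname, string $psw, string $storedHash): bool
{
    // password_verify() reads the algorithm, cost and random per-user salt out
    // of $storedHash, so no fixed salt like "231**6" is needed anywhere.
    $userOk = hash_equals(LOGIN_USER, $uname);
    $passOk = password_verify($psw, $storedHash);   // always run: same cost for bad user and bad pass
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);                    // new id on login: blocks session fixation
    $_SESSION['user'] = LOGIN_USER;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));  // per-session token for the POST forms
    return true;
}

// ---- 3. What logout.php has to do ---------------------------------------
// The browser sends the session cookie by itself; logout.php only needs
// session_start() to find the session, and then must actually destroy it.
function logout(): void
{
    $_SESSION = [];                                   // drop the server-side data
    if (ini_get('session.use_cookies')) {             // and expire the client's cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Every state-changing POST (inbox, add, logout) should carry the token.
function csrfValid(?string $token): bool
{
    return isset($_SESSION['csrf']) && is_string($token)
        && hash_equals($_SESSION['csrf'], $token);
}

// ---- Request handling ---------------------------------------------------
session_start();

// In a real application this string comes from the user store, written once
// with password_hash(); it is computed here only so the example runs stand-alone.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (isset($_POST['logout'])) {
        if (csrfValid($_POST['csrf'] ?? null)) {
            logout();
        }
    } elseif (login((string)($_POST['uname'] ?? ''), (string)($_POST['psw'] ?? ''), $storedHash)) {
        // Logged in: render the page and put a hidden input named "csrf" holding
        // htmlspecialchars($_SESSION['csrf']) into each of the three forms.
    } else {
        http_response_code(401);   // one generic failure message, do not say which field was wrong
    }
}

// Sanity check of section 1, printed after all header work is done.
echo 'same token for different passwords: ', var_export(interpolationBugPresent(), true), PHP_EOL;
```

Run from the command line the script only prints the result of interpolationBugPresent(), which is true: the two brokenToken() calls hash the identical literal and therefore agree, while fixedToken() separates the inputs. Note that the question's "wrong details" symptom needs both halves of the answer: with the single-quoted string the computed token is a constant, so if $apple was produced by the same code every password for hassan matches. On the logout side, assigning "null" to $_SESSION["user"] inside the success branch runs on every successful login, not when the Logout button is pressed; the work has to happen in logout.php, as in logout() above, and because that request changes state it should be checked with csrfValid() like the other two forms.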
Source: https://stackoverflow.com/questions/42192146/login-logout-not-working-php-properly