0

Firefoxを使用してのみログインできるように見えるログインシステムがあります。同じログイン詳細を使用してInternetExplorerとChromeで試しましたが、ログインできません(確認に失敗しました。パスワードが正しくありません。もう一度やり直してください。」 )。

ログインページのコードは次のとおりです。

<body class="ui-state-processing">
<div id="cp-wrapper-div">
<div id="cp-topheader-div" class="ui-widget-header">
    <div id="cp-topheader-content-div">
        <img class="cp-topheader-customer-logo left" alt="Logo" src="images/logo.png" />
        <img class="cp-topheader-marandy-logo right" alt="Powered by CompanyName" src="images/powered_by_compname.png" />
    </div>
</div>
<div class="clear"></div>
<div id="login-page-wrap">
    <div id="login-wrapper" class="ui-corner-all page-div">
        <div id="login-input-wrapper" class="div-row-style">
            <div id="login-title-top" class="centre-div">
                <div id="login-title-icon">
                    <img src="images/padlock.png" alt="Online Booking Login" class="left" />
                </div>
                <div id="login-title-text">
                    <h1 class="drk-grey left">Online Booking Login</h1>
                </div>
            </div>
            <form action="?" method="post" id="frm-useracc-login" name="frm-useracc-login" >
                <div id="login-username-wrap" >
                    <div class="login-input-item left">
                        <div class="div-search-label left">
                            <div id="div-leftheader-wrap">
                                <p class="a-topheader-infotext left"><strong>Username: </strong></p>
                            </div>
                        </div>
                        <div class="login-input-content left div-subrow-style ui-corner-all">
                            <input type="text" tabindex="1" name="txt-username" id="txt-username" class="input-txt-med required addr-search-input txt-username left">
                        </div>
                    </div>
                </div>
                <div id="login-password-wrap" >
                    <div class="login-input-item left">
                        <div class="div-search-label left">
                            <div id="div-leftheader-wrap">
                                <p class="a-topheader-infotext left"><strong>Password: </strong></p>
                            </div>
                        </div>
                        <div class="login-input-content left div-subrow-style ui-corner-all">
                            <input type="password" tabindex="1" name="txt-password" id="txt-password" class="input-txt-med required addr-search-input txt-password left">
                        </div>
                    </div>
                </div>
                <div id="login-btn-bottom" class="centre-div">
                    <div id="login-btn-right">
                        <button name="btn-login" id="btn-login" class="btn-med ui-button ui-state-default ui-button-text-only ui-corner-all btn-hover-anim btn-row-wrapper left">Login</button>
                        <button name="btn-cancel" id="btn-cancel" class="btn-med ui-button ui-state-default ui-button-text-only ui-corner-all btn-hover-anim btn-row-wrapper left">Cancel</button><br /><br />
                    </div>
                </div>
            </form>
        </div>
        <p id="login-status" class="fail-text"><strong><? echo $_SESSION['login-status']; ?></strong></p>
    </div>
</div>

そしてこれは私のsession.controller.phpです:

<?php

require_once("controllers/server.filter.php");
require_once('models/server.php');
require_once("models/useraccount.php");
require_once("models/sql.php");

class SessionController {

private static $login_status;
private static $redirect_url;
public static $form_action;

## Getters ##

private static function get_loginstatus() {return self::$login_status;}

## Setters ##

private static function set_loginstatus($in_str) {self::$login_status = $in_str;}

## Functions ##

public static function validate_user() {

    UserAccount::set_username($_REQUEST['txt-username']);
    UserAccount::set_password($_REQUEST['txt-password']);

    $pdo = new SQL();
    $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

    try {

        // Does user exist?
        $query = "SELECT COUNT(UserName) FROM tblusers WHERE UserName = :in_username";

        $stmt = $dbh->prepare($query);

        $param = Filter::san_str_html(UserAccount::get_username());

        $stmt->bindParam(':in_username', $param, PDO::PARAM_STR);

        $stmt->execute();

        $number_of_rows = $stmt->fetchColumn();

        $stmt->closeCursor();



        if ($number_of_rows <= 0) {

            self::set_loginstatus("The user does not exist in our database, please try again.");
            $_SESSION['login-status'] = self::get_loginstatus();
            self::redirect(false);

        } else {

            // User verified, check password...
            self::verify_password();

        }

    }

    catch (PDOException $pe) {
        die("Error: " .$pe->getMessage());
    }

    $pdo = null;

}

private static function verify_password() {

    $pdo = new SQL();
    $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

    try {

        // Does the password given match the password held?
        $query = "SELECT COUNT(*) FROM tblusers WHERE UserName = :in_username AND Password = :in_password";

        $stmt = $dbh->prepare($query);

        $param1 = UserAccount::get_password();
        $param2 = Filter::san_str_html(UserAccount::get_username());

        $stmt->bindParam(':in_username', $param2, PDO::PARAM_STR);
        $stmt->bindParam(':in_password', $param1, PDO::PARAM_STR);

        $stmt->execute();

        $number_of_rows = $stmt->fetchColumn();

    }

    catch (PDOException $pe) {
        die("Error: " .$pe->getMessage());
    }

    $pdo = null;

    if ($number_of_rows == 1) {

        $_SESSION['username'] = UserAccount::get_username();

        // Begin verification..
        self::set_useraccount(true);

    } else {

        self::set_loginstatus("Verification failed! Password incorrect, please try again.");
        $_SESSION['login-status'] = self::get_loginstatus();
        self::redirect(false);

    }

}

private static function verify_account() {

    // Account types: 9 = Disabled, 0 = Normal/Restricted, 1 = Administrative
    if (UserAccount::get_accounttype() == 9) {
        self::set_loginstatus("Verification failed! This account has been disabled."); ## Account disabled
        $_SESSION['login-status'] = self::get_loginstatus();
        self::redirect(false);

    } else

        // User login types: 9 = Disabled, 0 = Normal/Restricted, 1 = Administrative
        if (UserAccount::get_usertype() == 9) {
            self::set_loginstatus("Verification failed! This login has been disabled."); ## User login disabled
            $_SESSION['login-status'] = self::get_loginstatus();
            self::redirect(false);

        } else {

            // Set redirect url here
            if (UserAccount::get_accounttype() == 1) {
                self::$redirect_url = 'controlpanel.php';
            }

            if (UserAccount::get_accounttype() == 0 && UserAccount::get_usertype() == 1) {
                self::$redirect_url = 'controlpanel.php';
            }

            if (UserAccount::get_accounttype() == 0 && UserAccount::get_usertype() == 0) {
                self::$redirect_url = 'newbooking.php';
            }

            // All ok, set user and account properties
            return true;

        }

}

public static function set_useraccount($redirect_bool) {

    // If username session is set...
    if (isset($_SESSION['username'])) {

        UserAccount::set_username($_SESSION['username']);

        // Query Database for the rest of the data
        $pdo = new SQL();
        $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

        try {

            $query = "SELECT AccountName
                      FROM tblusers
                      WHERE UserName = :in_username";

            $stmt = $dbh->prepare($query);

            $param1 = UserAccount::get_username();

            $stmt->bindParam(':in_username', $param1, PDO::PARAM_STR);

            $stmt->execute();

            // Parse
            $row = $stmt->fetch(PDO::FETCH_BOTH);

            $stmt->closeCursor();

        }

        catch (PDOException $pe) {
            die("Error: " .$pe->getMessage());
        }

        UserAccount::set_accountname($row['AccountName']);

        try {

            $query = "SELECT a.Id, a.AccountName, a.AccountNumber, a.AccountEmail, a.AccountTel,
                             a.AccountContact, a.AccountType, a.PaymentType, u.UserName,
                             u.FullName, u.UserEmail, u.UserTel, u.UserType
                      FROM tblaccounts a JOIN tblusers u
                      ON a.AccountName = u.AccountName
                      WHERE a.AccountName = :in_accname
                      AND u.UserName = :in_username";

            $stmt = $dbh->prepare($query);

            $param2 = UserAccount::get_accountname();
            $param3 = UserAccount::get_username();

            $stmt->bindParam(':in_accname', $param2, PDO::PARAM_STR);
            $stmt->bindParam(':in_username', $param3, PDO::PARAM_STR);

            $stmt->execute();

            // Parse
            $row = $stmt->fetch(PDO::FETCH_BOTH);

        }

        catch (PDOException $pe) {
            die("Error: " .$pe->getMessage());
        }

        // Set properties and sessions variables
        UserAccount::set_id($row['Id']);
        UserAccount::set_accountname($row['AccountName']);
        UserAccount::set_accountnumber($row['AccountNumber']);
        UserAccount::set_accountemail($row['AccountEmail']);
        UserAccount::set_fullname($row['FullName']);
        UserAccount::set_accounttel($row['AccountTel']);
        UserAccount::set_accountcontact($row['AccountContact']);
        UserAccount::set_accounttype((int)$row['AccountType']);
        UserAccount::set_paymenttype((int)$row['PaymentType']);
        UserAccount::set_useremail($row['UserEmail']);
        UserAccount::set_usertel($row['UserTel']);
        UserAccount::set_usertype((int)$row['UserType']);

        if (self::verify_account()) {

            switch (UserAccount::get_paymenttype()) {
                case 0:
                $_SESSION['ua-paymenttype-asstr'] = 'Credit/Debit Card';
                self::$form_action = 'addressdetails.php';
                break;
                case 1:
                $_SESSION['ua-paymenttype-asstr'] = 'Account';
                self::$form_action = 'makebooking.php';
                break;
                case 2:
                $_SESSION['ua-paymenttype-asstr'] = 'Cash';
                self::$form_action = 'makebooking.php';
                break;
            }

            switch (UserAccount::get_usertype()) {
                case 9:
                $_SESSION['ua-usertype-asstr'] = 'Disabled/Suspended';
                break;
                case 0:
                $_SESSION['ua-usertype-asstr'] = 'Standard';
                break;
                case 1:
                $_SESSION['ua-usertype-asstr'] = 'Account Administrator';
                break;
            }

            switch (UserAccount::get_accounttype()) {
                case 9:
                $_SESSION['ua-accounttype-asstr'] = 'Disabled/Suspended';
                break;
                case 0:
                $_SESSION['ua-accounttype-asstr'] = '  ';
                break;
                case 1:
                $_SESSION['ua-accounttype-asstr'] = '(SA)';
                break;
            }

            // Redirect
            if ($redirect_bool) {
                self::redirect(true);
            }

        }

    } else {

        //self::set_loginstatus("Pre-requisite failure! Browser not supporting cookies!"); **Removed**
        $_SESSION['login-status'] = self::get_loginstatus();

        self::redirect(false);

    }

}

private static function redirect($auth_bool) {

    //parent::set_sessionstate(true); ## Set session to active -- persistance to DB

    //self::$determine_session_type(); ## Set session type --  persistance to DB

    if ($auth_bool == true) {

        $doc_root = $_SERVER['DOCUMENT_ROOT'];
        self::set_loginstatus('');
        $_SESSION['login-status'] = self::get_loginstatus();

        header("Location: ".self::$redirect_url);

    } else {

         header("Location: login.php");

    }

}


}

?>

Anybody got any idea why it only seems to be working in Firefox?

4

1 に答える 1

0

ログイン試行の POST リクエストを検出するコードはどこにありますか?

通常、これは、ボタンまたは送信フィールドの $_POST/$_REQUEST 変数を検出してログイン手順をトリガーしているときに発生します。特にIEは、フォームの残りの部分と一緒にこれを常に投稿するとは限りません.

これを解決する最善の方法は、フォームとともに隠しフィールドを送信することです。

<form method = "post" >

<input type = "text" name = "username" value = "1" />
<input type = "password" name = "password" value = "1" />
<input type = "hidden" name = "login_attempt" value = "1" />

<input type = "submit" value = "submit" name = "submit" />
</form>
<?php

if($isset($_POST['login_attempt'])){


    $User->login();
}

?>

Enterキーを押すか、送信をクリックして、いくつかの大きなブラウザでこのようなフォームを送信してみてください。信頼できない唯一のフィールドは送信です。

于 2012-08-22T12:15:18.927 に答える