方法一:
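<?php
declare(strict_types=1);

// Buffer output first: everything echoed below is held until the script ends.
ob_start();
// Resume (or create) the PHP session; CC::check() reads/writes $_SESSION and session_id().
session_start();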
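/**
 * Single-login guard.
 *
 * Keeps one login record in a text file (loginmsg.txt): user name, password
 * hash, client IP and session id, one per line. The record counts as live
 * while the file's mtime is younger than TIMEOUT seconds. check() compares the
 * current visitor against a live record, or writes a new record from the login
 * form when none is live; Wfrom() renders the form when no record is live.
 *
 * Expects session_start() to have been called by the including script.
 */
class CC
{
    /** Seconds a login record stays valid after it was last refreshed. */
    private const TIMEOUT = 60;

    private $REFURL = "http://www.php100.com"; // page to switch to after login (not used by this class)
    private $LoginFLAG = false;                // true once check() confirmed this visitor owns the live record
    private $loginFILE = "loginmsg.txt";       // path of the login record file

    /**
     * Records whether the current visitor passed check().
     *
     * The original assigned `$this->loginFLAG` (lower-case l), which created a
     * second, dynamic property and never touched the declared LoginFLAG.
     *
     * @param bool $flag
     */
    public function setFlag($flag): void
    {
        $this->LoginFLAG = (bool) $flag;
    }

    /**
     * Validates the visitor against the live login record, or creates one.
     *
     * With a live record: the session's user name, the session's password hash,
     * the client IP and the session id must all match the record; on success the
     * record's mtime is refreshed and a meta-refresh to t.php is emitted.
     * Without a live record: a POSTed LoginUser/LoginPw is written as the new
     * record (and mirrored into $_SESSION); otherwise a timeout notice is printed.
     */
    public function check(): void
    {
        if ($this->recordIsLive()) {
            $info     = file($this->loginFILE);
            $username = trim($info[0] ?? ''); // user currently logged in
            $pwHash   = trim($info[1] ?? ''); // password_hash() of that login's password
            $ip       = trim($info[2] ?? ''); // client address at login
            $sid      = trim($info[3] ?? ''); // session id at login

            $sessUser = (string) ($_SESSION['LoginUser'] ?? '');
            $sessPw   = (string) ($_SESSION['LoginPw'] ?? '');
            $remoteIp = (string) ($_SERVER['REMOTE_ADDR'] ?? '');

            // Constant-time comparisons; the messages follow the original order:
            // user name, then password, then IP, then session id.
            if (!hash_equals($username, $sessUser)) {
                $this->setFlag(false);
                echo "帐户登陆时发生错误!用户名错误<br><pre>";
            } elseif (!hash_equals($pwHash, $sessPw)) {
                $this->setFlag(false);
                echo "密码错误..<br>";
            } elseif (!hash_equals($ip, $remoteIp)) {
                $this->setFlag(false);
                echo "不允许使用帐户同时登陆..<br>";
            } elseif (!hash_equals($sid, session_id())) {
                $this->setFlag(false);
                echo "不允许帐户在局网上同时登陆.. " . ($_SERVER['REMOTE_PORT'] ?? '');
            } else {
                $this->setFlag(true);
                echo "<h3>您的帐户可以确定是唯一的!</h3>";
                // Keep the record live: only the mtime matters (the original
                // appended a dummy "a" line that nothing ever read back).
                touch($this->loginFILE);
                echo "<meta http-equiv=refresh content=\"10;url=t.php\">";
            }
        } elseif (isset($_POST['LoginUser'])) {
            // NOTE(review): the submitted name/password are not checked against
            // any user store here — whoever posts first while no record is live
            // becomes "the" logged-in user. Authenticate before reaching this point.
            // CR/LF are stripped from the name so a crafted value cannot add or
            // overwrite lines of the record file.
            $user   = str_replace(["\r", "\n"], '', (string) $_POST['LoginUser']);
            $pwHash = password_hash((string) ($_POST['LoginPw'] ?? ''), PASSWORD_DEFAULT);

            $_SESSION['LoginUser'] = $user;
            $_SESSION['LoginPw']   = $pwHash; // the hash, never the clear-text password

            $record = $user . "\r\n" . $pwHash . "\r\n"
                . (string) ($_SERVER['REMOTE_ADDR'] ?? '') . "\r\n" . session_id();
            file_put_contents($this->loginFILE, $record, LOCK_EX);
        } else {
            // No live record and no form data: report how long ago it expired
            // (0 when there never was a record — the original called filemtime()
            // on a missing file here).
            $outtime = file_exists($this->loginFILE)
                ? time() - filemtime($this->loginFILE) - self::TIMEOUT
                : 0;
            echo "登陆不存在或您已经超时(" . $outtime . "秒)...";
        }
    }

    /**
     * Prints the login form when no record is live, otherwise a
     * "someone is already logged in" notice.
     *
     * Uses the same liveness test as check(); the original used "> 60" here
     * and "< 60" in check(), so at exactly 60 s neither page matched.
     */
    public function Wfrom(): void
    {
        if ($this->recordIsLive()) {
            echo "已有用户登陆";
            return;
        }

        // PHP_SELF echoes the request path (including client-chosen PATH_INFO),
        // so it is escaped before being placed in an attribute.
        $action = htmlspecialchars((string) ($_SERVER['PHP_SELF'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // The button's onclick checks `.value.length`; the original tested
        // `.length` on the input elements themselves, which is undefined and
        // let the form submit even when both fields were empty.
        echo <<<LOGINFORM
<Form action="$action" method="post" name="Loginform">
<table cellpadding=0 border=0>
<tr><td>
用户名:<td><input type="text" name="LoginUser"></span><br>
<tr><td>密码:<td><input type="password" name="LoginPw"></span><br>
<tr><td> <td><input type="button" value=" Login " onclick="if(this.form.LoginUser.value.length*this.form.LoginPw.value.length!=0){this.form.submit();}else{return false;}">
</table>
</form>
LOGINFORM;
    }

    /** True while the login record exists and is younger than TIMEOUT seconds. */
    private function recordIsLive(): bool
    {
        return file_exists($this->loginFILE)
            && (time() - filemtime($this->loginFILE)) < self::TIMEOUT;
    }
}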
// Run the guard for this request: validate or create the login record,
// then render the form (or the "already logged in" notice).
$guard = new CC();
$guard->check();
$guard->Wfrom();
?>
方法二:
【问题描述】同一用户在同一时间多次登录如果不能检测出来,是危险的。因为,你无法知道是否有其他用户在登录你的账户。如何禁止同一用户多次登录呢?
【解决方案】
(1) 每次登录,身份认证成功后,重新产生一个session_id。
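// Issue a fresh id on every successful authentication, so an id handed out
// before login (session fixation) never names the authenticated session;
// `true` discards the old session data instead of leaving it readable under the old id.
session_regenerate_id(true);
// session_register() was removed in PHP 5.4; step (3) stores the name in $_SESSION directly.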
(2) 在用户数据库中开一个sessionid字段,重新产生session_id后,都更新该字段。
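$sessionid = session_id();
$db = new PDO('sqlite:softToken.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly instead of returning false
// $username and $passwd come straight from the login form, so they are bound
// as parameters rather than spliced into the SQL text.
// NOTE(review): the passwd column is compared as-is; if it holds clear-text
// passwords, store password_hash() output and check with password_verify() instead.
$sql = 'update userinfo set sessionid = :sid where username = :user and passwd = :pw';
$query = $db->prepare($sql);
$query->execute([':sid' => $sessionid, ':user' => $username, ':pw' => $passwd]);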
(3) 建立一个session保存用户名
// Remember who logged in; main.php reads this back after resuming the session.
$_SESSION['username'] = $username;
(4) 利用url重写,传递session_id
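// The session id travels in the query string; main.php checks it against the
// userinfo row. Note that ids in URLs also land in server logs and Referer headers.
$url = "main.php?sid=" . session_id();
unset($db);
// header() must be sent before any output, and nothing after a redirect should keep running.
header("Location:$url");
echo "<font color=blue>登录成功,正在跳转!</font>";
exit;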
(5) 在需要跳转的页面,起始处加入
main.php
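<?php
header('Content-type:text/html; charset=utf-8');

$sessionid = (string) ($_GET['sid'] ?? '');
$user = false;

// PHP session ids consist of [A-Za-z0-9,-] (22–256 chars); anything else is
// rejected before it reaches session_id(), which would otherwise adopt an
// arbitrary client-supplied string as the session name.
if ($sessionid !== '' && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sessionid)) {
    session_id($sessionid);
    session_start();
    $username = (string) ($_SESSION['username'] ?? '');

    $db = new PDO('sqlite:softToken.db');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Bound parameters: $username comes from the session, $sessionid from the URL.
    $query = $db->prepare('select * from userinfo where username = :user and sessionid = :sid');
    $query->execute([':user' => $username, ':sid' => $sessionid]);
    $user = $query->fetch(PDO::FETCH_OBJ); // false when no row matched (the original then read ->username on false)
}

if ($user === false || (string) $user->username === '') {
    // Not the session recorded for this user (a newer login replaced it, or the id is unknown).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    echo "<script language='javascript' type='text/javascript'>";
    echo "window.location.href = 'index.html';";
    echo "</script>";
    exit();
}
?>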
<html>
<body>
......
</body>
</html>