Check whether the user is logged in (cookie check)

I have a question about something already posted, but I think I'll ask it again since I now have more code.

The original code I used from this tutorial:

function checkLoggedIn($page)
{
   $loginDiv = '';
   $action = '';
   if (isset($_POST['action']))
   {
      $action = stripslashes ($_POST['action']);
   }
   session_start ();
   // Check if we're already logged in, and check session information against cookies
   // credentials to protect against session hijacking
   if (isset ($_COOKIE['project-name']['userID']) &&
       crypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'],
             $_COOKIE['project-name']['secondDigest']) ==
       $_COOKIE['project-name']['secondDigest'] &&
       (!isset ($_COOKIE['project-name']['username']) ||
        (isset ($_COOKIE['project-name']['username']) &&
         Users::checkCredentials($_COOKIE['project-name']['username'],
                                 $_COOKIE['project-name']['digest']))))
   {
      // Regenerate the ID to prevent session fixation
      session_regenerate_id ();
      // Restore the session variables, if they don't exist
      if (!isset ($_SESSION['project-name']['userID']))
      {
         $_SESSION['project-name']['userID'] = $_COOKIE['project-name']['userID'];
      }
      // Only redirect us if we're not already on a secured page and are not
      // receiving a logout request
      if (!isSecuredPage ($page) &&
          $action != 'logout')
      {
         header ('Location: ./');
         exit;
      }
   }
   else
   {
      // If we're not already the login page, redirect us to the login page
      if ($page != Page::LOGIN)
      {
         header ('Location: login.php');
         exit;
      }
   }
   // If we're not already logged in, check if we're trying to login or logout
   if ($page == Page::LOGIN && $action != '')
   {
      switch ($action)
      {
         case 'login':
         {
            $userData = Users::checkCredentials (stripslashes ($_POST['login-username']),
                                                 stripslashes ($_POST['password']));
            if ($userData[0] != 0)
            {
               $_SESSION['project-name']['userID'] = $userData[0];
               $_SESSION['project-name']['ip'] = $_SERVER['REMOTE_ADDR'];
               $_SESSION['project-name']['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
               if (isset ($_POST['remember']))
               {
                  // We set a cookie if the user wants to remain logged in after the
                  // browser is closed
                  // This will leave the user logged in for 168 hours, or one week
                  setcookie('project-name[userID]', $userData[0], time () + (3600 * 168));
                  setcookie('project-name[username]',
                  $userData[1], time () + (3600 * 168));
                  setcookie('project-name[digest]', $userData[2], time () + (3600 * 168));
                  setcookie('project-name[secondDigest]',
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));
               }
               else
               {
                  setcookie('project-name[userID]', $userData[0], false);
                  setcookie('project-name[username]', '', false);
                  setcookie('project-name[digest]', '', false);
                  setcookie('project-name[secondDigest]',
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));
               }
               header ('Location: ./');
               exit;
            }
            else
            {
               $loginDiv = '<div id="login-box" class="error">The username or password ' .
                           'you entered is incorrect.</div>';
            }
            break;
         }
         // Destroy the session if we received a logout or don't know the action received
         case 'logout':
         default:
         {
            // Destroy all session and cookie variables
            $_SESSION = array ();
            setcookie('project-name[userID]', '', time () - (3600 * 168));
            setcookie('project-name[username]', '', time () - (3600 * 168));
            setcookie('project-name[digest]', '', time () - (3600 * 168));
            setcookie('project-name[secondDigest]', '', time () - (3600 * 168));
             // Destroy the session
            session_destroy ();
            $loginDiv = '<div id="login-box" class="info">Thank you. Come again!</div>';
            break;
         }
      }
   }
   return $loginDiv;
}

My code:

<?php
function encrypt($input)
{
    $hash = password_hash($input, PASSWORD_DEFAULT);
    return $hash;
}

function checkUserCreds($username, $password)
{
    $id = 0;
    $hash = '';
    // $dbDNS, $dbuser and $dbpass are assumed to come from an included config file.
    // They must not be wrapped in single quotes, or PDO receives the literal text '$dbDNS'.
    $db = new PDO($dbDNS, $dbuser, $dbpass);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // Set error mode
    try
    {
        $st = $db->prepare("SELECT id, login, email, pass FROM users WHERE login = :username");
        $st->bindParam(':username', $username, PDO::PARAM_STR);
        $success = $st->execute();
        if ($success)
        {
            $userData = $st->fetch(PDO::FETCH_ASSOC);
            // fetch() returns false when no row matched
            if ($userData !== false)
            {
                $hash = $userData['pass'];
                // password_verify() returns a bool; test it as one, not against the hash string
                if (password_verify($password, $hash))
                {
                    $id = $userData['id'];
                }
            }
        }
    }
    catch (PDOException $e)
    {
        $id = 0;
        $hash = '';
    }
    $db = null;
    return array($id, $username, $hash);
}

function checkLoggedIn($page)
{
    $loginMess = '';
    $action = '';
    if (isset($_POST['action']))
    {
        $action = stripslashes($_POST['action']);
    }
    session_start();
    // Check if already logged in and check session information against cookies.
    // NOTE: encrypt() calls password_hash(), which salts every call, so this comparison
    // can never succeed; that is the bug described in the update at the end of the question.
    if (isset($_COOKIE['sukd']['id']) &&
        encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) == $_COOKIE['sukd']['hashv2'] &&
        (!isset($_COOKIE['sukd']['username']) ||
         (isset($_COOKIE['sukd']['username']) &&
          checkUserCreds($_COOKIE['sukd']['username'], $_COOKIE['sukd']['hash']))))
    {
        echo "isset cookies: ON, GOOD <br>"; // debug output; any later header() call fails once this is sent
        // Regenerate the ID to prevent session fixation
        //session_regenerate_id ();
    }
    else
    {
        // If we are not on the login page, redirect.
        if ($page != 'login')
        {
            header('Location: login.php'); // the header name needs the colon
            exit;
        }
    }
    // Comparison, not assignment: "$page = 'login'" would always be true
    if ($page == 'login' && $action != '')
    {
        switch ($action)
        {
            case 'login':
            {
                $userData = checkUserCreds(stripslashes($_POST['username']), stripslashes($_POST['password']));
                if ($userData[0] != 0)
                {
                    $_SESSION['sukd']['id'] = $userData[0];
                    $_SESSION['sukd']['ip'] = $_SERVER['REMOTE_ADDR'];
                    $_SESSION['sukd']['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
                    if (isset($_POST['remember']))
                    {
                        // remember for 7 days
                        setcookie('sukd[id]', $userData[0], time() + (3600 * 168));
                        setcookie('sukd[username]', $userData[1], time() + (3600 * 168));
                        setcookie('sukd[hash]', $userData[2], time() + (3600 * 168));
                        setcookie('sukd[hashv2]', encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']), time() + (3600 * 168));
                    }
                    else
                    {
                        setcookie('sukd[id]', $userData[0], false);
                        setcookie('sukd[username]', '', false);
                        setcookie('sukd[hash]', '', false);
                        setcookie('sukd[hashv2]', encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']), time() + (3600 * 168));
                    }
                    header('Location: ./');
                    exit;
                }
                else
                {
                    $loginMess = "The username or password you entered is incorrect <br>";
                }
                break;
            }
            case 'logout':
            default:
            {
                $_SESSION = array();
                // Expire the cookies with a time in the past; time() + ... would keep them alive for a week
                setcookie('sukd[id]', '', time() - (3600 * 168));
                setcookie('sukd[username]', '', time() - (3600 * 168));
                setcookie('sukd[hash]', '', time() - (3600 * 168));
                setcookie('sukd[hashv2]', '', time() - (3600 * 168));
                session_destroy();
                // Return the message; the caller echoes it
                $loginMess = 'Successfully logged out <br>';
                break;
            }
        }
    }
    return $loginMess;
}
?>

For example, it is called as checkLoggedIn(login), and if something goes wrong it outputs the login message. It also uses a hidden field named action to set the value for the switch, login or logout. Currently it logs in fine, adds the cookies, etc.

However, the problem is the code that should do the check when the user is already logged in:

if (isset($_COOKIE['sukd']['id']) && encrypt($_SERVER['REMOTE_ADDR'] etc..

I can't really understand the original code, so I'm not even sure where to start. The cookie array is a bit strange; it seems to be based on two different forms depending on whether you are setting the cookie or reading it.

If anyone has a more secure method without going over the top, I'd be glad if someone could enlighten me further on this.

The original's names in my code:

digest = hash
secondDigest = hashv2
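As an added example (not the asker's code and not part of the tutorial), the script below shows why comparing a fresh password_hash() result against a stored cookie value can never succeed, and what a stable, server-verifiable client-binding cookie value looks like instead: an HMAC over the same inputs with a server-side secret, compared with hash_equals(). The secret, the cookie name and the sample request values are assumptions.

```php
<?php
// Added example, not from the question or the tutorial. All values are constructed.

// 1. password_hash() generates a new salt on every call, so two hashes of the same
//    input are different strings. That is why
//    encrypt($ip . $ua) == $_COOKIE['sukd']['hashv2'] never matches, even though
//    password_verify() accepts either hash.
function demoRehashNeverMatches(string $input): bool
{
    $a = password_hash($input, PASSWORD_DEFAULT);
    $b = password_hash($input, PASSWORD_DEFAULT);
    return $a !== $b && password_verify($input, $a) && password_verify($input, $b);
}

// 2. A client-binding value must be deterministic (same client -> same value) and
//    unforgeable by the client. A keyed HMAC gives both: without BINDING_SECRET nobody
//    can compute a valid value for a different address or user agent.
//    The secret is a placeholder; load a random 32-byte value from config in practice.
const BINDING_SECRET = 'replace-with-a-random-32-byte-secret';

function bindingToken(string $remoteAddr, string $userAgent): string
{
    // NUL separator prevents "a" . "bc" and "ab" . "c" from colliding
    return hash_hmac('sha256', $remoteAddr . "\0" . $userAgent, BINDING_SECRET);
}

function bindingMatches(string $remoteAddr, string $userAgent, string $cookieValue): bool
{
    // hash_equals() compares in constant time and handles a length mismatch safely
    return hash_equals(bindingToken($remoteAddr, $userAgent), $cookieValue);
}

// Constructed request values standing in for $_SERVER and $_COOKIE
function demoBinding(): array
{
    $ip = '203.0.113.7';
    $ua = 'Mozilla/5.0 (constructed)';
    $cookie = bindingToken($ip, $ua);

    return [
        'same_client'     => bindingMatches($ip, $ua, $cookie),
        'other_useragent' => bindingMatches($ip, 'curl/8.0 (constructed)', $cookie),
        'tampered_cookie' => bindingMatches($ip, $ua, str_repeat('0', 64)),
    ];
}

var_dump(demoRehashNeverMatches('203.0.113.7Mozilla/5.0 (constructed)'));
var_dump(demoBinding());
```

Binding to REMOTE_ADDR, as the tutorial does, logs users out whenever their address changes (mobile networks, some proxies); the HMAC only fixes the comparison problem, not that trade-off.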

I wouldn't call session_start(); inside the function. If you use cookies anywhere else you will need it anyway. Put it at the very beginning of the first file, before anything else.

Maybe use this:

if (!isset($_SESSION))
  {
    session_start();
  }

If anyone has a more secure method without going over the top, I'd be glad if someone could enlighten me further on this.

Why not use $_SESSION instead?

Using cookies is a complete pain when it comes to trying to make them secure so that the user can't set certain data themselves, which is what you are fighting right now. By contrast, I can't set $_SESSION on your server.

Then, as a very basic example:

//your login script
//if logged in successful:
$_SESSION['loggedin']['username']=$username; //from DB
$_SESSION['loggedin']['whatever']=$whatever;
//Then your login check just checks the session
if (!isset($_SESSION['loggedin']))
  {
    //redirect to login page or don't server them user stuff
  }

Then you don't need to bother with hashing data you don't want them to see, etc. Depending on your security requirements, you can check and set all sorts of things in the session.

Importantly, when you check some details in a cookie, people can set their own cookies, which means your code may simply check a cookie the user set, assume they are logged in, and let them access things, possibly another user's account.

Sessions, while not 100% secure, are very secure because they are stored on the server, in the web root; that means if someone is fiddling with them they are already inside the server, and setting a session is the last thing they would need to do to cause damage.
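The session-only pattern this answer recommends, written out as an added example (not the answerer's code): login regenerates the session id, the check reads only $_SESSION, and logout expires the session cookie and the question's legacy cookies with a time in the past. The cookie name comes from the question; the user id, username and page names are constructed.

```php
<?php
// Added example, not from the answer or the question. Constructed values only.
declare(strict_types=1);

// Start the session once, before any output (the answer's point about session_start())
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

const COOKIE_NAME = 'sukd'; // cookie name used in the question

function loginUser(int $id, string $username): void
{
    // A fresh id on privilege change defeats session fixation
    session_regenerate_id(true);
    $_SESSION['loggedin'] = [
        'id'       => $id,
        'username' => $username,
        'since'    => time(),
    ];
}

// The whole login check: nothing from $_COOKIE is trusted
function isLoggedIn(): bool
{
    return isset($_SESSION['loggedin']['id']);
}

function requireLogin(string $page): void
{
    if (!isLoggedIn() && $page !== 'login') {
        header('Location: login.php');
        exit;
    }
}

function logoutUser(): void
{
    $_SESSION = [];

    // Expire the session cookie itself, not only the server-side data
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Clear the question's old cookies. A past expiry removes them;
    // time() + ... (as in the question's logout branch) would keep them for a week.
    foreach (['id', 'username', 'hash', 'hashv2'] as $k) {
        setcookie(COOKIE_NAME . "[$k]", '', time() - 3600, '/');
    }

    session_destroy();
}

// Constructed walk-through: anonymous -> logged in -> logged out
var_dump(isLoggedIn());
loginUser(42, 'alice');
var_dump(isLoggedIn());
logoutUser();
var_dump(isLoggedIn());
```

With this layout, the only client-side artefact is the session id cookie, so a user can forge a login state only by guessing a valid id, which the session handler makes impractical; the hash cookies the question compares against disappear entirely.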

Latest update:

I found out why it doesn't work. I was re-hashing with password_hash when I should have been using password_verify. That means it gives a different answer every time.