dszn2485 2016-02-09 07:21
浏览 54
已采纳

修改我从WikiHow的安全会话登录脚本中获得的代码

I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).

This is the login function (assume every variable is set because the function won't be called unless they are). 

public function login() {
    $error_msg = array();

    // the email and password validation is here
    // if error is found its pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, $email);
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();

            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password.$result->salt);

            // check for number of tries
            if ($this->check_brute($result->user_id) == TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password
                if ($password == $result->password) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);

                    // i want to set the cookie expiry time depending on the
                    // remember me checkbox
                    if ($_POST['remember']) {
                    }

                    // i am guessing somekinda cookie manipulation should
                    // take place here

                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);

                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesnt exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }

    return $error_msg;
}

And this is the code for the session starting:

public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;

    if(ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}

The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?

  • 写回答

1条回答 默认 最新

  • dongwubao4785 2016-02-09 14:45
    关注

    I had the same problem using this script and this is the solution that I came up with.

    In your login function, add this code:

    (I am assuming $_POST['remember'] will be = 1 if user wants to be remembered, 0 otherwise)

    if ($_POST['remember']) {
     $_SESSION['remember'] = $_POST['remember'];
}

    Then in the function sec_session_start() add this after session_start():

    ...

session_name($session_name);
session_start();            

if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }

session_regenerate_id(true);  

...

    The lifetime can obviously be changed to suit you. I chose 2 months for this example.

    What this code is effectively doing is setting another session which contains the information as to whether or not the user wants to remembered.

    The cookie is then initially set with the default value that your server has set for session lifetimes, but if the remember session has a value of 1, it changes this to the lifetime you have set.

    I've not extensively tested this so let me know if any issues arise.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 公交车和无人机协同运输
  • ¥15 stm32代码移植没反应
  • ¥15 matlab基于pde算法图像修复,为什么只能对示例图像有效
  • ¥100 连续两帧图像高速减法
  • ¥15 组策略中的计算机配置策略无法下发
  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据
  • ¥20 给自己本科IT专业毕业的妹m找个实习工作
  • ¥15 用友U8:向一个无法连接的网络尝试了一个套接字操作,如何解决?
  • ¥30 我的代码按理说完成了模型的搭建、训练、验证测试等工作(标签-网络|关键词-变化检测)