doubijiao2094 2013-11-10 11:50
Views: 146

How secure is my method of verifying that a user is logged in?

I am creating a directory for local businesses in my town. I am allowing each business to create a profile on the site where they can upload contact info, photos, their location on a Google map, etc.

I have a good knowledge of php but I wouldn't be anywhere near industry standard.

I'm just looking for some advice on authenticating that the business is logged in on the admin pages. The way I have it at the moment is that when their username and password have been verified I create a session for them:

$_SESSION['session_businessid']

This is basically just a session with their business ID that is taken from the businesses table in the MySQL database.

Then on each page that requires the business to be logged in I include a php file called verify_logged_in.php which contains the following code:

<?php
session_start();

// Redirect to the login page unless a business ID was stored in the session at login.
if (!empty($_SESSION['session_businessid']))
{
    $BusinessID = $_SESSION['session_businessid'];
}
else
{
    header("Location: /admin/login.php");
    exit; // header() does not stop the script; without this the protected page still runs
}
?>

I'm just wondering how secure/insecure this method is and if there's any better way of doing it?


1 answer

  • duanmei1536 2013-11-10 12:04

    This is not secure enough as you are storing session variables in default php sessions. You must use secure sessions in order to protect the information from being hacked or misused by session hijacking, XSS attack, etc. You may use the following link to guide you on how to create secure php sessions- Create-a-Secure-Session-Managment-System-in-Php-and-Mysql.

    Alternatively, if you want a simpler but less secure session, then you can use the following code:

    sessions.php:

    function sec_session_start() {
            $session_name = 'sec_session_id'; // Set a custom session name
            $secure = false; // Set to true if using https.
            $httponly = true; // This stops javascript being able to access the session id.

            ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
            $cookieParams = session_get_cookie_params(); // Gets current cookies params.
            session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
            session_name($session_name); // Sets the session name to the one set above.
            session_start(); // Start the php session
            session_regenerate_id(true); // Regenerate the session id; true also deletes the old session data.
    }

    anypage.php:

    include 'sessions.php';
    sec_session_start();
    //rest of the code.
    

    Also, the methods you are using for login will make a difference in the security of the stored information of the businesses.

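The following is an added example, not code from the question or the answer above: one include file that combines the answer's sec_session_start() idea with a corrected version of the asker's verify_logged_in.php, adding a regenerated session id at login, an idle timeout, and the missing exit after the redirect. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params) and an admin area served over HTTPS; the constant name and the 30-minute timeout are assumed values.

```php
<?php
// Added example (not code from the question or the answer): one include that hardens
// both the answer's sec_session_start() and the asker's verify_logged_in.php.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS in production.

const IDLE_TIMEOUT = 1800; // assumed value: seconds of inactivity before the login expires

function sec_session_start(): void {
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_name('sec_session_id');
    session_set_cookie_params([
        'lifetime' => 0,          // cookie dies with the browser
        'path'     => '/admin/',  // only sent to the admin area
        'domain'   => '',
        'secure'   => true,       // HTTPS only (false only on a local dev box)
        'httponly' => true,       // JavaScript cannot read the cookie
        'samesite' => 'Lax',      // not sent with cross-site POSTs
    ]);
    session_start();
}

// Call once the username/password check succeeds: a fresh id at the moment of
// privilege change means an id planted before login is never promoted.
function login_business(int $businessId): void {
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION['business_id'] = $businessId;
    $_SESSION['last_seen']   = time();
}

// Include on every admin page. Returns the business id, or redirects and stops;
// the exit is essential, because header() alone does not halt the script.
function require_business_login(): int {
    $valid = isset($_SESSION['business_id'], $_SESSION['last_seen'])
        && is_int($_SESSION['business_id'])
        && time() - $_SESSION['last_seen'] <= IDLE_TIMEOUT;
    if (!$valid) {
        logout_business();
        header('Location: /admin/login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['business_id'];
}

function logout_business(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }
}
```

The login page calls sec_session_start() and then login_business($id) after the password check; each admin page calls sec_session_start() followed by $BusinessID = require_business_login();.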
