douxin8749 2013-09-20 12:49
Views: 31
Accepted

Checking session information against cookies is confusing

I have been trying to use some code but to use it a bit more to my purposes. The original code went as follows for the isset but it is SO confusing.

// Check if we're already logged in, and check session information against cookies
// credentials to protect against session hijacking
if (isset ($_COOKIE['project-name']['userID']) &&
   crypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'],
         $_COOKIE['project-name']['secondDigest']) ==
   $_COOKIE['project-name']['secondDigest'] &&
   (!isset ($_COOKIE['project-name']['username']) ||
    (isset ($_COOKIE['project-name']['username']) &&
     Users::checkCredentials($_COOKIE['project-name']['username'],
                             $_COOKIE['project-name']['digest']))))
{
    // ... (body not quoted in the question)
}

My current code:

function encrypt($input)
{
    $hash = password_hash($input, PASSWORD_DEFAULT);
    return $hash;
}

function checkUserCreds($username, $password)
{
    //do code at some point
    return $username;
    return $password;
}

function checkLoggedIn($page)
{
    session_start();

    //Check if already logged in and check session information against cookies
    if (isset($_COOKIE['sukd']['id'])
        && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
        && (!isset($_COOKIE['sukd']['login'])
            || (isset($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
    {
        //Some code here.. eventually
    }
}

Whilst I have fixed the syntax error, I am genuinely confused by the thing I am trying to copy off.



1 answer

  • dounianji7883 2013-09-20 13:39
    function encrypt($input)
    {
        $hash = password_hash($input, PASSWORD_DEFAULT);
        return $hash;
    }

    password_hash() creates a new password hash using a strong one-way hashing algorithm.
    Calling encrypt($input) will return the hashed password.

    function checkUserCreds($username, $password)
    {
        //do code at some point
        return $username;
        return $password;
    }
    


    Calling checkUserCreds($username, $password) will just return what you submitted,
    unless you put some code at
    //do code at some point

    function checkLoggedIn($page)
    {
        session_start();

        //Check if already logged in and check session information against cookies
        if (isset($_COOKIE['sukd']['id'])
            && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
            && (!isset($_COOKIE['sukd']['login'])
                || (isset($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
        {
            //Some code here.. eventually
        }
    }

    I tried to break down the checkLoggedIn function:

    (1) if (isset($_COOKIE['sukd']['id'])
    (2) && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
    (3) && (!isset($_COOKIE['sukd']['login'])
        || (isset($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
    {
        //Some code here.. eventually
    }
    
    
    $_SERVER['REMOTE_ADDR'] = visitor's IP
    $_SERVER['HTTP_USER_AGENT'] = visitor's browser
    $_COOKIE['sukd']['hashv2'] = your defined cookie (I GUESS it is your password)
    $_COOKIE['sukd']['login'] = user defined cookie (I GUESS it checks if logged in)

    (1). You check if $_COOKIE['sukd']['id'] is set, and

    (2). create a password hash by calling the encrypt function and compare it to the cookie $_COOKIE['sukd']['hashv2']:
    encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
    encrypt is a user defined function where you pass the combination of $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'] to retrieve a password hash.

    (3). You check if $_COOKIE['sukd']['login'] exists, or
    the cookie is set and you call the function that returns
    $_COOKIE['sukd']['login'] (username), $_COOKIE['sukd']['hash'] (password).
    If any of the 3 fails, it will not proceed.
    


    EDIT
    Also, you are comparing

    $_COOKIE['sukd']['hashv2']

    (if) equal to

    encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'])

    that has

    $_COOKIE['sukd']['hashv2']

    which I believe will return false.

    Also, be careful in number 3:
    it will return true if

    $_COOKIE['sukd']['login'] is not set

    or

    $_COOKIE['sukd']['login'] is set and $_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']
    will just return the param (not empty).

    Also, make sure you set the cookies before calling checkLoggedIn().
    Hope this helps.


    This answer was chosen by the asker as the best answer.
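The two problems the answer points at, as an added worked example that is not code from the question or the answer: password_hash() output is salted, so `encrypt($x . $cookie) == $cookie` can never be true and only password_verify() can check such a hash; and a session-binding digest has to be something the server can recompute on every request, shown here as an HMAC over IP and User-Agent keyed with a server-side secret. The cookie name 'sukd', the user table, the session store, the constant BINDING_SECRET and the sample request values are assumptions made for this demo.

```php
<?php
// Added example; not code from the question or the answer. Demonstrates
// why "encrypt($x . $cookie) == $cookie" is always false and one way to
// bind a login cookie to the client's IP and User-Agent that the server
// can actually verify. Cookie name, user table, session store, secret and
// request values below are assumptions made for this demo.

// Assumed server-side key. Load it from configuration in real code; it is
// never sent to the client, which is what makes the digest unforgeable.
const BINDING_SECRET = 'demo-only-replace-with-32-random-bytes';

// password_hash() salts randomly: same input, two calls, two different
// strings. Both still verify, which is why password_verify() must be used.
function saltedHashesDiffer(string $input): bool
{
    $first  = password_hash($input, PASSWORD_DEFAULT);
    $second = password_hash($input, PASSWORD_DEFAULT);
    return $first !== $second
        && password_verify($input, $first)
        && password_verify($input, $second);
}

// Login-time credential check against stored password_hash() values.
function checkUserCreds(string $username, string $password, array $users): bool
{
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Deterministic, keyed digest the server can recompute on every request.
function bindingDigest(string $ip, string $userAgent): string
{
    return hash_hmac('sha256', $ip . "\0" . $userAgent, BINDING_SECRET);
}

// Per-request check. The cookie carries a random session token, not the
// password; the server keeps only a SHA-256 of that token. All conditions
// are required: unlike the original, a missing login cookie is a failure,
// not a pass.
function checkLoggedIn(array $cookie, array $server, array $sessions): bool
{
    $c = $cookie['sukd'] ?? [];
    if (!isset($c['id'], $c['hashv2'], $c['login'], $c['hash'])) {
        return false;
    }
    $expected = bindingDigest($server['REMOTE_ADDR'], $server['HTTP_USER_AGENT']);
    // hash_equals() is constant-time; == on secrets leaks timing information.
    if (!hash_equals($expected, $c['hashv2'])) {
        return false;
    }
    $stored = $sessions[$c['login']] ?? null;
    return $stored !== null && hash_equals($stored, hash('sha256', $c['hash']));
}

// --- constructed data so the script runs from the command line ---
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
var_dump(saltedHashesDiffer('correct horse battery staple'));
var_dump(checkUserCreds('alice', 'correct horse battery staple', $users));
var_dump(checkUserCreds('alice', 'wrong password', $users));

// "Login": issue a session token and remember only its hash server-side.
$token    = bin2hex(random_bytes(32));
$sessions = ['alice' => hash('sha256', $token)];
$server   = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$cookie   = ['sukd' => [
    'id'     => '42',
    'login'  => 'alice',
    'hash'   => $token,
    'hashv2' => bindingDigest($server['REMOTE_ADDR'], $server['HTTP_USER_AGENT']),
]];
var_dump(checkLoggedIn($cookie, $server, $sessions));

// The same cookie presented from a different browser fails the binding check.
$otherServer = $server;
$otherServer['HTTP_USER_AGENT'] = 'OtherBrowser/2.0';
var_dump(checkLoggedIn($cookie, $otherServer, $sessions));
```

Run it with `php example.php`. The first three var_dump calls show the salted-hash behaviour and a credential check done with password_verify(); the last two show the cookie accepted from the client it was issued to and rejected when the same cookie arrives with a different User-Agent. Binding to REMOTE_ADDR is a trade-off in practice: clients behind carrier NAT or on mobile networks change address mid-session, so many deployments bind only to the User-Agent and rely on the random token plus HttpOnly/Secure cookie flags instead.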