douxin8749 2013-09-20 20:49
Views: 31
Accepted

Checking session information against cookies is confusing

I have been trying to use some code, but adapt it a bit more to my purposes. The original code went as follows for the isset, but it is SO confusing.

// Check if we're already logged in, and check session information against cookies
// credentials to protect against session hijacking.
// crypt() takes the stored digest as its salt and reproduces the same digest
// for the same input, so the == comparison is a valid check here.
if (isset ($_COOKIE['project-name']['userID']) &&
   crypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'],
         $_COOKIE['project-name']['secondDigest']) ==
   $_COOKIE['project-name']['secondDigest'] &&
   (!isset ($_COOKIE['project-name']['username']) ||
    (isset ($_COOKIE['project-name']['username']) &&
     Users::checkCredentials($_COOKIE['project-name']['username'],
                             $_COOKIE['project-name']['digest']))))
{
    // already logged in
}

My current code:

function encrypt($input)
{
    $hash = password_hash($input, PASSWORD_DEFAULT);
    return $hash;
}

function checkUserCreds($username, $password)
{
    //do code at some point
    return $username;
    return $password;
}

function checkLoggedIn($page)
{
    session_start();

    //Check if already logged in and check session information against cookies
    if (isset($_COOKIE['sukd']['id']) &&
        encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2'] &&
        (!isset ($_COOKIE['sukd']['login']) ||
         (isset ($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
    {
        //Some code here.. eventually
    }
}

Whilst I have fixed the syntax error, I am genuinely confused by the thing I am trying to copy from.


1 answer

  • dounianji7883 2013-09-20 21:39
    function encrypt($input)
    {
        $hash = password_hash($input, PASSWORD_DEFAULT);
        return $hash;
    }

    password_hash() creates a new password hash using a strong one-way hashing algorithm.
    Calling encrypt($input) will return the hashed password.

    function checkUserCreds($username, $password)
    {
        //do code at some point
        return $username;
        return $password;
    }


    Calling checkUserCreds($username, $password) will just return what you submitted,
    unless you add some code at
    //do code at some point

    function checkLoggedIn($page)
    {
        session_start();

        //Check if already logged in and check session information against cookies
        if (isset($_COOKIE['sukd']['id']) && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2'] && (!isset ($_COOKIE['sukd']['login']) || (isset ($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
        {
            //Some code here.. eventually
        }
    }

    I tried to break down the checkLoggedIn function:

    (1) if (isset($_COOKIE['sukd']['id'])
    (2) && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
    (3) && (!isset ($_COOKIE['sukd']['login'])
        || (isset ($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
     {
      //Some code here.. eventually
     }
    
     $_SERVER['REMOTE_ADDR'] = visitor's IP
     $_SERVER['HTTP_USER_AGENT'] = visitor's browser
     $_COOKIE['sukd']['hashv2'] = your defined cookie (I GUESS for your password)
     $_COOKIE['sukd']['login'] = user-defined cookie (I GUESS to check if logged in)

     (1). You check if $_COOKIE['sukd']['id'] is set, and

     (2). create a password hash by calling the encrypt function and compare it to the cookie $_COOKIE['sukd']['hashv2']:
     encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
     encrypt is a user-defined function where you pass the combination of $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'] to retrieve a password hash.

     (3). You check if $_COOKIE['sukd']['login'] exists, or
     the cookie is set and the function is called that returns
     $_COOKIE['sukd']['login'] (username), $_COOKIE['sukd']['hash'] (password).
    If any of the 3 fails, it will not proceed.
    


    EDIT
    Also, you are comparing

    $_COOKIE['sukd']['hashv2']

    (if) equal to

    encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'])

    that has

    $_COOKIE['sukd']['hashv2']

    which I believe will return false.

    Also, be careful in number 3:
    it will return true if

    $_COOKIE['sukd']['login'] is not set

    or

    $_COOKIE['sukd']['login'] is set and $_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']
    will just return the param (not empty).

    Also, make sure you set the cookies before calling checkLoggedIn().
    Hope this helps.

    This answer was selected as the best answer by the asker.
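The answer's point about the hashv2 comparison is worth seeing run. The following is an added example, not code from the question or the answer: password_hash() salts every call, so the asker's encrypt(...) == $_COOKIE['sukd']['hashv2'] comparison can never be true, and the check has to go through password_verify() instead. Assumed names are makeFingerprintDigest(), fingerprintMatches() and a hypothetical checkUserCreds() stand-in; the cookie keys follow the question and $ip, $ua and $cookie are constructed sample values.

```php
<?php
// Added example, not code from the question or the answer. Cookie keys
// 'id', 'hashv2', 'login', 'hash' follow the question; $ip/$ua stand in for
// $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'] (constructed).

// At login: hash the client fingerprint once and store the digest in the cookie.
function makeFingerprintDigest(string $ip, string $ua): string
{
    return password_hash($ip . $ua, PASSWORD_DEFAULT); // fresh random salt each call
}

// On later requests: let password_verify() reuse the salt stored inside $digest.
// Comparing a second password_hash() result with == (the asker's code) never
// matches, because each call salts differently.
function fingerprintMatches(string $ip, string $ua, string $digest): bool
{
    return password_verify($ip . $ua, $digest);
}

// Hypothetical stand-in for the asker's checkUserCreds() stub; a real version
// would look the username up and password_verify() against the stored hash.
function checkUserCreds(string $username, string $digest): bool
{
    return $username !== '' && $digest !== '';
}

function checkLoggedIn(array $cookie, string $ip, string $ua): bool
{
    if (!isset($cookie['id'], $cookie['hashv2'])) {
        return false;                                // no session cookie
    }
    if (!fingerprintMatches($ip, $ua, $cookie['hashv2'])) {
        return false;                                // cookie presented from another client
    }
    // As in the original: 'login'/'hash' are only checked when present.
    if (isset($cookie['login'])) {
        return checkUserCreds($cookie['login'], $cookie['hash'] ?? '');
    }
    return true;
}

// Constructed sample values.
$ip = '203.0.113.10';
$ua = 'Mozilla/5.0 (constructed)';
$cookie = ['id' => '42', 'hashv2' => makeFingerprintDigest($ip, $ua)];

var_dump(password_hash($ip . $ua, PASSWORD_DEFAULT) == $cookie['hashv2']); // the asker's comparison
var_dump(checkLoggedIn($cookie, $ip, $ua));           // same client
var_dump(checkLoggedIn($cookie, '198.51.100.7', $ua)); // different IP
```

Because the IP and User-Agent are not secret, this fingerprint only detects a cookie that has moved to a different client; it is no substitute for a server-side session store keyed by an unguessable ID.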
