dszn2485 2016-02-09 07:21
浏览 54
已采纳

修改我从WikiHow的安全会话登录脚本中获得的代码

I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).

This is the login function (assume every variable is set because the function won't be called unless they are).

public function login() {
    $error_msg = array();

    // the email and password validation is here
    // if error is found its pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, $email);
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();

            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password.$result->salt);

            // check for number of tries
            if ($this->check_brute($result->user_id) == TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password
                if ($password == $result->password) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);

                    // i want to set the cookie expiry time depending on the
                    // remember me checkbox
                    if ($_POST['remember']) {
                    }

                    // i am guessing somekinda cookie manipulation should
                    // take place here

                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);

                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesnt exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }

    return $error_msg;
}

And this is the code for the session starting:

public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;

    if(ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}

The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?

  • 写回答

1条回答 默认 最新

  • dongwubao4785 2016-02-09 14:45
    关注

    I had the same problem using this script and this is the solution that I came up with.

    In your login function, add this code:

    (I am assuming $_POST['remember'] will be = 1 if user wants to be remembered, 0 otherwise)

    if ($_POST['remember']) {
         $_SESSION['remember'] = $_POST['remember'];
    }
    

    Then in the function sec_session_start() add this after session_start():

    ...
    
    session_name($session_name);
    session_start();            
    
    if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }
    
    session_regenerate_id(true);  
    
    ...
    

    The lifetime can obviously be changed to suit you. I chose 2 months for this example.

    What this code is effectively doing is setting another session which contains the information as to whether or not the user wants to remembered.

    The cookie is then initially set with the default value that your server has set for session lifetimes, but if the remember session has a value of 1, it changes this to the lifetime you have set.

    I've not extensively tested this so let me know if any issues arise.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 帮我解决一下膳食平衡的线性规划模型的数据实例
  • ¥40 万年历缺少农历,需要和阳历同时显示
  • ¥250 雷电模拟器内存穿透、寻基址和特征码的教学
  • ¥200 比特币ord程序wallet_constructor.rs文件支持一次性铸造1000个代币,并将它们分配到40个UTXO上(每个UTXO上分配25个代币),并设置找零地址
  • ¥15 关于Java的学习问题
  • ¥15 如何使用chatgpt完成文本分类任务?
  • ¥15 已知速度v关于位置s的等式,怎么转化为已知位置求速度v的等式
  • ¥15 我有个餐饮系统,用wampserver把环境配置好了,但是后端的网页却进去,是为什么,能不能帮远程一下?
  • ¥15 R运行没有名称为"species"的插槽对于此对象类"SDMmodelCV"
  • ¥20 基于决策树的数字信号处理,2ask 2psk 2fsk的代码,检查下报错的原因