dszn2485 2016-02-09 07:21
浏览 54
已采纳

修改我从WikiHow的安全会话登录脚本中获得的代码

I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).

This is the login function (assume every variable is set because the function won't be called unless they are). 

public function login() {
    $error_msg = array();

    // the email and password validation is here
    // if error is found its pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, $email);
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();

            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password.$result->salt);

            // check for number of tries
            if ($this->check_brute($result->user_id) == TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password
                if ($password == $result->password) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);

                    // i want to set the cookie expiry time depending on the
                    // remember me checkbox
                    if ($_POST['remember']) {
                    }

                    // i am guessing somekinda cookie manipulation should
                    // take place here

                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);

                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesnt exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }

    return $error_msg;
}

And this is the code for the session starting:

public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;

    if(ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}

The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?

  • 写回答

1条回答 默认 最新

  • dongwubao4785 2016-02-09 14:45
    关注

    I had the same problem using this script and this is the solution that I came up with.

    In your login function, add this code:

    (I am assuming $_POST['remember'] will be = 1 if user wants to be remembered, 0 otherwise)

    if ($_POST['remember']) {
     $_SESSION['remember'] = $_POST['remember'];
}

    Then in the function sec_session_start() add this after session_start():

    ...

session_name($session_name);
session_start();            

if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }

session_regenerate_id(true);  

...

    The lifetime can obviously be changed to suit you. I chose 2 months for this example.

    What this code is effectively doing is setting another session which contains the information as to whether or not the user wants to remembered.

    The cookie is then initially set with the default value that your server has set for session lifetimes, but if the remember session has a value of 1, it changes this to the lifetime you have set.

    I've not extensively tested this so let me know if any issues arise.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 metadata提取的PDF元数据,如何转换为一个Excel
  • ¥15 关于arduino编程toCharArray()函数的使用
  • ¥100 vc++混合CEF采用CLR方式编译报错
  • ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
  • ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
  • ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
  • ¥50 如何openEuler 22.03上安装配置drbd
  • ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
  • ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
  • ¥15 Windows11, backspace, enter, space键失灵