dszn2485 2016-02-09 07:21
浏览 54
已采纳

修改我从WikiHow的安全会话登录脚本中获得的代码

I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).

This is the login function (assume every variable is set because the function won't be called unless they are). 

public function login() {
    $error_msg = array();

    // the email and password validation is here
    // if error is found its pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, $email);
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();

            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password.$result->salt);

            // check for number of tries
            if ($this->check_brute($result->user_id) == TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password
                if ($password == $result->password) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);

                    // i want to set the cookie expiry time depending on the
                    // remember me checkbox
                    if ($_POST['remember']) {
                    }

                    // i am guessing somekinda cookie manipulation should
                    // take place here

                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);

                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesnt exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }

    return $error_msg;
}

And this is the code for the session starting:

public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;

    if(ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}

The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?

  • 写回答

1条回答 默认 最新

  • dongwubao4785 2016-02-09 14:45
    关注

    I had the same problem using this script and this is the solution that I came up with.

    In your login function, add this code:

    (I am assuming $_POST['remember'] will be = 1 if user wants to be remembered, 0 otherwise)

    if ($_POST['remember']) {
     $_SESSION['remember'] = $_POST['remember'];
}

    Then in the function sec_session_start() add this after session_start():

    ...

session_name($session_name);
session_start();            

if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }

session_regenerate_id(true);  

...

    The lifetime can obviously be changed to suit you. I chose 2 months for this example.

    What this code is effectively doing is setting another session which contains the information as to whether or not the user wants to remembered.

    The cookie is then initially set with the default value that your server has set for session lifetimes, but if the remember session has a value of 1, it changes this to the lifetime you have set.

    I've not extensively tested this so let me know if any issues arise.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?
  • ¥15 求daily translation(DT)偏差订正方法的代码
  • ¥15 js调用html页面需要隐藏某个按钮
  • ¥15 ads仿真结果在圆图上是怎么读数的
  • ¥20 Cotex M3的调试和程序执行方式是什么样的?
  • ¥20 java项目连接sqlserver时报ssl相关错误
  • ¥15 一道python难题3
  • ¥15 牛顿斯科特系数表表示
  • ¥15 arduino 步进电机
  • ¥20 程序进入HardFault_Handler