dszn2485 2016-02-09 07:21
浏览 54
已采纳

修改我从WikiHow的安全会话登录脚本中获得的代码

I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).

This is the login function (assume every variable is set because the function won't be called unless they are). 

public function login() {
    $error_msg = array();

    // the email and password validation is here
    // if error is found its pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, $email);
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();

            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password.$result->salt);

            // check for number of tries
            if ($this->check_brute($result->user_id) == TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password
                if ($password == $result->password) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);

                    // i want to set the cookie expiry time depending on the
                    // remember me checkbox
                    if ($_POST['remember']) {
                    }

                    // i am guessing somekinda cookie manipulation should
                    // take place here

                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);

                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesnt exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }

    return $error_msg;
}

And this is the code for the session starting:

public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;

    if(ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}

The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?

  • 写回答

1条回答 默认 最新

  • dongwubao4785 2016-02-09 14:45
    关注

    I had the same problem using this script and this is the solution that I came up with.

    In your login function, add this code:

    (I am assuming $_POST['remember'] will be = 1 if user wants to be remembered, 0 otherwise)

    if ($_POST['remember']) {
     $_SESSION['remember'] = $_POST['remember'];
}

    Then in the function sec_session_start() add this after session_start():

    ...

session_name($session_name);
session_start();            

if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }

session_regenerate_id(true);  

...

    The lifetime can obviously be changed to suit you. I chose 2 months for this example.

    What this code is effectively doing is setting another session which contains the information as to whether or not the user wants to remembered.

    The cookie is then initially set with the default value that your server has set for session lifetimes, but if the remember session has a value of 1, it changes this to the lifetime you have set.

    I've not extensively tested this so let me know if any issues arise.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

    报告相同问题?

    悬赏问题

    • ¥30 android百度地图SDK海量点显示标题
    • ¥15 windows导入environment.yml运行conda env create -f environment_win.yml命令报错
    • ¥15 这段代码可以正常运行,打包后无法执行,在执行for内容之前一直不断弹窗,请修改调整
    • ¥15 C语言判断有向图是否存在环路
    • ¥15 请问4.11到4.18以及4.27和4.29公式的具体推导过程是怎样的呢
    • ¥20 将resnet50中的卷积替换微ODConv动态卷积
    • ¥15 通过文本框输入商品信息点击按钮将商品信息列举出来点击加入购物车商品信息添加到表单中
    • ¥100 这是什么压缩算法?如何解压?
    • ¥20 upload上传实验报错500,如何解决?(操作系统-windows)
    • ¥15 谁知道 ShaderGraph 那个节点可以接入 Particle System -> Custom Data