-2

我正在为一个个人项目工作,我正在开发一个简单的登录系统,它具有简单的授权方法,例如 is_logged_in、login、register 和 logout。

我想知道如何使我的登录系统免受劫持、中间人和固定?

这是我的代码:

    class Auth extends Session
{
    public $ip_address;
    public $timestamp;
    public $user_agent;

    public function __construct()
    {
        $this->ip_address = $_SERVER['REMOTE_ADDR'];
        $this->user_agent = $_SERVER['HTTP_USER_AGENT'];
        $this->timestamp = date('Y-m-d H:i:s');
    }
    public function login($table = 'users',$username,$password,$username_column = 'username',$password_column = 'password')
    {
        if(!isset($username,$password))
        {
            return FALSE;
        } else {

            $username = mysql_real_escape_string($username);
            $password = md5(strip_tags($password));
            $query = "SELECT * FROM $table WHERE $username_column='$username' AND $password_column='$password'";
            if(mysql_num_rows($query) != 0)
            {
                $session_vars = array(
                    'session_id' => session_id(),
                    'username' => stripcslashes($username),
                    'ip_address' => $this->ip_address,
                    'user_agent' => $this->user_agent,
                    'timestamp' => $this->timestamp
                );
                $this->set_array($session_vars);
                $session_query = "INSERT INTO sessions(session_id,username,ip_address,user_agent,timestamp)";
                $session_query .= "VALUES('".implode(",'",$session_vars)."')";
                mysql_query($session_query) or die(mysql_error());
                return TRUE;

            }else{ 
                return FALSE;
            }
        }

    }
4

1 回答 1

0

劫持/固定:在每个请求上重新生成您的 SID。

中间人攻击:使用 SSL

看在上帝的份上,不要通过GETor接受会话信息POST

于 2012-08-05T22:39:06.047 回答