
I have almost finished the code for my login system. I let the user attempt to log in 3 times, and each time they get a message saying they have a certain number of attempts left. I have also written code so that if they have been logged in for 5 minutes they are automatically logged out. I am struggling to work out how to lock a user out for 10 minutes based on session variables. Can anyone tell me where to set the session variable ['LoginID'] and what condition it needs to be in, because at the moment I get an error saying it is an undefined variable. If anyone could help me using my current code rather than giving a completely different approach, that would be great, because then I could actually understand it. Here is my code:

//careMarkBase starts a session, connects to the DB and has the following code for logging out a user after 5 minutes(which works)
$duration = (5 * 60);
if(isset($_SESSION['started'])){

    $time = ($duration - (time() - $_SESSION['started']));

    if($time <= 0){

        session_unset();
        session_destroy();          
    }
}
else{

  $_SESSION['started'] = time();
}

Here is the login PHP:

<?php include "CareMarkBase.php"; ?>  
    <?php
    if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
        {
            echo "<p>Thanks for logging in <b>".$_SESSION['FName']." ".$_SESSION['SName']."</b>.</p>";
            echo "<a href='CareMarkLogout.php'><input name='logoutBtn' type='submit' value='Logout'/></a>";
            #set failed_login_attempts = 0
            $set_failed_login_attempts=mysql_query("UPDATE login SET failed_login_attempts=0 WHERE LoginID=".$_SESSION['LoginID']);

        }
        elseif(!empty($_POST['username']) && !empty($_POST['password']))
        {
            $userID = mysql_real_escape_string($_POST['username']);
            $password = md5(mysql_real_escape_string($_POST['password']));

            $checkloginEmp = mysql_query("SELECT * FROM UserDetails WHERE UserID = '".$userID."' AND Password = '".$password."'") or die(mysql_error());

            if(mysql_num_rows($checkloginEmp) == 1)
            {
                $row = mysql_fetch_array($checkloginEmp);
                $_SESSION['Username'] = $userID;
                $_SESSION['FName'] = $row['FName'];
                $_SESSION['SName'] = $row['SName'];
                $_SESSION['LoggedIn'] = 1;


                echo "<meta http-equiv='refresh' content='1;CareMarkLogin2.php'/>";
            }
            else
            {
                if (isset($_SESSION['LoggedAttempts'])){
                    $_SESSION['LoggedAttempts']++;
                }
                else{
                    $_SESSION['LoggedAttempts'] = 0;
                }

                $login = mysql_query("SELECT failed_login_attempts, last_failed_login FROM login WHERE LoginID ='".$_SESSION['LoginID']."'")or die(mysql_error()); 

                if(mysql_num_rows($login) == 0){

                    #create failed_login_attempts = failed_login_attempts + 1 AND last_failed_login = NOW()
                    $failed_login_attempts=mysql_query("INSERT INTO login VALUES ('','".$_SESSION['LoggedAttempts']."',NOW())");
                }

                else{
                    $row = mysql_fetch_array($login);
                    $_SESSION['LoginID'] = $row['LoginID'];
                    $update_failed_login_attempts=mysql_query("UPDATE login SET failed_login_attempts='".$_SESSION['LoggedAttempts']."', 
                    last_failed_login = NOW() WHERE LoginID ='".$_SESSION['LoginID']."'") or die(mysql_error());
                }
            }


                $login_attempts_remaining=2 - $_SESSION['LoggedAttempts'];

                if ($login_attempts_remaining<=0){
                    echo 'Locked out!';
                    //going to add code here after to check if they were locked out for more than 10 minutes then to set failed login attempts back to zero
                }
                else{

                echo "Login Details Incorrect<p></p><p></p>";
                echo "<p>Please try again or contact head office on 091 771705</p>
                      <p>You have ". $login_attempts_remaining ." login attempts remaining. </p>
                      <p> <form action='CareMarkLogin2.php' method='POST'>
                            <input type='submit' name='login' id='login' value='Try again'/>
                          </form>
                      </p>";
                }
        }
        //}

    else{

        ?>  
        <div id="mainText" style="width:400px;text-align:center;float:left" class="post">
            <form method="post" action="CareMarkLogin2.php" name="loginform" id="loginform">
                <fieldset>
                    <label for="username">Username:</label>
                        <input type="text" name="username" id="username"/><br/><br/>
                    <label for="password">Password:</label>
                        <input type="password" name="password" id="password"/><br/><br/>
                    <input type="submit" name="login" id="login" value="Login"/>
                </fieldset>
            </form>
        </div>
        <?php
        }
        ?>

1 Answer


After validating the account details, check whether they should be locked out.

        if(mysql_num_rows($checkloginEmp) == 1)
        {
            // Check if they're locked out
            $checkLockout = mysql_query("SELECT * FROM login
                                         WHERE LoginID = '$userID'
                                         AND failed_login_attempts >= 3
                                         AND last_failed_login > DATE_SUB(NOW(), INTERVAL 10 MINUTE)") or die(mysql_error());
            if (mysql_num_rows($checkLockout) > 0) {
                echo "Locked out!";
            } else {
                $row = mysql_fetch_array($checkloginEmp);
                $_SESSION['Username'] = $userID;
                $_SESSION['FName'] = $row['FName'];
                $_SESSION['SName'] = $row['SName'];
                $_SESSION['LoggedIn'] = 1;
            }

            echo "<meta http-equiv='refresh' content='1;CareMarkLogin2.php'/>";
        }

Alternatively, you could do the check before validating the password.

Answered 2013-05-12T17:14:13.273
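The lockout logic that the question and the answer describe, as an added example that belongs to neither post: a Python/sqlite3 stand-in for the page's PHP/MySQL, with constructed `UserDetails` and `login` tables and a constructed user `alice`. It keeps the failure counter per account in the `login` table instead of in `$_SESSION` (a session counter disappears as soon as the client starts a new session), checks the lockout before the password is verified, as the answer's alternative suggests, and restarts a counter that is older than the 10-minute window; PBKDF2 stands in for the page's `md5()`.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_ATTEMPTS = 3           # the third consecutive failure locks the account
LOCKOUT_SECONDS = 10 * 60  # the 10-minute window from the question

def hash_password(password, salt):
    # PBKDF2 stands in for the page's md5(); constructed example, not the site's code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def setup_db():
    # In-memory stand-in for the page's MySQL tables, seeded with a constructed user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserDetails (UserID TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB)")
    db.execute("CREATE TABLE login (UserID TEXT PRIMARY KEY, "
               "failed_login_attempts INTEGER NOT NULL, last_failed_login INTEGER NOT NULL)")
    salt = os.urandom(16)
    db.execute("INSERT INTO UserDetails VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

def is_locked_out(db, user_id, now):
    # Same predicate as the answer's query: attempts >= 3 AND last failure within 10 minutes.
    row = db.execute("SELECT failed_login_attempts, last_failed_login FROM login "
                     "WHERE UserID = ?", (user_id,)).fetchone()
    return row is not None and row[0] >= MAX_ATTEMPTS and now - row[1] < LOCKOUT_SECONDS

def record_failure(db, user_id, now):
    # Returns the new failure count; a counter older than the window restarts from 1.
    row = db.execute("SELECT failed_login_attempts, last_failed_login FROM login "
                     "WHERE UserID = ?", (user_id,)).fetchone()
    attempts = 1 if row is None or now - row[1] >= LOCKOUT_SECONDS else row[0] + 1
    db.execute("INSERT OR REPLACE INTO login VALUES (?, ?, ?)", (user_id, attempts, now))
    return attempts

def attempt_login(db, user_id, password, now=None):
    """Returns (status, attempts_remaining); status is 'ok', 'failed' or 'locked'."""
    now = int(time.time()) if now is None else now
    if is_locked_out(db, user_id, now):  # checked first, so a correct password
        return ("locked", 0)             # offered during the lockout is still rejected
    row = db.execute("SELECT Salt, PasswordHash FROM UserDetails WHERE UserID = ?",
                     (user_id,)).fetchone()
    if row is not None and hmac.compare_digest(row[1], hash_password(password, row[0])):
        db.execute("DELETE FROM login WHERE UserID = ?", (user_id,))  # success clears the counter
        return ("ok", MAX_ATTEMPTS)
    attempts = record_failure(db, user_id, now)
    return ("locked", 0) if attempts >= MAX_ATTEMPTS else ("failed", MAX_ATTEMPTS - attempts)
```

Unknown usernames are counted the same way as real ones, so the lockout response does not reveal which accounts exist.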