1

我对我已经发布的东西有疑问,但我想我会再次问这个问题,因为我现在有更多的代码。

我用于教程的原始代码

function checkLoggedIn($page)
{
   $loginDiv = '';
   $action = '';
   if (isset($_POST['action']))
   {
      $action = stripslashes ($_POST['action']);
   }

   session_start ();

   // Check if we're already logged in, and check session information against cookies
   // credentials to protect against session hijacking
   if (isset ($_COOKIE['project-name']['userID']) &&
       crypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'],
             $_COOKIE['project-name']['secondDigest']) ==
       $_COOKIE['project-name']['secondDigest'] &&
       (!isset ($_COOKIE['project-name']['username']) ||
        (isset ($_COOKIE['project-name']['username']) &&
         Users::checkCredentials($_COOKIE['project-name']['username'],
                                 $_COOKIE['project-name']['digest']))))
   {
      // Regenerate the ID to prevent session fixation
      session_regenerate_id ();

      // Restore the session variables, if they don't exist
      if (!isset ($_SESSION['project-name']['userID']))
      {
         $_SESSION['project-name']['userID'] = $_COOKIE['project-name']['userID'];
      }

      // Only redirect us if we're not already on a secured page and are not
      // receiving a logout request
      if (!isSecuredPage ($page) &&
          $action != 'logout')
      {
         header ('Location: ./');

         exit;
      }
   }
   else
   {
      // If we're not already the login page, redirect us to the login page
      if ($page != Page::LOGIN)
      {
         header ('Location: login.php');

         exit;
      }
   }

   // If we're not already logged in, check if we're trying to login or logout
   if ($page == Page::LOGIN && $action != '')
   {
      switch ($action)
      {
         case 'login':
         {
            $userData = Users::checkCredentials (stripslashes ($_POST['login-username']),
                                                 stripslashes ($_POST['password']));
            if ($userData[0] != 0)
            {
               $_SESSION['project-name']['userID'] = $userData[0];
               $_SESSION['project-name']['ip'] = $_SERVER['REMOTE_ADDR'];
               $_SESSION['project-name']['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
               if (isset ($_POST['remember']))
               {
                  // We set a cookie if the user wants to remain logged in after the
                  // browser is closed
                  // This will leave the user logged in for 168 hours, or one week
                  setcookie('project-name[userID]', $userData[0], time () + (3600 * 168));
                  setcookie('project-name[username]',
                  $userData[1], time () + (3600 * 168));
                  setcookie('project-name[digest]', $userData[2], time () + (3600 * 168));
                  setcookie('project-name[secondDigest]',
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));
               }
               else
               {
                  setcookie('project-name[userID]', $userData[0], false);
                  setcookie('project-name[username]', '', false);
                  setcookie('project-name[digest]', '', false);
                  setcookie('project-name[secondDigest]',
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));
               }

               header ('Location: ./');

               exit;
            }
            else
            {
               $loginDiv = '<div id="login-box" class="error">The username or password ' .
                           'you entered is incorrect.</div>';
            }
            break;
         }
         // Destroy the session if we received a logout or don't know the action received
         case 'logout':
         default:
         {

            // Destroy all session and cookie variables
            $_SESSION = array ();
            setcookie('project-name[userID]', '', time () - (3600 * 168));
            setcookie('project-name[username]', '', time () - (3600 * 168));
            setcookie('project-name[digest]', '', time () - (3600 * 168));
            setcookie('project-name[secondDigest]', '', time () - (3600 * 168));

            // Destory the session
            session_destroy ();

            $loginDiv = '<div id="login-box" class="info">Thank you. Come again!</div>';

            break;
         }
      }
   }

   return $loginDiv;
}

我的代码:

<?php

function encrypt($input)
{
$hash = password_hash($input, PASSWORD_DEFAULT);
return $hash;
}

function checkUserCreds($username, $password)
{
    $id = 0;
    $hash = '';

    $db = new PDO('$dbDNS', '$dbuser', '$dbpass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //Set error mode
    try
    {
        $st = $db->prepare("SELECT id, login, email, pass FROM users WHERE login =:username");      
        $st->bindParam(':username', $username, PDO::PARAM_STR);
        $success = $st->execute();

        if($success)
        {
            $userData = $st->fetch();
            $hash = $userData['pass'];
            if (password_verify($password, $hash) == $hash)
            {
                $id = $userData['id'];
            }           
        }

    }
    catch (PDOException $e)
    {
        $id = 0;
        $hash = '';
    }
    $db = null;

    return array ($id, $username, $hash);
}

function checkLoggedIn($page)
{
    $loginMess='';
    $action='';
    if (isset($_POST['action']))
    {
        $action = stripslashes($_POST['action']);
    }
    session_start();

    //Check if already logged in and check session information against cookies
    if (isset($_COOKIE['sukd']['id']) && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) == $_COOKIE['sukd']['hashv2'] && (!isset ($_COOKIE['sukd']['username']) || (isset ($_COOKIE['sukd']['username']) && checkUserCreds($_COOKIE['sukd']['username'], $_COOKIE['sukd']['hash']))))
    {
        echo "isset cookies: ON, GOOD <br>";
        // Regenerate the ID to prevent session fixation
        //session_regenerate_id ();
    }   
    else
    {
        // If we are not on the login page, redirect.
        if ($page != 'login')
        {
            header ('Location login.php');
            exit;
        }
    }
    if ($page = 'login' && $action != '')
    {
        switch($action)
        {
            case 'login':
            {
                $userData = checkUserCreds(stripslashes($_POST['username']), stripslashes($_POST['password']));

                if ($userData[0] != 0)
                {
                    $_SESSION['sukd']['id']=$userData[0];
                    $_SESSION['sukd']['ip']=$_SERVER['REMOTE_ADDR'];
                    $_SESSION['sukd']['userAgent']=$_SERVER['HTTP_USER_AGENT'];
                    if(isset($_POST['remember']))
                    {
                        //remember for 7 days
                        setcookie('sukd[id]', $userData[0], time () + (3600 * 168));
                        setcookie('sukd[username]', $userData[1], time() + (3600 * 168));
                        setcookie('sukd[hash]', $userData[2], time() + (3600 * 168));
                        setcookie('sukd[hashv2]', encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']), time () + (3600 * 168));
                    }
                    else
                    {
                        setcookie('sukd[id]', $userData[0], false);
                        setcookie('sukd[username]', '', false);
                        setcookie('sukd[hash]', '', false);
                        setcookie('sukd[hashv2]', encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']), time () + (3600 * 168));
                    }

                    header ('Location: ./');

                    exit;
                }
                else
                {
                    $loginMess = "The username or password you entered is incorrect <br>";
                }
                break;              
            }
            case 'logout':
            default:
            {
                $_SESSION = array();
                setcookie('sukd[id]', '', time () + (3600 * 168));
                setcookie('sukd[username]', '', time() + (3600 * 168));
                setcookie('sukd[hash]', '', time() + (3600 * 168));
                setcookie('sukd[hashv2]', '', time () + (3600 * 168));

                session_destroy();

                $loginMess = "echo 'Successfully logged out <br>'";

                break;          
            }       
        }
    }
    return $loginMess;
}
?>

例如,它被调用checkLogged(login)并在出现问题时输出登录消息。此外,它使用带有操作的隐藏字段来设置案例切换的值、登录或注销。目前,它可以正常登录,添加 cookie 等。

但是,问题是,当用户已经登录时,它应该检查代码。

if (isset($_COOKIE['sukd']['id']) && encrypt($_SERVER['REMOTE_ADDR'] etc..

我无法真正理解原始代码,所以我什至不知道从哪里开始。cookie 数组有点奇怪,它似乎基于两个不同的版本,具体取决于您是 setcookie 还是调用 cookie。

如果有人在不使用顶级方法的情况下有更安全的方法,我很高兴有人能进一步启发我。

我的代码的原件。

digest = hash
decondDigest = hashv2
4

2 回答 2

2

我不会session_start();在函数内调用。如果您在其他任何地方使用 cookie,无论如何您都需要它。将它放在第一个文件的开头,然后放在其他任何地方。

也许使用这个: 

if (!isset($_SESSION))
  {
    session_start();
  }

如果有人在不使用顶级方法的情况下有更安全的方法,我很高兴有人能进一步启发我。

为什么不切换到 $_SESSIONs?

使用 cookie 来确保它的安全是非常繁琐的,因此用户不能自己设置某些数据,就像你现在正在努力的那样。相反,我无法在您的服务器上设置 $_SESSION。

然后,在一个非常基本的例子中:

//your login script
//if logged in successful:
$_SESSION['loggedin']['username']=$username; //from DB
$_SESSION['loggedin']['whatever']=$whatever;

//Then your login check just checks the session
if (!isset($_SESSION['loggedin']))
  {
    //redirect to login page or don't server them user stuff
  }

然后,您无需担心不希望他们看到的散列数据等。根据您的安全要求,您可以在会话中检查和设置各种内容。

重要的是,您目前如何拥有它,当您检查 cookie 中的一些细节时,人们可以设置自己的 cookie,这意味着您的代码可能只是检查用户设置的 cookie 并认为他们已登录并授予他们访问权限,也许是另一个用户的帐户。

会话虽然不是 100% 安全的,但它是非常安全的,因为它存储在 Web 根目录之外的服务器上,这意味着有人摆弄它们,它们已经在服务器中,并且设置会话是他们需要做的最后一件事是造成破坏。

于 2013-09-21T11:52:36.057 回答
0

找出它不起作用的原因。当我应该使用 password_verify 时,我正在使用 password_hash 重新散列。这意味着它每次都给出不同的答案。

于 2013-09-21T13:07:59.450 回答