0

我有这个功能可以检查用户是否正确登录(一切正常)。成功响应发送这个

// Success array, send back requested information for settings
$response = array(
    'status' => '1',
    'response' => array(
        'uid' => $data->id,
        'email' => $data->email,
        'username' => $data->username,
        'key' => $this->hash($data->id . $data->username . $data->email)
    )
);

$response['response']包含将要设置的所有会话变量。正在设置的示例key如下所示

// Returns this : 5da099bda1be066384e8574f7de198dcef014ce28e99694239d2237b7ec854aa
print $this->registry->user->hash('1','test','test@test.com');

现在在会话变量中设置该键并运行这样的检查是否安全(我目前正在这样做):

public function authenticate_session() {
        if (isset($_SESSION) && !empty($_SESSION)) {
            if ($_SESSION['key'] !== $this->hash($_SESSION['uid'] . $_SESSION['username'] . $_SESSION['email'])) {
                return false;
            } else {
                return true;
            }
        } else {
            return false;
        }
    }

或者我应该将密钥存储在数据库中并对所述数据库运行交叉检查以检查会话是否有效?

然后我会在文件顶部进行检查:

<?php 
    if(!$this->registry->user->authenticate_session()) {
        $this->registry->user->end_session();
        die(header("Location: /user/login));
    }
?>
4

0 回答 0