1

几乎让我的登录脚本正常工作,但会话变量出现了一个奇怪的问题。我创建了运行登录代码的会话变量

./includes/functions.php

由于某种原因,它们在同一页面上不存在,因为我的 check_login 函数也在 functions.php 页面上。但是当我进行检查时它失败了:

function login_check($mysqli) {
    //Check if session variables are met
    if (isset($_SESSION['user_id'], $_SESSION['email'], $_SESSION['login_string'])) {

我有另一个名为 process_login.php 的页面,位于

./php/process_login.php

会话变量在这里工作,因为我从以下代码中获得了正确的信息

<?php
include "../includes/db_connect.php";
include "../includes/functions.php";
include "../includes/required.php";

if(isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = hash('sha512', $_POST['p']); //Encrypted password

    if (login($email, $password, $mysqli) == true) {
        //Login success
        echo "Logged in!";
        //header("Location: ".ROOT."index.php");;
    } else {
        //Not user found
        echo "Not user found with those details";
    }
}
?>
<h1>You are logged in as <?=$_SESSION['email']?>!</h1>
<h2>Your user ID is: <?=$_SESSION['user_id']?>.</h2>
<h2>You have <?=$_SESSION['perms']?> rights.</h2>

这是我创建会话变量的登录脚本

function login($email, $password, $mysqli) {
    //Use prepared statements to stop SQL Injection
    if ($stmt = $mysqli->prepare("SELECT id, email, password, salt, perms FROM users WHERE email = ? LIMIT 1")) {
        $stmt->bind_param('s', $email); //Bind "$email" to paramater
        $stmt->execute(); //Execute the query
        $stmt->store_result();
        $stmt->bind_result($user_id, $email, $db_password, $salt, $perms); //get variables from result
        $stmt->fetch();
        $password = hash('sha512', $password.$salt); //hash the password with the unique salt

        if ($stmt->num_rows == 1) { //If user exists
            //Check that user account isn't locked
            if (checkbrute($user_id, $mysqli) == true) {
                //Account is locked, alert user
                return false;
            } else {
                if ($db_password == $password) { //Check that passwords match
                    //matches, create session
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['email'] = $email;
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; //Create hash with password and user agent
                    $_SESSION['login_string'] = hash('sha512',$password.$user_browser);
                    $_SESSION['perms'] = $perms;
                    return true;
                }
            }
        } else {
            return false;
        }
    } else { 
        //Error
        echo "Prepare failed: (".$mysqli->errno.") ".$mysqli->error;
    }
}

这可能是我的会话脚本的问题,如下所示。甚至需要这个脚本还是我可以简单地使用

session_start();

我正在使用脚本使其更加安全。

function sec_session_start() {
    $session_name = 'ppa_session_id'; //Custom session name
    $secure = false; //Set to true if using https
    $httponly = true; //Stops JavaScript being able to access session id

    ini_set('session.use_only_cookies', 1); //Force current cookie params

    $cookieParams = session_get_cookie_params(); //Gets current cookie params
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); //Sets the session name to the custom one
    session_start(); //Start the session
    session_regenerate_id(); //regenerate the session, delete the old one
}
4

1 回答 1

6

每个包含 $_SESSION[''] 的页面都需要有 session_start(); 打开php后在页面顶部

于 2013-11-13T23:57:57.933 回答