我想在我的项目中实现来自WikiHow的安全登录脚本。我已经让它在CodeIgniter中工作。我想通过在用户关闭浏览器时注销用户来对其进行一些修改(除非他在登录页面上选中Remember Me
)。
这是登录函数(假设每个变量都已设置,因为除非它们被调用,否则不会调用该函数)。
public function login() {
$error_msg = array();
// the email and password validation is here
// if error is found its pushed into the $error_msg array
// find the user corresponding to the given email address
$sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
$query = $this->db->query($sql, $email);
if ($query) {
if ($query->num_rows() == 1) {
$result = $query->row();
// user is found
// hash the pass with the salt
$password = hash('sha512', $password.$result->salt);
// check for number of tries
if ($this->check_brute($result->user_id) == TRUE) {
// account locked for repeated failed login attempts
$error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
// return FALSE;
} else {
// check password
if ($password == $result->password) {
$user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
$user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
$username = preg_replace("/[^a-zA-Z0-9_'-]+/", "", $result->username);
// i want to set the cookie expiry time depending on the
// remember me checkbox
if ($_POST['remember']) {
}
// i am guessing somekinda cookie manipulation should
// take place here
// assign session variables
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $password.$user_browser);
return TRUE; // login success
} else {
// wrong password input
// add activity in database
$sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
$this->db->query($sql, array($result->user_id, time()));
$error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
// return FALSE;
}
}
} else {
// user doesnt exist
// return FALSE;
$error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
}
}
return $error_msg;
}
这是会话启动的代码:
public function sec_session_start() {
$session_name = "sec_session_id";
$secure = FALSE; // dev mode
$httponly = TRUE;
if(ini_set('session.use_only_cookies', 1) === FALSE) {
$error_msg = '<p>Could not initiate a secure session.</p>';
return $error_msg;
}
$cookieParams = session_get_cookie_params();
session_set_cookie_params(
$cookieParams['lifetime'],
$cookieParams['path'],
$cookieParams['domain'],
$secure,
$httponly);
session_name($session_name);
session_start();
session_regenerate_id(TRUE);
return TRUE;
}
唯一引用 cookie 的地方是在注销功能中未设置它的地方。当用户登录时,我应该怎么做才能根据他们在"记住我"上的选择来设置 cookie 到期时间?
我在这个脚本上遇到了同样的问题,这就是我想出的解决方案。
在您的登录函数中,添加以下代码:
(我假设如果用户想要被记住,$_POST['remember']
将是 = 1,否则为 0)
if ($_POST['remember']) {
$_SESSION['remember'] = $_POST['remember'];
}
然后在函数sec_session_start()
session_start()
后添加以下内容:
...
session_name($session_name);
session_start();
if($_SESSION['remember'] == 1){ session_set_cookie_params(60*60*24*60); }
session_regenerate_id(true);
...
寿命显然可以改变以适应你。我为这个例子选择了 2 个月。
此代码有效地执行的是设置另一个会话,其中包含有关用户是否要记住的信息。
然后,Cookie 最初设置为服务器为会话生存期设置的默认值,但如果记住会话的值为 1,则会将其更改为您设置的生存期。
我还没有对此进行广泛测试,所以如果出现任何问题,请告诉我。