我在一个个人项目中工作,我正在开发一个简单的登录系统,该系统具有简单的授权方法,如is_loged_in、登录、注册和注销。
我想知道如何使我的登录系统免受劫持,中间人和修正?
这是我的代码:
class Auth extends Session
{
public $ip_address;
public $timestamp;
public $user_agent;
public function __construct()
{
$this->ip_address = $_SERVER['REMOTE_ADDR'];
$this->user_agent = $_SERVER['HTTP_USER_AGENT'];
$this->timestamp = date('Y-m-d H:i:s');
}
public function login($table = 'users',$username,$password,$username_column = 'username',$password_column = 'password')
{
if(!isset($username,$password))
{
return FALSE;
} else {
$username = mysql_real_escape_string($username);
$password = md5(strip_tags($password));
$query = "SELECT * FROM $table WHERE $username_column='$username' AND $password_column='$password'";
if(mysql_num_rows($query) != 0)
{
$session_vars = array(
'session_id' => session_id(),
'username' => stripcslashes($username),
'ip_address' => $this->ip_address,
'user_agent' => $this->user_agent,
'timestamp' => $this->timestamp
);
$this->set_array($session_vars);
$session_query = "INSERT INTO sessions(session_id,username,ip_address,user_agent,timestamp)";
$session_query .= "VALUES('".implode(",'",$session_vars)."')";
mysql_query($session_query) or die(mysql_error());
return TRUE;
}else{
return FALSE;
}
}
}
劫持/固定:根据每个请求重新生成SID。
中间人攻击:使用SSL
出于上帝的爱,不要通过GET或POST接受会话信息。