Login system concept & logic?


Question

I want to know the process which web apps usually follow to maintain login between multiple requests, and also how they manage things using COOKIES.

In my login form I am providing a "Remember Me" feature.

When a user logs in, I check the username and password validity from the database. If it is valid then I check if "Remember me" is selected; if yes, then I store the username and password in the session, in encrypted format. And finally I store the username and password in the SESSION.

When the user navigates from one page to another, first I run a login check script which checks if there is any value in cookies, then it validates that username and password from the database to check their validity. If there is no value in the cookie and there is some value in the session, then I am fetching the session value and not checking it from the db.

I am not checking the session value from the db so as not to hit the db unnecessarily, to speed things up. In the case of cookies, they can be modified, so a check is needed.

This is my concept, is it right? Is it the way to go, and do websites like SO and others normally work with this kind of method?

Or do websites check login authenticity on each page load, no matter whether it's in the session or in cookies?

Please check and give your thoughts and concepts for this scenario.

Thanks!

Accepted answer

First, just track if someone is logged in. After that, we'll take care of the "remember me" feature.

To know if there's someone logged in, you just look at the $_SESSION array. Everything that's in there is because you put it there before. So, when processing a login form, if username & password are correct, then you store the username, user id or whatever in the session ($_SESSION['username'] = $username;).

Whenever the user loads any page, you just check

if (isset($_SESSION['username'])) {
    // $_SESSION['username'] is logged in
} else {
    // nobody is logged in
}

There's no need to store the password in the $_SESSION (in fact, for security purposes, it's better to not store it anywhere except hashed in the database).

Now, the "remember me" feature... First, some considerations:

  • Any user can modify their browser's cookies, so you need to make sure the cookie sent to your application has not been tampered with.
  • The user may check it on a public computer (a library or similar), so you need a system to invalidate it.
  • If the user logs out of your application, the cookie that remembers him/her must be deleted.

For the first point, imagine that on the cookie you store the username of the user to be "remembered" (VERY INSECURE!!). That means that if any user creates a cookie for your web application with the content 'joe', your app will think that user joe is remembered on that computer and so grant access to this attacker as if he/she were joe. So, we need to crypt/hash the cookie in some way.

For the second point, invalidating "remember me" on some computers, we'll use the password in some way. If some user wants to invalidate all computers where he/she might have checked the "remember me" checkbox, all he/she has to do is change his/her password. That also means that if he/she changes his/her password, all saved logins for his/her account will be invalidated, for the same exact reason. But better safe than sorry...

So, when you process a login and the username and password are correct, and the "remember me" option is checked, in addition to saving the username in the session, you store a hash of the username & password (and some salt if you will) in a cookie you send to the user. You also need to store the username in the cookie in plain text (or encrypted in a reversible way) to know which user is trying to "log in" via cookie, and check the hash of username & password in the cookie against the hash of username & password in the database. If that check is correct, you then store the username in the session and no longer check the cookie of this user (at least for this session).

So, overall your code might look like this:

login.php

session_start(); // $_SESSION is only available after the session has been started

if (check_login($_POST['username'], $_POST['password'])) {
    // login correct
    $_SESSION['username'] = $_POST['username'];
    if (isset($_POST['remember_me'])) {
        // we hash the password because we **NEVER** store it in plain text anywhere,
        // so when we later want to check if the cookie value is correct we could not
        // do so if the hash in the cookie had been computed from the plaintext
        // password. Cookie format: "username:md5(username . stored_password_hash)"
        $value = sprintf('%s:%s', $_POST['username'], md5($_POST['username'].hash_password($_POST['password'])));
        // a "remember me" cookie has to outlive the browser session, so give it an
        // expiry (30 days here); HttpOnly keeps it out of reach of client-side scripts
        setcookie('rememberme', $value, time() + 30 * 24 * 3600, '/', '', false, true);
    }
    redirect('/your/home/page.php'); // view Post/Redirect/Get design pattern
} else {
    // login incorrect, show error message and whatever...
}

At the beginning of every php file (or better, in an included file that bootstraps your application):

session_start();

if (isset($_SESSION['username'])) {
    // $_SESSION['username'] is logged in, proceed as you wish
} else if (isset($_COOKIE['rememberme'])) {
    // this user has checked the remember me feature some time ago in a previous login.
    // let's check if it is valid. The cookie has the form "username:hash".
    $parts = explode(':', $_COOKIE['rememberme'], 2);
    $username = $parts[0];
    $hash = isset($parts[1]) ? $parts[1] : ''; // malformed cookie -> empty hash, fails below

    // we need to get the password hash stored for this user (remember you **NEVER** store passwords in plain text);
    // assumed to return null when the username does not exist
    $pwd_hash = obtain_password_hash_from_username($username);
    // compare only the hash part of the cookie (the username is already split off),
    // and do it in constant time so the comparison leaks nothing about the expected value
    if ($pwd_hash !== null && hash_equals(md5($username.$pwd_hash), $hash)) {
        // yeah, the user remembered is correct. We'll save it to the session to not do this shit again
        $_SESSION['username'] = $username;
    } else {
        // the cookie value is not correct so maybe an attacker is trying to fool us,
        // or the user changed his password. Whatever it is, we remove the cookie
        // because it's no longer valid
        setcookie('rememberme', '', time() - 3600);
    }

} else {
    // this user is neither logged in nor "remembered"
}

The method to hash the user password is up to you. You might like plain md5 or sha, salted md5 or sha (better) or some time-consuming method like blowfish (recommended). To hash the cookie I've used plain md5, but you may choose any of the methods described earlier.

I think that's all.
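The remember-me scheme the answer describes, worked through end to end as an added example (not code from the question or the answer, and Python rather than PHP so it runs stand-alone): the cookie is `username:hash(username . stored_password_hash)`, a forged plaintext cookie is rejected, and changing the password invalidates every previously issued cookie. The in-memory `USERS` dict stands in for the database, salted SHA-256 replaces the answer's `hash_password()` and md5, and `hmac.compare_digest` does the constant-time comparison; all of these are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the database: username -> (salt, password_hash).
USERS = {}


def hash_password(password: str, salt: str) -> str:
    # Salted SHA-256 replaces the answer's hash_password(); a slow KDF belongs here in production.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def register(username: str, password: str) -> None:
    # Fresh salt on every (re)registration, so a password change also changes the stored hash.
    salt = secrets.token_hex(8)
    USERS[username] = (salt, hash_password(password, salt))


def check_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, hash_password(password, salt))


def cookie_digest(username: str, pwd_hash: str) -> str:
    # Same construction as the answer's cookie: hash(username . stored_password_hash).
    # Binding the digest to the stored hash is what makes a password change revoke all cookies.
    return hashlib.sha256((username + pwd_hash).encode()).hexdigest()


def make_remember_cookie(username: str) -> str:
    # Issued only after check_login() succeeded and "remember me" was ticked.
    _, pwd_hash = USERS[username]
    return f"{username}:{cookie_digest(username, pwd_hash)}"


def user_from_remember_cookie(cookie: str):
    # Returns the remembered username if the cookie validates, otherwise None.
    # rpartition keeps usernames containing ':' intact; the hex digest never contains one.
    username, sep, digest = cookie.rpartition(":")
    if not sep or username not in USERS:
        return None
    _, pwd_hash = USERS[username]
    if hmac.compare_digest(digest, cookie_digest(username, pwd_hash)):
        return username
    return None


def change_password(username: str, new_password: str) -> None:
    register(username, new_password)  # new salt + hash: every outstanding cookie now fails
```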
