How to improve my user login scheme

Views: 97
Question

Question is easy and basic. I've been working with PHP sessions for years and I always managed user login/logout this way:

  1. Start session (session_start() call).
  2. Login: Store a value in the session (i.e. $_SESSION["user_id"] = 34).
  3. Check user logged: Check session value (i.e. isset($_SESSION["user_id"])).
  4. Logout: destroy session (session_destroy() call and unset($_SESSION["user_id"])).

This scheme has worked for me with very easy applications, but now I'm working on a bigger application and this approach is a bit problematic. For instance, I'm not able to implement the "remember" checkbox in the login box, because I'm able to set a bigger session cookie expiration date, but the session ends sooner ($_SESSION["user_id"] not set).

The point is, how can I improve this scheme, or what is the standard scheme to manage user sessions in PHP?

Accepted answer

Your approach is very fine for normal sessions. The problematic bit here is a "remember me" functionality, which needs to be handled differently than a normal session.

A common way to implement that functionality is to store a second cookie with a far expiration date and put the user ID plus a secure hash in it. You need the user ID or some other identification to detect which user comes back, but you also need the secure hash to be sure that the cookie is the one that your web app set and has not been crafted manually. If you do not have a secure hash, people can send a self-built cookie with the user ID and automatically get logged in.

So the secure hash needs to contain information that only your web app knows about, i.e. the user creation date.

You might want to do it like this:

$cookieValue = (int)$user->id . ':' . md5($user->creationDate . '/' . $user->passwordHash);

Since neither creationDate nor passwordHash changes, you can verify the validity of the secure hash when the user tries to log in via cookie. When the user changes his password, the password hash changes and the user needs a new cookie - which is very fine in my eyes, since people who stole the cookie would also be logged out.

If you want additional security, use another value for hash creation, i.e. a special cookie hash that you store along with the other user data. You can create it completely randomly and should change it whenever the user logs in:

// random_bytes() is a CSPRNG; time() and rand() are predictable and must not seed a login token
$randomValue = bin2hex(random_bytes(16));
$user->setCookieValue($randomValue);
$cookieValue = (int)$user->id . ':' . $randomValue;

Now, at login:

// split on the first ':' only and guard the shape, so a malformed cookie cannot raise a PHP notice
$parts = explode(':', $cookieValue, 2);
[$userId, $hash] = count($parts) === 2 ? $parts : [null, null];
$user = $userId !== null ? loadUser((int)$userId) : null;
// hash_equals(): strict, constant-time comparison; loose == would compare numeric-looking strings as numbers
if ($user instanceof User && is_string($user->cookieValue) && hash_equals($user->cookieValue, $hash)) {
    // user logged in
    // generate and set new cookie value
} else {
    // handle invalid persistent cookie
}
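As an added example (not the answer's own code), here is the answer's id:token scheme carried through end to end: issuing the long-lived cookie with a CSPRNG token, storing only a hash of that token server-side, validating it in constant time, and rotating it on every use. The user store is an in-memory array standing in for a database; the constant and function names are assumptions.

```php
<?php
// Added example, not the answer's code. $users stands in for a database
// table; REMEMBER_COOKIE / issueRememberCookie / loginFromRememberCookie
// are names assumed for this illustration.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL = 30 * 24 * 3600; // 30 days

// Constructed sample store: only a SHA-256 hash of the token is kept
// server-side, so a leaked table does not yield usable cookies.
$users = [34 => ['id' => 34, 'remember_hash' => null]];

function issueRememberCookie(array &$users, int $userId): string
{
    $token = bin2hex(random_bytes(32));            // CSPRNG, not rand()/time()
    $users[$userId]['remember_hash'] = hash('sha256', $token);
    $value = $userId . ':' . $token;
    if (PHP_SAPI !== 'cli') {                      // no headers in the CLI demo
        setcookie(REMEMBER_COOKIE, $value, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Returns the user id on success, null otherwise. A valid token is
// rotated on every use, so a copied cookie stops working after one login.
function loginFromRememberCookie(array &$users, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                                // malformed cookie
    }
    [$userId, $token] = [(int)$parts[0], $parts[1]];
    $stored = $users[$userId]['remember_hash'] ?? null;
    if ($stored === null || !hash_equals($stored, hash('sha256', $token))) {
        return null;                                // unknown user or bad token
    }
    issueRememberCookie($users, $userId);           // rotate the token
    return $userId;
}

$cookie = issueRememberCookie($users, 34);
var_dump(loginFromRememberCookie($users, $cookie) === 34);         // bool(true)
var_dump(loginFromRememberCookie($users, $cookie) === null);       // bool(true): old token rotated out
var_dump(loginFromRememberCookie($users, '34:deadbeef') === null); // bool(true)
```

In a real application the user's normal PHP session is still started after a successful cookie login; the persistent cookie only decides whether that session may be created without a password.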

