新的PHP登录和会议;这是足够安全？ [英] New to PHP logins and sessions; Is this safe enough?

问题描述

我有一个分类网站，我创建一个登录系统...

I have a classifieds website which I am creating a login system for...

在下面的code，以用户名和密码的表单已提交。也有remember_me功能可用（code尚未测试）：

In the code below, a form with "username" and "password" has been submitted to. Also a "remember_me" feature is available (Code is not tested yet):

else if($row['password']===$pass){
    session_start();
    $_SESSION['logged_in'] = '1';
    $remember_me = isset($_POST['remember']) ? $_POST['remember'] : '0';
    if($remember_me=='1'){

        $text = "SECRET_TEXT_AND_NUMBERS_HERE";
        $username= $row['username'];

        $salt1 = sha1($row['alt_username']);
        $salt2 = sha1($text);

        $cookie_value = $salt1.':'.$username.':'.sha1($row['alt_username'].$salt2.$salt1);

        setcookie("s_b", $cookie_value, time()+60*60*24*100, "/");

    }

}

现在，这是code的良好开端登录页面？

Now, is this code a good start for a login page?

此外，一个重要的后续问题这一切，如果用户想留登录，然后做我设置了 $ _ SESSION 变量就像一个在$如果在网站上的所有网页的开头集C $ C，只是检查？

Also, an important follow-up question to all this, if users want to stay logged in, do I then set a $_SESSION variable like the one in the code, and just check if that is set in the beginning of all pages on the site?

 if(isset($_SESSION['logged_in'])) // Then user is logged in already

或者我检查，看看是否在登录页面创建的Cookie设置检查会话呢？

or do I check to see if the cookie created in the login page is set instead of checking the session?

推荐答案

在日志是关于安全;安全总是比较难那么它似乎。

logging in is about security; security is always more difficult then it seems.

有几件事情，你可以提高你的code。第一：

There are a couple of things that you could improve in your code. first:

为您的密码安全性是在hasing算法的强度。您选择使用 SHA1 （比MD5更好的，但可以通过，如果你使用的PHP版本使用SHA256或bCrypt改进> = 5.3）

the security for your password is in the strength of the hasing algorithm. You choose to use sha1 (better than md5, but could be improved by using sha256 or bCrypt if you use PHP version >= 5.3)

第一结果
您使用的盐被认为是一个随机值，存储沿着散列结果。
换句话说，在数据库中存储的值是：

First
The salt you use is supposed to be a random value, stored alongside the hashed result. in other words, the value to store in your database is:

$salt = [some random string of predifend lenght]; // Let's say 16 characters in length
$storedValue = $salt . sha256($salt . $password);

您查询密码：

if ($row['username'] == $_POST['username']  && substr($row['$storedValue'], 16) == sha256(substr($row['$storedValue'], 0, 16) . $_POST['password'])) {
    // login ok
} else {
    // login fail
}

（更好的）结果
使用经过验证的库的密码散列东西，来看看：便携式PHP的密码哈希框架并尝试使用该算法crypt_blowfish的，如果在所有popssible。

(better yet)
Use a proven library for the password hashing stuff, take a look at: Portable PHP password hashing framework and try to use the CRYPT_BLOWFISH algorithm if at all popssible.

二结果
您应该只存储在会话Cookie的会话密钥。所有其他的信息都存储在服务器上。结果
会话cookie是由PHP的在session_start（）函数调用已经发送出去，所以你不必担心这一点了。

Second
You should only store the session key in the session cookie. all other information is stored on the server.
The session cookie is already send out by PHP's session_start() function call, so you do not have to worry about this anymore.

如果您要检查会话的一生中，你应该存储会话数组中这样的信息：

if you want to check the sessions lifetime, you should store this information in the session array:

$_SESSION['lastActivity'] =  time()+60*60*24*100;

第三结果
记住我的标记是一个密码相当于'，所以你应该只在数据库中存储令牌的哈希值，只是把它当作一个密码，只有这个密码是不是由用户输入，但是从cookie读取。

Third
The remember me token is a 'password equivalent' so you should only store a hash of the token in your database, just treat it as a password, only this 'password' is not typed by the user, but read from the cookie.

这篇关于新的PHP登录和会议;这是足够安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！