如何创建安全的php登录系统,从而允许“保持登录状态";功能? [英] how to create a secure php login system, allowing for "keep me logged in" functionality?
问题描述
我使用基于SESSION vars的简单登录系统.用户登录后,将设置一个会话变量,该变量告诉我的脚本该用户将被接受.我不使用任何自定义客户端cookie变量.
I use a simple login system based on SESSION vars. Once the user logs in, a session var is set that tells my script the user is to be accepted in. I don't use any custom clientside cookie var.
我想在登录屏幕上提供全天保持记录"的选项.如何以一种安全的方式做到这一点?
I would like to offer the option on the login screen that says "keep me loggued in the whole day". How does one do that in a secure way?
推荐答案
首先:配置 session.cookie_lifetime 指令,可以在php.ini,配置文件中,也可以通过
First: Configure the session.cookie_lifetime directive, either in php.ini, configuration files, or via session_set_cookie_params().
接下来,在会话中存储用户名和密码的哈希值,并在每个页面上验证该登录名.只要它仍然有效,他们就可以保持登录状态.
Next, store the username and the hash value of the password in the session, and validate that login on every page. As long as it's still valid, they get to stay logged in.
会话cookie的自然到期通常应该使事情保持整洁,因为如果他们保持活动状态,则不会有任何人在会话过程中退出(当然,如果星标对齐了).但是,如果失败了,我会考虑紧跟eCartoth的解决方案,因为您可以在if语句中添加第二行:
The session cookie's natural expiration should generally keep things tidy, as you won't have anyone getting logged out in the middle of their session (if the stars aligned for it, of course) if they keep it active. Failing that, though, I'd consider eCartoth's solution a close second, as you could just add a second line to the if statement:
if (my_validate_user_function($_SESSION['username'],$_SESSION['passhash'])
&& $_SESSION['deathstamp'] > time()
) {
// user is logged in again, oh boy!
}
else {
// send in the death robots
header('Location: /login.php',true,302);
}
您可能要考虑的一件事是会话固定和/或会话劫持.为了防止这种情况,我建议使用以下两种解决方案中的一种(或两种):
One thing you might want to consider is session fixation and/or session hijacking. In order to prevent that, I'd recommend one (or both) of two solutions:
- 在会话中存储用户的IP地址
- 每次成功登录后,使用
session_regenerate_id()尝试.
这篇关于如何创建安全的php登录系统,从而允许“保持登录状态";功能?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
