如何使用Cookie和会话创建安全的登录系统? [英] How to create a secure login system using cookies and sessions?

问题描述

我有一个带有用户名，用户名和密码的mysql表，如果给定的密码与给定的用户名匹配，我会创建3个cookie:

I have a mysql table with userid, usernames and passwords and if the given password matches with the given username I create 3 cookies:

• 用户名
• 用户名
• userpassword(md5)-之所以创建它，是因为当用户保存重要设置(不要求用户填写表格)时，我会从cookie中重新检查密码和用户名.

我听说这是不安全的，我应该仅使用Cookie来存储会话ID，并将这些数据存储在会话中，但是代码看起来如何?

I'we heard that this is not secure and I should use a cookie only to store session id, and to store this data in sessions, but how would look the code for this?

请解释一下代码，因为我是PHP的初学者.哦，我想记住用户很长一段时间，我不喜欢需要再次登录的网站.请帮助我，并向我解释为什么一种方法比其他方法更安全?

And please explain the code, because I'm a beginner in PHP. Oh and I want to remember the users for a long period, I don't like websites where I need to login each time again. Please help me and explain me why is a method more secure than other?

谢谢！

感谢您的回答！我需要解决我的问题:我的网站不需要比简单的论坛更高的安全性，因此有人可以提供仅具有基本安全性级别的代码吗?

Thanks for your answers! I need to compete my question: my website does not require higher security than a simple forum, so can somebody provide a code that has a only basic security level?

推荐答案

首先，当您说要在数据库中存储密码"时，请确保您存储的是 加密的 密码.如果我的密码是"12345"，而您在数据库中存储的是"12345"，则使访问数据库的人可以看到每个人的密码，这真是太糟糕了.

First of all, when you say you're storing "passwords" in the database, please make sure you are storing encrypted passwords. If my password is "12345" and you're storing "12345" in your database, you've made it possible for somebody who gains access to your database to see everybody's passwords, and that's just horrifyingly bad.

因此，至少要使用SHA1或其他某种哈希算法，并将 存储在数据库中.

So, at the very least, use a SHA1 or some other hash algorithm and store that in the database.

但是，关于您的实际问题，PHP支持内置的会话"，因此您不必担心底层机制.

But on to your actual question, PHP has support for "sessions" built in, such that you don't need to worry about the low-level mechanics.

调用脚本顶部的 session_start(); (通常在配置文件或头文件的开头，或随处可见的其他共享脚本的开头)，然后可以存储和检索 $ _ SESSION 超全局数组中的信息.

Call session_start(); at the top of your script (usually near the beginning of your configuration file or header file, or some other shared script that's included everywhere), and then you can store and retrieve information in the $_SESSION superglobal array.

所以您可以写:

$_SESSION['username'] = 'bob';

然后在其他页面上:

echo 'Hello, ' . $_SESSION['username'];

该会话信息将在运行 session_start(); 的任何页面上可用，并且您放入 $ _ SESSION 中的任何内容都会存储 ，因此某人无法仅通过浏览器cookie窥探就可以看到该信息.

That session information will be available on any page where session_start(); has been run, and anything you put in $_SESSION is stored only on the server, so it's not possible for someone to see that information just by snooping through my browser cookies.

但是，这并不意味着会话本质上是完全安全的.会话通过在Cookie中存储会话密钥"来工作，因此我的密钥可能是"946433D47A824675DCB87AA372F31A7D9B255530F87A79264E416C253E9AB00E".每次我访问页面时，PHP都会检索与该键关联的所有 $ _ SESSION 数据，并将其提供给您.

However, that does not mean that sessions are just inherently completely secure. Sessions work by storing a "session key" in a cookie, so my key might be "946433D47A824675DCB87AA372F31A7D9B255530F87A79264E416C253E9AB00E". Every time I visit a page, PHP retrieves all the $_SESSION data associated with that key, and makes it available to you.

但是，如果有人发现了该密钥(例如，再次通过浏览器cookie进行侦听，或者只是通过开放的Wi-Fi网络偷听"了我对服务器的请求)，他们可以发送相同的密钥和PHP会很高兴为他们提供访问我的会话的机会.

But if someone discovers that key (again by, say, snooping through my browser cookies, or just "overhearing" a request I make to the server over an open Wi-Fi network), they could send the same key and PHP would gleefully give them access to my session.

如果仅允许通过https进行通信，则可以大大缓解此问题，但是绝对值得了解正在发生的事情以及在安全至关重要的情况下如何利用它.

If you only allow traffic over https this problem is largely mitigated, but it's still definitely worth understanding what's happening and how it might be exploited in situations where security matters.

这篇关于如何使用Cookie和会话创建安全的登录系统?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！