具有多个域和子域的 PHP 身份验证 [英] PHP authentication with multiple domains and subdomains
问题描述
我有一个主域:main.com
,子域:test1.main.com
、test2.main.com
和其他域one.com
, two.com
.
现在是这样完成的:
ini_set("session.cookie_domain", ".main.com");$domain = 'main.com';
登录.php
$user = $db->query("SELECT id, login from users WHERE email=? AND password=?",数组($email, $password), "rowassoc");如果($用户){$_SESSION['user_id'] = $user['id'];$_SESSION['user_name'] = $user['login'];$时间 = 100000;setcookie('email', $email, time() + $time, "/", "." . $domain);setcookie('password', $password, time() + $time, "/", "." . $domain);header('Location: http://' . $user['login'] . "." . $domain);出口;}
在每个页面上添加:
if(!isset($_SESSION['user_id'])){if(isset($_COOKIE['email']) &&isset($_COOKIE['password'])){$email = $_COOKIE['email'];$password = $_COOKIE['密码'];$user = $db->query("SELECT id, login from users WHERE email=? AND password=?",数组($email, $password), "rowassoc");如果($用户){$_SESSION['user_id'] = $user['id'];$_SESSION['user_name'] = $user['login'];}}}别的{$user = $db->query("SELECT id, login from users WHERE id=?",数组($_SESSION['user_id']),rowassoc");如果(!$用户){setcookie('email', '', time() , "/", "." . $domain);setcookie('password', '', time(), "/", "." . $domain);未设置($_SESSION['user_id']);session_destroy();setcookie("PHPSESSID","",time(), "/", "." . $domain);}别的{$_SESSION['user_id'] = $user['id'];$_SESSION['user_name'] = $user['login'];}}
logout.php
if(isset($_SESSION['user_id'])){setcookie('email', '', time() , "/", "." . $domain);setcookie('password', '', time(), "/", "." . $domain);未设置($_SESSION['user_id']);未设置($_SESSION['user_name']);session_destroy();setcookie("PHPSESSID","",time(), "/", "." . $domain);header('位置:/main');出口;}
但它仅适用于域 main.com
及其子域 test1.main.com
、test2.main.com
.>
我需要以某种方式保存会话和其他域 one.com
、two.com
.
如何最好地进行安全身份验证,如果有解决方案,我真的很困惑,请举例说明.
据我所知,子域之间的跨会话很好,但它不会延续到一个全新的域.为此,您需要某种集中式数据方法或 API.
数据库方法:您必须创建一个远程 MySQL 数据访问,以便 domain2.com 可以访问 domain1.com 上的数据库.执行登录时,不仅应创建新会话,而且应将唯一的登录令牌(具有到期时间)放入 mysql 数据库.现在,对于从 domain1.com 到 domain2.com 的每个链接,您应该添加一个 $_GET 变量,该变量包含一个随机生成的会话 ID(md5 哈希就可以).domain2.com 收到访问者后,将获取 $_GET 变量,通过 MySQL 数据库运行它以查找登录令牌,如果匹配,则认为该用户已登录(并且可能嵌入 $_COOKIE 作为以及存储登录数据).这将使登录可以在两个完全不同的域之间转移.
API 方法:您需要创建一个 API 方法,以便 domain1.com 可以响应来自授权域的外部请求,以在用户被转发时检索登录令牌.此方法还要求所有从 domain1.com 到 domain2.com 的链接附加 $_GET 变量以传递唯一的会话哈希.然后在收到访问者后,domain2.com 将对 domain1.com/userapi.php(或任何您调用的文件)发出 curl() 请求,并且应该针对数据库中的内容测试变量.
这是我能解释的最好的了..用代码写出来是一项重要的工作,所以我不能提交.但是从你的代码来看,你对 PHP 有很好的理解,所以我相信你会成功的!
祝你好运.
I have one main domain: main.com
, subdomains: test1.main.com
, test2.main.com
and other domains one.com
, two.com
.
Now it's done like these:
ini_set("session.cookie_domain", ".main.com");
$domain = 'main.com';
login.php
$user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?",
array($email, $password), "rowassoc");
if($user)
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
$time = 100000;
setcookie('email', $email, time() + $time, "/", "." . $domain);
setcookie('password', $password, time() + $time, "/", "." . $domain);
header('Location: http://' . $user['login'] . "." . $domain);
exit;
}
added on each page:
if(!isset($_SESSION['user_id']))
{
if(isset($_COOKIE['email']) && isset($_COOKIE['password']))
{
$email = $_COOKIE['email'];
$password = $_COOKIE['password'];
$user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?",
array($email, $password), "rowassoc");
if($user)
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
}
}
}
else
{
$user = $db->query("SELECT id, login FROM users WHERE id=?",
array($_SESSION['user_id']), "rowassoc");
if(!$user)
{
setcookie('email', '', time() , "/", "." . $domain);
setcookie('password', '', time() , "/", "." . $domain);
unset($_SESSION['user_id']);
session_destroy();
setcookie("PHPSESSID","",time(), "/", "." . $domain);
}
else
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
}
}
logout.php
if(isset($_SESSION['user_id']))
{
setcookie('email', '', time() , "/", "." . $domain);
setcookie('password', '', time() , "/", "." . $domain);
unset($_SESSION['user_id']);
unset($_SESSION['user_name']);
session_destroy();
setcookie("PHPSESSID","",time(), "/", "." . $domain);
header('Location: /main');
exit;
}
But it works only on domain main.com
and its subdomains test1.main.com
, test2.main.com
.
I need to somehow save the session and on other domains one.com
, two.com
.
How best to do safe authentication, if there are solutions, i really confused, please tell with example.
As far as I know, crossing sessions between sub-domains is fine, but it won't carry over to a whole new domain. To do that you need some sort of centralized data method, or an API.
Database method: you will have to create a remote MySQL data access so that domain2.com can access the database on domain1.com. When a log-in is performed, not only should it create a new session, but a unique log-in token (with an expiry time) should be put into the mysql database. Now, for every link that goes from domain1.com to domain2.com, you should add a $_GET variable that contains a randomly generated session id (md5 hash will do). domain2.com, upon receiving the visitor, will take the $_GET variable, run it through the MySQL database to find the login token, and if there is a match, consider that user to be logged on (and perhaps embed a $_COOKIE as well to store the login data). This will make the log-in transferrable between two completely different domains.
API method: you need to create an API method, so that domain1.com can respond to an external request from authorized domains to retrieve the login token upon a user being forwarded. This method will also require that all links going from domain1.com to domain2.com to be appended with a $_GET variable to pass the unique session hash. Then upon receiving the visitor, domain2.com will do a curl() request to domain1.com/userapi.php (or whatever you call the file) and the variables should be tested against what's in the database.
This is the best I can explain it.. to write this out in code is a significant piece of work so I cannot commit. But judging by your code, you have a very good understanding of PHP so I'm confident you will pull this off!
Good luck mate.
这篇关于具有多个域和子域的 PHP 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!