在哪里可以找到Charles Miller的“Persistent Login Cookie”的PHP / MySQL实现。解? [英] Where can I find a PHP/MySQL implementation of Charles Miller's "Persistent Login Cookie" solution?
问题描述
我曾多次看到Charles Miller的持久性登录Cookie最佳实践这里推荐为在网站上实施记住我功能的绝对最佳方式(如果真的,真的需要该功能,我这样做)。
但是,我已经在网上搜索,我找不到实际的PHP / MySQL代码实现他的解决方案,因为安全强调了关于使用记住我的一个gazillion 次,我恐怕从头开始编写代码,因为我害怕我会误会某事或犯错误,将导致一个巨大的安全漏洞。
由于他的解决方案已经近10年了,恰好是大多数upvoted答案关于持久性登录Cookie的SO,肯定有一些审查的PHP / MySQL代码,正确地遵循他的解决方案没有任何非预期的安全漏洞。 (我发现最接近的是一个Drupal模块,但我不使用Drupal。)
有人知道我在哪里可以找到吗?
在StackOverflow上阅读一个问题后,我受到启发,通过编写一个PHP / MySQL实现Charles Miller的持久登录Cookie最佳实践对于本教程,我将假设您已经有一个PHP用户登录系统。
CREATE TABLE user_sessions $ b user_id INT(11)UNSIGNED NOT NULL,
session VARCHAR(39)NOT NULL,
created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
PRIMARY KEY(user_id,session)
);
首先,我们需要在您登录时更新网站,此代码将与您当前的登录系统一起使用。
if(/ *验证凭证的代码* /){
// ...将用户登录到会话中的代码
PersistentAuth :: login($ userId);
}
其次,我们要检查网站的新用户是否有Cookie凭据。这段代码将在代码的开头。它检查,首先,我们是否已经登录在我们的$ _SESSION?如果没有,请尝试基于Cookie的登录。
if(/ *!loggedIn()* /&& userId = PersistentAuth :: cookieLogin())){
// ...使用$ userId将用户登录到会话
}
第三,根据Charles Miller的文章,如果用户通过cookie登录,我们不能允许用户访问以下部分:
- 更改用户密码
- 更改用户的电子邮件地址(尤其是在使用基于电子邮件的密码恢复时)
-
代码:
if(PersistentAuth :: isCookieLogin()){
//用户登录cookie,并且无法访问此
//节。我们需要向他们要求密码。也许发送
//他们到一些登录页面?
// TODO请求密码或发送到密码页面
}
$ b b
要获取PersistentAuth类检查的所有代码,请访问我的网站: http:// www.chrislondon.co/php-persistent-login/
使用此PersistentAuth类,您将需要进行一些更改。你必须改变getDb()函数来返回数据库的一个实例。我在这个例子中使用PDO。我为它设置了每一页刷新清除旧会话的数据库。处理这个的最好的方法是使用cron。如果您设置了cron,请在类设置中将USE_CRON标记更改为true
I have seen time and again Charles Miller's "Persistent Login Cookie Best Practice" recommended here as the absolute best way of implementing "Remember me" functionality on a site (if you really, really need that feature, which I do).
However, I've scoured the web and I can't find any actual PHP/MySQL code implementing his solution, and since "security" was stressed about a gazillion times with regard to using "Remember me", I'm afraid to code it myself from scratch for fear that I will misunderstand something or make a mistake that will result in a massive security hole.
Since his solution is almost 10 years old and happens to be the most upvoted answer on SO regarding Persistent Login Cookies, surely there has to be some vetted PHP/MySQL code out there that correctly follows his solution without any unintended security holes. (The closest thing I found was a Drupal module, but I don't use Drupal.)
Does anyone know where I can find it?
After reading a question on StackOverflow I’ve been inspired to help him out by writing a PHP/MySQL implementation of Charles Miller’s "Persistent Login Cookie Best Practice" For this tutorial I’m going to assume you already have a PHP system with user login.
CREATE TABLE user_sessions (
user_id INT(11) UNSIGNED NOT NULL,
session VARCHAR(39) NOT NULL,
created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
PRIMARY KEY (user_id, session)
);
First, we need to update the site when you login to store the session into the cookie. This code will go with your current login system.
if (/* Code that verifies credentials */) {
// ... code to log user into session
PersistentAuth::login($userId);
}
Second, we want to check if a new user to the site has cookie credentials. This code will go at the beginning of your code. It checks, first, are we already logged in in our $_SESSION? if not, try the cookie-based login.
if (/* !loggedIn() */ && ($userId = PersistentAuth::cookieLogin())) {
// ... use $userId to log user into session
}
Third, in accordance with Charles Miller’s article we cannot allow a user to the following sections if they are logged in via cookie:
- Changing the user’s password
- Changing the user’s email address (especially if email-based password recovery is used)
- Any access to the user’s address, payment details or financial information
- Any ability to make a purchase
Code:
if (PersistentAuth::isCookieLogin()) {
// User is logged in via cookie and don't have access to this
// section. We need to ask them for the password. Maybe send
// them to some login page?
// TODO ask for password or send to a password page
}
To get all the code for the PersistentAuth class checkout my site here: http://www.chrislondon.co/php-persistent-login/
With this PersistentAuth class there are a few changes you will have to make. One you’ll have to change the getDb() function to return an instance of your database. I’m using PDO in this example. I have it set up for every page refresh clear the database of old sessions. The best way to handle this is to use a cron. If you do set up a cron then change the USE_CRON flag to true in the class settings
这篇关于在哪里可以找到Charles Miller的“Persistent Login Cookie”的PHP / MySQL实现。解?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
