What type of information should be saved in a Cookie (PHP)


Question

I'm making a login/logout class that logs users in and sets cookies based on the user's choice. The user enters their email/password and it checks the database; if the email/password combo exists, a session is created, a cookie is set (with the user's id) and the user is redirected... I then have a function that logs users in by taking the user id saved in that cookie, checking whether that user id exists and then saving the user's data in a session yet again... I was wondering if anybody sees anything potentially wrong/unsafe about this.

Short example, I'm sure you guys can get the gist of it...

// The asker's sketch, made syntactically valid. findUserByLogin() and findUserById()
// are hypothetical placeholders for the database lookups; the cookie still carries
// the raw user id, which is the behaviour the answer below criticises.
class Auth {
  function login($email, $password, $remember) {
    $user = $this->findUserByLogin($email, $password); // check the database for the email/password combo
    if ($user) {                                       // the user exists
      $_SESSION['user'] = $user;                       // save the user's data in the session
      if ($remember) {
        setcookie('user_id', $user['id']);             // save the user id in a cookie
      }
      header('Location: index.php');                   // redirect
      exit;
    }
    return false;
  }

  function Check_Cookie() {
    if (isset($_COOKIE['user_id'])) {
      return $this->Log_In_ID($_COOKIE['user_id']);
    } else {
      return false;
    }
  }

  function Log_In_ID($id) {
    $user = $this->findUserById($id);                  // check the database for the user id
    if ($user) {                                       // the user exists
      $_SESSION['user'] = $user;                       // save the user's data in the session
      header('Location: index.php');                   // redirect
      exit;
    } else {
      return false;
    }
  }
}

It's not a detailed example of what I'm trying to ask, but I'm sure you can get the gist of it... Does anybody see anything potentially wrong with this? If you guys have any recommendations I'd love to hear them... Also, do you guys use OOP to log users in, or any other ways?

Answer

If your user ID is a sequential number, this is pretty insecure as anyone can just change their cookie to another reasonable-looking number based on their own (e.g. if mine is 1274, I could try some other numbers in that range) and immediately spoof that user.

You would be better off assigning a temporary ID associated with that user, like a GUID. Since GUIDs are astronomically unique and practically collision-proof, they're also virtually impossible to guess or predict from outside the system.

When the user logs in, you create a new GUID and store that with the user:

UserID        TokenID                                        Expires
1274          {3F2504E0-4F89-11D3-9A0C-0305E82C3301}         9/25/2009 12:00:00

When a user returns, look up their user ID by the token, make sure the token hasn't expired and log them in. Then change their token. This secures you against the following:

  • An attacker cannot guess another user's token and spoof them.

  • Token expiry cannot be circumvented by ignoring the cookie's expiration date.

  • Since the token changes constantly, even if an attacker manages to obtain a user's cookie, the window of opportunity for a takeover is very small.
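The token flow the answer describes (issue a GUID on login, look the user up by token on return, enforce expiry server-side, then rotate), as an added example that is not code from the question or the answer. A PHP array stands in for the UserID/TokenID/Expires table, uuid4() builds the token from random_bytes(), and uuid4(), RememberMe and setRememberCookie() are names chosen here, not PHP built-ins.

```php
<?php
// Added example: remember-me tokens with server-side expiry and rotation.
// The $tokens array is a stand-in for the UserID/TokenID/Expires table.
declare(strict_types=1);

function uuid4(): string {
    $b = random_bytes(16);                        // CSPRNG, so the token cannot be predicted
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);      // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);      // RFC 4122 variant
    return strtoupper(vsprintf('{%s%s-%s-%s-%s-%s%s%s}', str_split(bin2hex($b), 4)));
}

class RememberMe {
    private array $tokens = [];                   // TokenID => ['user_id' => int, 'expires' => int]
    private int $ttl;

    public function __construct(int $ttlSeconds = 30 * 86400) { $this->ttl = $ttlSeconds; }

    /** Issue a fresh token for $userId; the caller puts it in the cookie, never the user id. */
    public function issue(int $userId, int $now): string {
        $token = uuid4();
        $this->tokens[$token] = ['user_id' => $userId, 'expires' => $now + $this->ttl];
        return $token;
    }

    /** Look the user up by token, enforce expiry server-side, and rotate on success. */
    public function redeem(string $token, int $now): ?array {
        $row = $this->tokens[$token] ?? null;
        if ($row === null) return null;           // unknown or guessed token
        unset($this->tokens[$token]);             // single use: the presented token dies here
        if ($row['expires'] < $now) return null;  // expired, whatever the cookie's own date says
        return ['user_id' => $row['user_id'], 'token' => $this->issue($row['user_id'], $now)];
    }
}

// Cookie helper (assumed name): HttpOnly/Secure so page scripts and plain HTTP cannot leak it.
function setRememberCookie(string $token, int $expires): void {
    setcookie('remember', $token, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Walk-through with a fixed clock (constructed values): user 1274 as in the answer's table.
$store = new RememberMe();
$t1 = $store->issue(1274, 1000000);
$r  = $store->redeem($t1, 1000100);                          // valid: user 1274, new token issued
assert($r !== null && $r['user_id'] === 1274 && $r['token'] !== $t1);
assert($store->redeem($t1, 1000200) === null);               // replaying the old token fails
assert($store->redeem($r['token'], 1000000 + 31 * 86400) === null); // past the 30-day expiry
```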
