如何保护我的登录页面 [英] How to secure my login page

问题描述

我有一个login.html网页，可让用户输入他的用户名和密码。当他点击提交时，我使用Javascript收集输入的值，然后对php文件进行Ajax POST调用并发送用户名和密码。

I have a login.html webpage that lets user enter his username and password. When he clicks on submit I collect the entered value using Javascript and then make a Ajax POST Call to the php file and send the username and password.

我担心的是，这是一种安全的方式来发送用户名和密码吗？如果不能如何保证将数据从html文件发送到运行后端的php的事务？

My concern here is that is this a safe way of sending username and password ? If not how can i secure this transaction of sending data from html file to php running the backend?

php文件然后连接到MySql Db并检查用户是否退出如果密码正确如果是，它只是将有效文本发送回javascript函数的ajax调用，如果不是我确定它是无效用户？

The php file then connects to the MySql Db and checks if the user exits and if the password is correct If Yes it simply sends a Valid text back to the ajax calls to the javascript function if not I determine it is an invalid user ?

我对这个逻辑不太满意吗？有没有更好的方法来实现这个过程？由于我将我的代码投入生产，我希望尽可能地保护它。

I am not quite happy with this logic ? Is there a better way to implement this process ? Since i am putting my code to production I want to secure it as much as possible.

以下代码工作正常我只需要提示来保护它。

The below code works fine i just need tips to secure it.

login.html

login.html

<div>
    <h3>Login information</h3>

    <input type="text" name="user" id="usrnm" placeholder="Username/Email">
    <input type="password" name="pswdlogin" id="pswdlogin" placeholder="Password">
    <input type="checkbox" name="keepmeloggedin" id="keepmeloggedin" value="1" data-mini="true">
    <input type="submit" data-inline="false" onclick="logmein()" value="Log in">
    <div id="loginstatus">    </div>
 </div>

logmein.js

logmein.js

function logmein() {

  var usrnm = document.getElementById("usrnm").value;
  var pswdlogin = document.getElementById("pswdlogin").value;

  $.post("http://xyz/mobile/php/logmein.php",
    {
      usrnm: usrnm,
      pswdlogin: pswdlogin
    },
    function(data, status) {

      if (data == 'Valid') {

        window.open("http://xyz/mobile/home.html?email=" + usrnm + "", "_parent");

      } else {
        alert(data);
        document.getElementById("loginstatus").innerHTML = data;
      }
    });
}

logmein.php

logmein.php

<?php

$usrnm_original = $_POST['usrnm'];
$pswdlogin_original = $_POST['pswdlogin'];

$con = mysqli_connect("localhost", "cSDEqLj", "4GFU7vT", "dbname", "3306");

if (mysqli_connect_errno())
    {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

mysqli_select_db($con, "dbname");
$usrnm = mysqli_real_escape_string($con, $usrnm_original);
$pswdlogin = mysqli_real_escape_string($con, $pswdlogin_original);

$result = mysqli_query($con, "SELECT * FROM registration WHERE email = '" . $usrnm . "' AND password='" . $pswdlogin . "' ");
$rows = mysqli_num_rows($result);

if ($rows == 1)
    {
    echo "Valid";
    }
  else
    {
    echo "In Valid Credentials Entered";
    }

mysqli_close($con);
?>

推荐答案

这真的属于codereview.stackexchange.com，但是无论如何我都会试一试。

This really belongs on codereview.stackexchange.com, but I'll give it a shot anyway.

首先，我会在你的表单中添加一个csrf令牌来阻止这些类型的攻击。<​​/ p>

Firstly, I'd add a csrf token to your form to stop those types of attacks.

//the most simple type of csrf token
if (!isset($_SESSION['token'])):
    $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
else:
    $token = $_SESSION['token'];
endif;

然后在您的表单中，包含一个隐藏的输入字段：

Then in your form, include a hidden input field:

<input type="hidden" name="token" id="token" value="<?php echo $token; ?>"/>

然后在你的ajax中添加令牌。

Then in your ajax, add the token.

var usrnm = $('#usrnm').val();
var pswdlogin = $('#pswdlogin').val();
var token = $('#token').val();

{
    usrnm: usrnm,
    pswdlogin: pswdlogin,
    token: token
}

然后在你的php中，让我们直接停止访问该页面的未定义索引错误。

Then in your php, let's stop the undefined index errors on access of that page directly.

$usrnm_original = isset($_POST['usrnm'])?$_POST['usrnm']:false;
$pswdlogin_original = isset($_POST['pswdlogin'])?$_POST['pswdlogin']:false;
$token = isset($_POST['token'])$_POST['token']:false;

然后我们需要检查传递的令牌是否与我们的令牌相同

Then we need to check if the token that was passed is the same as our token

if(!$_SESSION['token'] == $token):
    die('CSRF Attacks are not allowed.');
endif;

然后我们需要停止使用 mysqli_query 接受用户数据，即使使用 mysqli_real_escape_string 进行清理，而是使用准备好的语句。此外，程序式代码让我哭泣，所以我们将改变它。此外，让我们返回一个包含状态和消息的数组，这样就可以更轻松地处理错误和成功报告。

Then we need to stop using mysqli_query when accepting user data, even if sanitizing with mysqli_real_escape_string and instead use prepared statements. Also, procedural style code makes me cry, so we'll be changing that. Furthermore, let's return an array with a status and a message, so it's easier to handle the error and success reporting.

$ret = array();
$mysqli = new mysqli("localhost", "cSDEqLj", "4GFU7vT", "dbname");

if($sql = $mysqli->prepare('SELECT * FROM registration WHERE email = ? and password = ?')):
    $sql->bind_param('ss', $usrnm_original, $pswd_original);

    if($sql->execute()):

        $sql->fetch();

        if($sql->num_rows > 0):
            $ret['status'] = true;
            $ret['msg'] = 'You have successfully logged in! Redirecting you now';
        else:
            $ret['status'] = false;
            $ret['msg'] = 'The credentials supplied were incorrect. Please try again';
        endif;
    endif;
    $sql->close();
    return json_encode($ret);
endif;

现在我们需要修改你的帖子功能。

Now we need to modify your post function.

$.post("http://xyz/mobile/php/logmein.php",
{
  usrnm: usrnm,
  pswdlogin: pswdlogin,
  token:token
},
function(data) {

  if (data.status == true) {

    window.open("http://xyz/mobile/home.html?email=" + usrnm + "", "_parent");

  } else {
    alert(data.msg);
    $('#loginstatus').text(data.msg);
  }
}, 'json');

最后，最重要的是，您使用的是纯文本密码方法，这没有任何意义从安全角度来看。这正是你被黑客攻击的方式。相反，您应该至少使用 sha256 哈希方法。更改密码在数据库中的存储方式以使用 sha256 然后通过将其传递到SQL选择器进行比较，例如：

Finally, and most importantly, you have a plain text method of passwords being used, which makes no sense from a security perspective. This is precisely how you get hacked. Instead, you should be using at least the sha256 hashing method. Change how the passwords are stored in the database to use sha256 then make a comparison by passing that into the SQL selector, example:

$pswdlogin_original = isset($_POST['pswdlogin'])? hash('sha256', $_POST['pswdlogin']):false;

当保存在数据库中时，密码将显示为 fcec91509759ad995c2cd14bcb26b2720993faf61c29d379b270d442d92290eb 。

And when saved in the database, the password will look like fcec91509759ad995c2cd14bcb26b2720993faf61c29d379b270d442d92290eb for instance.

我的回答是为了清楚起见，但实际上，你甚至不应该重新发明一些事情。有大量的应用程序和框架可以保护他们的身份验证系统无数个小时。我建议看看所有这些，因为它们将有助于建立你的核心编程技能并教授基本的OOP实践

My answer has been for clarity sake, but in reality, you shouldn't even be reinventing things. There's plenty of applications and framework's out there that have placed countless hours into securing their authentication systems. I would recommend having a look into all of these, as they'll help build your core programming skills and teach fundamental OOP practices

• Lararvel 4.x


• Zend 2


• Phalcon


• 易

• Lararvel 4.x
• Zend 2
• Phalcon
• Yi

希望这有用。

这篇关于如何保护我的登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！