如何使登录会话更安全?

时间:2012-07-10 15:30:53

标签: php session

我正在为个人项目工作,我正在开发一个简单的登录系统,它具有简单的授权方法,例如is_logged_in,login,register和logout。

我想知道如何才能使我的登录系统免受劫持,中间人和修复?

这是我的代码:

    class Auth extends Session
{
    public $ip_address;
    public $timestamp;
    public $user_agent;

    public function __construct()
    {
        $this->ip_address = $_SERVER['REMOTE_ADDR'];
        $this->user_agent = $_SERVER['HTTP_USER_AGENT'];
        $this->timestamp = date('Y-m-d H:i:s');
    }
    public function login($table = 'users',$username,$password,$username_column = 'username',$password_column = 'password')
    {
        if(!isset($username,$password))
        {
            return FALSE;
        } else {

            $username = mysql_real_escape_string($username);
            $password = md5(strip_tags($password));
            $query = "SELECT * FROM $table WHERE $username_column='$username' AND $password_column='$password'";
            if(mysql_num_rows($query) != 0)
            {
                $session_vars = array(
                    'session_id' => session_id(),
                    'username' => stripcslashes($username),
                    'ip_address' => $this->ip_address,
                    'user_agent' => $this->user_agent,
                    'timestamp' => $this->timestamp
                );
                $this->set_array($session_vars);
                $session_query = "INSERT INTO sessions(session_id,username,ip_address,user_agent,timestamp)";
                $session_query .= "VALUES('".implode(",'",$session_vars)."')";
                mysql_query($session_query) or die(mysql_error());
                return TRUE;

            }else{ 
                return FALSE;
            }
        }

    }

1 个答案:

答案 0 :(得分:0)

劫持/固定:在每个请求上重新生成您的SID。

中间人攻击:使用SSL

对于上帝的爱,通过GETPOST接受会话信息。