几天前我向我的网站的身份验证系统实施了cookie功能,基本上身份验证系统使用会话和cookie来检查身份验证。这一切都很好,但今天我发现了一个奇怪的问题。在我关闭并重新打开浏览器之后,cookie仍然在浏览器中,但我没有通过身份验证。截至目前我只有三页index.php在根文件夹中,然后在分类目录中分类.php(classifieds / index.php),然后在用户目录中的login.php(users / login.php) ..所以会发生什么,在我重新启动浏览器并浏览index.php之后,我没有通过身份验证,与classified.php相同,但login.php验证了我。奇怪的是它都使用相同的代码..我玩了一下,检查问题是否与文件包含但这不是这里的情况..
这是header.php(包含在所有三个文件中)
<?php
//header.php
// if cookie is set, authenticate directly
if (isset($_COOKIE['AUTH'])) {
include_once("../includes/initialize.php"); // requires and initializes all the necessary functions and classes
// cookie is set, lets see if its vailed and log someone in
global $database;
global $salt;
$now = time();
list($identifier, $token) = explode(':', $_COOKIE['AUTH']);
if (ctype_alnum($identifier) && ctype_alnum($token)) {
$user = User::find_by_identifier($identifier);
if ($token != $user->token) {
setcookie ("AUTH", "", time() - 3600);
session_destroy();
// echo "wrong token";
// fail because the key doesn't match
} elseif ($now > $user->timeout) {
setcookie ("AUTH", "", time() - 3600);
session_destroy();
// echo "timeout";
// fail because the cookie has expired
} elseif ($identifier!= md5($salt.md5($user->id.$salt))) {
// fail because the identifiers does not match
setcookie ("AUTH", "", time() - 3600);
session_destroy();
// echo "wrong identifier";
} else {
/* Success */
// $found_user = User::cookie_authenticate($user->email, $user->passwor,$ip);
$session->cookie_login($user);
}
} else {
/* failed because the information is not in the correct format in the cookie */
setcookie ("AUTH", "", time() - 3600);
session_destroy();
}
}
?>
index.php
<?php
//index.php
include_once("includes/initialize.php"); // requires and initializes all the necessary functions and classes
include_template("header.php");
?>
users/login.php
<?php
//login.php
include("../includes/initialize.php"); // requires and initializes all the necessary functions and classes
//if aready logged in
if($session->is_logged_in()) {
$session->message("<script> TINY.box.show({html:'You are already logged in!',animate:false,close:false,mask:false,boxid:'error',autohide:3,top:-14,left:-17})</script>");
redirect_to("../index.php");
}
include_template("header.php");
?>
我在index.php中注意到的是,即使浏览器已保存AUTH cookie
if(isset($_COOKIE['auth']))
isset函数并不真正检查cookie是否在index.php中设置,但是login.php确实..好吧,我发布更多代码,因为我知道问题不在于登录类或cookie类。正如我所说,login.php会对cookie进行身份验证。
第一个问题是为什么index.php并没有真正通过isset($ _ COOKIE ['AUTH']))函数,虽然在浏览器中设置了cookie AUTH?
第二个是,为什么login.php传递相同的isset cookie函数,即使两者都包含写入isset函数的相同header.php文件。
我希望我明白这个问题,我尽可能多地尝试..抱歉,我提问这个问题的能力很差..
public static function authenticate($username="", $password="",$ip) { //login function to authenticate user
global $database;
$username = $database->escape_value($username);
$password = $database->escape_value(sha1($password));
$ip = $_SERVER['REMOTE_ADDR'];
$identifier = md5( $salt . md5($username . $salt ) );
$query = $database->query("SELECT id FROM ".static::$table_name." WHERE ip = '$ip' AND banned = '1'");
if ($database->num_rows($query) >= 1 ) { //change to 1
echo "<div class=\"warning\"> Your IP has been blocked, Possible Spam attempts. Please contact the Admin for further details.</div>";
} else {
$sql = "SELECT * FROM ".static::$table_name." ";
$sql .= "WHERE email = '{$username}' ";
$sql .= "AND password = '{$password}' ";
// $sql .= "AND active = '1' ";
$sql .= "LIMIT 1";
$result_array = self::find_by_sql($sql);
return !empty($result_array) ? array_shift($result_array) : false;
}
}
public function login($user) {
// database should find user based on username/password
if($user){
User::set_login_time($user->id); // set logged in time and identifier
User::set_cookie_details($user->id); // set cookie expiration time and token
$this->user_id = $_SESSION['user_id'] = $user->id;
$this->username = $_SESSION['username'] = $user->username;
$this->user_level = $_SESSION['user_level'] = $user->level;
$this->banned = $_SESSION['user_banned'] ;
$this->logged_in = true;
}
}
public function is_logged_in() {
return $this->logged_in;
}
public function cookie_login($user) {
// if cookie is set, check and match the cookies identifier and token with the stored identifier and token in the database
// if it matches then login without credentials
$this->user_id = $_SESSION['user_id'] = $user->id;
$this->username = $_SESSION['username'] = $user->username;
$this->user_level = $_SESSION['user_level'] = $user->level;
$this->banned = $_SESSION['user_banned'] ;
$this->logged_in = true;
}
public static function set_login_time($user_id) {
global $database;
global $salt;
$identifier = md5( $salt . md5($user_id . $salt ));
$time = time();
$sql = "UPDATE ".static::$table_name." SET modified = '$time',identifier = '$identifier' WHERE id = '{$user_id}' LIMIT 1 ";
$database->query($sql);
return ($database->affected_rows() == 1) ? true : false;
}
public static function set_cookie_details($user_id) {
global $database;
$user = self::find_by_id($user_id);
$identifier = $user->identifier;
$key = md5(uniqid(rand(), true));
$timeout = time() + 60 * 60 * 24 * 7; // 1 week
setcookie('AUTH', "$identifier:$key", $timeout);
$sql = "UPDATE ".static::$table_name." SET token = '$key', timeout = '$timeout' WHERE id = '{$user_id}' LIMIT 1 ";
$database->query($sql);
return ($database->affected_rows() == 1) ? true : false;
}
$user = User::authenticate($username, $password,$ip); // if returned true
$session->login($user);