如何改进此登录/会话代码?

时间:2013-11-17 21:19:34

标签: php security session login

我一直关注a tutorial on how to create a login system with a session,因此除非创建了会话,否则无法访问页面。目前它很简单而且不安全。

问题:如何改进此代码(下图)以使会话更安全?如果您知道关于我可以关注的登录安全会话的教程,请发布链接!感谢。

CODE:

checkLogin.php:

<!--Include Database connections info-->
<?php include('config.php'); ?>

<?php
    // username and password sent from form 
    $myusername=$_POST['myusername'];   
    $mypassword=$_POST['mypassword']; 

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);

    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);

    $sql="SELECT username, password FROM users WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1) {

        session_start();
        session_register("myusername");
        session_register("mypassword"); 
        header("location:login_success.php?");
        exit;
    }

    else {
        echo "Wrong Username or Password";
    }
?>

login_success.php:

<?php
    session_start();
    if(!isset($_SESSION['userid'])) {
        header("location:main_login.html");
        exit;
    }

    if(isset($_SESSION['userid'])) {
        header("location:index.php");
        exit;
    }   
?>

2 个答案:

答案 0 :(得分:1)

<?php

    $myusername=$_POST['myusername'];   
    $mypassword=$_POST['mypassword']; 

    $mysqli = new mysqli("localhost", "root", "password", "DataBase");

    // Check Connection
    if (!mysqli_connect_errno()) 
    {
        printf("Connect failed");
        exit();
    }

    // Move to MySQL(i) as MySQL is now obslete and use Prepare statment for protecting against SQL Injection in better and easier way
    $stmt = $mysqli->prepare('SELECT username FROM users WHERE username= ? and password= ?');

    $stmt->bind_param("ss", $myusername, $mypassword);
    //ss means expecting a variable of type string

    $stmt->execute();

    $count=mysqli_stmt::$num_rows($stmt);

    if($count>0) 
    {
        session_start();
        //Session Register is now history better go with
        $_SESSION['userid'] = $myusername;
        $_SESSION['mypassword'] = $mypassword;
        header("location:index.php");
    }

    else 
    {
        echo "Wrong Username or Password";
    }
?>

而不是重定向到 login_success.php ,而只是重定向到 index.php 

session_start();
if(!isset($_SESSION['userid'])) {
    header("location:main_login.html");
    exit;
}

答案 1 :(得分:0)

看起来不推荐使用session_register,建议通过php.net deprecated info注册会话变量:

$_SESSION["session_var_name"] = "value";

我认为在会话中存储实际密码值并不好。我无法想到这样做的好处。

您需要做的就是在会话中存储用户已成功通过身份验证的内容。

以下是您可以在session_start()

下使用的代码示例 
$_SESSION['logged_in_user'] = $myusername;
$_SESSION['logged_in_user_session'] = session_id();

接下来是示例逻辑,您可以使用它来检查用户是否在整个应用程序中进行了身份验证。

session_start();

// verify login
if (isset($_SESSION['logged_in_user']) && isset($_SESSION['logged_in_user_session'])) {
    if ($_SESSION['logged_in_user_session'] != session_id()) {
        // error: login
        header("Location: error_or_login_page.php");
        exit();
    }
}
相关问题
最新问题