登录后PHP会话似乎不起作用! Wamp - 4个会话创建/登录?

时间:2014-02-19 03:54:35

标签: php mysql windows session wamp

这是我提出的第一个问题所以请原谅我,如果我反对一些礼仪后的礼节 - 我会尽力清楚地解释我的问题,而且我已经搜索过以前的问题,但没有一个与我的问题相符据我所知。

后台:使用Apache 2.4.4和PHP 5.4.12在WAMP服务器2.4上运行 - 如果您需要任何细节,请告诉我。

我一直在研究一个新的webapp项目,并且在尝试让PHP会话正常工作时似乎遇到了问题。我的登录过程如下:

  • 用户提交详细信息并与存储在Mysql数据库中的信息进行交叉检查后,会创建会话并将其重定向到临时受保护的页面。

  • 临时页面检查用户是否具有有效会话,如果是,则显示欢迎消息。

  • 如果用户没有有效会话,则会收到错误消息。

问题:每当我登录(我可能成功添加)时,我都会被重定向并收到错误消息“您无权访问此页面。”

以下是登录过程的代码(process_login.php):

<?php
include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.


//Form data error handling.
if ($email == "" || $password == ""){
    echo "login failed";
    exit();

} else {
 //DB stuff.
 $stmt = $mysqli->prepare("SELECT id, username, password, salt 
 FROM members
   WHERE email = ?
    LIMIT 1");  
$stmt->bind_param('s', $email);  // Bind "$email" to parameter.
$stmt->execute();    // Execute the prepared query.
$stmt->store_result();

// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
    if ($stmt->num_rows == 1) {
        // If the user exists we check if the account is locked
        // from too many login attempts 

        if (checkbrute($user_id, $mysqli) == true) {
            // Account is locked 
            // Send an email to user saying their account is locked
            return false;
        } else {
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_password == $password) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                // XSS protection as we might print this value
                $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);

                $_SESSION['username'] = $username;
                $_SESSION['login_string'] = hash('sha512', $password . $user_browser);      

                header('Location: ../protected_page.php');
            } else {
                // Login failed 
                // Password is not correct
                // We record this attempt in the database
                $now = time();
                $mysqli->query("INSERT INTO login_attempts(user_id, time)
                                VALUES ('$user_id', '$now')");

                header('Location: ../index.php?error=1');
            }
        } 
}

这是我的session_start函数的代码(sec_session_start())

function sec_session_start() {
$session_name = 'sec_session_id';   // Set a custom session name
$secure = true;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
    exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"], 
    $cookieParams["domain"], 
    $secure,
    $httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start();            // Start the PHP session 
session_regenerate_id();    // regenerated the session, delete the old one. 

这是我的临时测试代码(protected_pa​​ge.php); -note我是新手,似乎在发布我的HTML时遇到了麻烦。

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) {?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
                This is an example protected page.  To access this page, users
                must be logged in.  At some stage, we'll also check the role of
                the user, so pages will be able to determine the type of user
                authorised to access the page.
            </p>
            <p>Return to <a href="index.php">login page</a></p>
        <?php } else {?>
            <p>
                <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>.
            </p>
        <?php }?>
    </body>
</html>    

对于可能有所作为的任何其他细节 - 登录表单通过侧边栏加载并发送

非常感谢任何帮助!我对这些东西不熟悉,我花了5个多小时摆弄,似乎无法搞清楚。登录工作,会话代码(据我所知)是有道理的,应该工作 - 呃我。

增加注意:我已经检查了我的C:/ wamp / etc /文件并清除了会话,只是通过登录显然创建了4个会话文件?我认为这必须与它有关。

http://puu.sh/71Lhm.png

1 个答案:

答案 0 :(得分:0)

好的,我最终解决了我自己的问题,但是我要在这里留下答案,因为任何人都有与WAMP类似的问题。 (我认为这是因为我使用的是WAMP)

在我的自定义会话功能(sec_session_start)中,我可以选择启用$ secure。虽然我认为只有在使用HTTPS将它存放在生产服务器上时才能使用它。 (不在我的本地机器上。)我的推理可能是错的,但我更改了

的值
$secure = true;

to

$secure = false;

它有效!巨大的成功。