我正在使用强力检查器构建登录脚本,当触发时,会显示reCAPTCHA。我遇到的问题是,当输入正确的用户名/密码/验证码响应时,登录脚本会运行,但直到大部分页面内容已加载(这在提交表单后发生)。结果是我必须按F5刷新页面并重新提交表单数据,以便在页面开始加载时会话处于活动状态。
现在,我遇到的问题是,一旦表单被提交(当它需要CAPTCHA时),会话才开始,直到index.php到达
else {
$captchaResponse = 1;
$auth = Auth::verifyPass($userName,$password,$captchaResponse);
}
我很难过如何重新组织这个,以便会话在此之前开始。有什么想法吗?
第一部分是index.php页面,其中包含在检测到强力尝试时触发的代码。代码的这一部分以条件if开头($ auth ===“bruteForce”)此代码显示reCAPTCHA并且应该提交用户名,密码和reCAPTCHA响应代码(0-错误响应,1-正确响应)登录功能。
<?php
include('includes/header.php');
spl_autoload_register(function ($class){
include 'includes/class.' . $class . '.php';
});
if(null !==(filter_input(INPUT_POST,'userName'))){$userName = filter_input(INPUT_POST,'userName');}
if(null !==(filter_input(INPUT_POST,'password'))){$password = filter_input(INPUT_POST,'password');}
if(isset($userName)&& isset($password)){
$auth = Auth::verifyPass($userName,$password);
}
if(isset($_GET['logout']) && $_GET['logout'] == true){
session_start();
session_destroy();
setcookie ("PHPSESSID", "", time() - 3600, "/");
header("Location: index.php");
}
if(Auth::checkLoggedIn() === true){
if(session_id() !== ''){echo 'Session ID is not blank<br />';}
echo '<a href="index.php?logout=true">Logout</a><br />';
echo 'Welcome! This is protected content!' . "<br />";
}
if(!Auth::checkLoggedIn()) :
?>
<h1>Sign In</h1>
<?php if(isset($userName) && isset($password)){if($auth === "invalidPassword"){echo '<span class="error">Invalid username or password</span>';}} ?>
<form name="login" method="post" action="index.php" id="loginForm">
<ul>
<li>
<input placeholder="Username" type="text" name="userName" id="userName" class="login" />
</li>
<li>
<input placeholder="Password" type="password" name="password" id="password" class="login" />
</li>
<?php
if(isset($userName) && isset($password)){
echo $auth . "<br />";
if($auth === "bruteForce"){
echo $auth;
require_once('includes/recaptchalib.php');
// Get a key from https://www.google.com/recaptcha/admin/create
$publickey = "xxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$privatekey = "xxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$resp = null;
$error = null;
if(isset($_POST["recaptcha_response_field"])){
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if ($resp->is_valid) {
Auth::checkLoggedIn();
$auth = Auth::verifyPass($userName,$password,1);
} else {
$auth = Auth::verifyPass($userName,$password,0);
//$captchaResponse = 2;
}
}
echo recaptcha_get_html($publickey, $error);
if($auth === "invalidCaptcha"){
echo "Invalid Captcha Response. Please try again.";
}
}
}
if(isset($auth)){echo $auth;}
?>
<div class="clearAll"> </div>
<li id="submit">
<input type="submit" value="Login" id="loginBtn" class="login" />
</li>
<li id="reset">
<input type="reset" value="Reset" id="resetBtn" class="login" />
</li>
</ul>
</form>
<div class="clearAll"> </div>
<h1>New User?</h1>
<p><a href="register.php">Sign Up!</a></p>
<?php endif; ?>
<div class="clearAll"> </div>
<?php include('includes/footer.php'); ?>
</body>
</html>
这是登录功能
public static function verifyPass($username,$password,$captchaResponse = 3){
$authenticatedUser = FALSE;
$bruteTest = self::_bruteTest($username);
if($bruteTest === TRUE && $captchaResponse === 3){
$status = "bruteForce";
return $status;
} else if($bruteTest === TRUE && $captchaResponse === 0){
//The brute force check was positive and the captcha response failed
//Don't even try to log in because the captcha failed.
$status = "invalidCaptcha";
return $status;
} else if ($bruteTest === TRUE && $captchaResponse === 1){
//The brute force check was positive and the captcha response was successful
//Try to log in now.
$continueLogin = TRUE;
} else if($bruteTest === FALSE){
//The bruteTest was negative, proceed with login.
$continueLogin = TRUE;
}
if($continueLogin === TRUE){
try{
$connection = Database::getDbConnection();
if($connection){
$query = "SELECT usr_name, usr_pass, usr_salt, uid, email_pri FROM users WHERE usr_name=? LIMIT 1";
$stmt = $connection->prepare($query);
$stmt->execute(array($username));
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
if($stmt->rowCount() === 0){$authenticatedUser = FALSE;} //Username was not found We are not going to say which was incorrect, only that the "username or password was incorrect"
if($results){
$resultsArray = $results[0];
$connection = null;
echo "<br />";
$dbUserName = $resultsArray['usr_name'];
$dbPass = $resultsArray['usr_pass'];
$dbSalt = $resultsArray['usr_salt'];
$dbUid = $resultsArray['uid'];
$dbEmail = $resultsArray['email_pri'];
$passHash = hash('sha512',$password);
$passToCheck = hash('sha512',$dbSalt.$passHash);
if($passToCheck != $dbPass){
$authenticatedUser = FALSE; //Password did not match. We are not going to say which was incorrect, only that the "username or password was incorrect"
} else if ($passToCheck === $dbPass && $username === $dbUserName){
$authenticatedUser = TRUE;
}
}
}else if(!$results){$authenticatedUser = FALSE;}
} catch (PDOException $e) {
echo "Error: " . $e->getMessage() . "<br />";
die();
}
try{
if($authenticatedUser === FALSE){
//Log the failed attempt into the database
$remoteIp = $_SERVER['REMOTE_ADDR'];
try {
$connection = Database::getDbConnection();
if($connection){
$query = "INSERT INTO `login_attempts`(`usr_name`, `usr_ip`) VALUES (:usr_name,INET_ATON(:usr_ip))";
$stmt = $connection->prepare($query);
$stmt->execute(array(':usr_name' => $username, ':usr_ip' => $remoteIp));
}
$connection = null;
} catch (PDOException $e){
echo "Error: " . $e->getMessage() . "<br />";
die();
}
$status = "invalidPassword";
return $status;
exit();
}else if($authenticatedUser === TRUE){
//Clear login attempts from the database
self::_clearAttempts($username);
//Start the session (if not already started somehow. session and cookie expiration need to be adjusted so that the session does not persist after browser close)
if(!isset($_SESSION)){
session_start();
}
//Set the session variables
$_SESSION['userIp'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userName'] = $dbUserName;
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
$session_name = 'sec_session_id';
$httponly = TRUE;
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$httponly);
session_name($session_name);
}
} catch (PDOException $e) {
echo "Error: " . $e->getMessage() . "<br />";
die();
}
//End $continueLogin statement below
}
}
答案 0 :(得分:1)
移动它:
if(!isset($_SESSION)){
session_start();
}
到你的脚本顶部并试一试。
或只是:
session_start();
答案 1 :(得分:0)
如上所述:在页面顶部的session_start(或者甚至将其配置为自动添加到每个php脚本,在PHP ini中使用session_auto_start = 1)将导致在脚本启动时加载会话数据
然后,您可以在同一个地方测试您测试的空用户名和密码,对于某些变量,如$ session ['lastPasswordWasInvalid'],如果已设置,请检查验证码是否为空。