Symfony2: Security / secure login and logout

Time: 2014-10-06 16:58:28

Tags: php security symfony login logout

What should I add to get close to a safe and secure login and logout?

For login, I just fetch and verify the information from the database, then set the Session and the Cookie:

if ($users) { //$users - fetched array of users
    foreach ($users as $user) {
        $response->headers->setCookie(new Cookie('user', $cookie, $expire, $path = '/', $domain = '', $secure = false, $httpOnly = false));
        $response->sendHeaders();

        foreach ($user as $key => $value) {
            //setting every user information to session except password
            $session->set($key, $value);
        }
    }
}

For logout, I just remove the session and the cookie:

$response->headers->clearCookie('user');
$response->sendHeaders();

$request->getSession()->invalidate();

The value I set for the 'user' cookie is generated by:

$password = $user['password']; //is already in md5
$username = $user['email'];
$cookie = base64_encode ("$username:" . md5 ($password));

All of this is stored in the main controller.

2 answers:

Answer 0 (score: 0)

This really isn't a good way to implement login and logout. Take a look at the Symfony2 security tutorial. Use a UserProvider to fetch the user from the database, and set the security token on success.

Start here - http://symfony.com/doc/current/cookbook/security/custom_provider.html

The MD5 function is no longer secure. If you like, use something stronger for the password, plus a salt.

Answer 1 (score: 0)

If you have implemented the user provider and repository as described in the Symfony cookbook, you can log such users in and out programmatically.

Here is an example implementation:

Login:

use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

$username = $user['email'];
$password = $user['password']; // NOTE: must be plain-text at this point

$User = $this->container->get('doctrine')->getManager()
    ->getRepository('TixysBackendBundle:User')
    ->findOneBy(array('login' => $username));

if (!$User) throw new \Exception("User not found!");

// encode the submitted password with the encoder configured in security.yml
$factory = $this->container->get('security.encoder_factory');
$encoder = $factory->getEncoder($User);
$password = $encoder->encodePassword($password, $User->getSalt());

if ($password != $User->getPassword())
    throw new \Exception("Wrong password.");

// actual login
$token = new UsernamePasswordToken($User, null, 'secured_area', $User->getRoles());
$this->container->get('security.context')->setToken($token);

Logout:

$this->container->get('security.context')->setToken(null);
$this->container->get('session')->invalidate();

// If you've stored an instance of the previously authenticated user
// somewhere, destroy that instance, too.

At this point you don't need to care about the actual hashing algorithm, since the settings in app/config/security.yml have already been done correctly.
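The login and logout flow from the answer above, reworked as an added example (not code from the question or the answers): it lets the configured encoder verify the password instead of comparing hashes by hand, regenerates the session id on login, and keeps all state server-side so no 'email:hash' cookie is needed. It assumes a User entity implementing UserInterface, a firewall named 'secured_area' and a user provider configured in app/config/security.yml; the SessionLogin class and its wiring are hypothetical.

```php
<?php
// Added example; SessionLogin and its constructor wiring are hypothetical.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class SessionLogin
{
    private $users;    // the user provider configured in security.yml
    private $encoders; // the 'security.encoder_factory' service
    private $context;  // the 'security.context' service

    public function __construct(UserProviderInterface $users,
        EncoderFactoryInterface $encoders, SecurityContextInterface $context)
    {
        $this->users = $users;
        $this->encoders = $encoders;
        $this->context = $context;
    }

    public function login(Request $request, $username, $plainPassword)
    {
        try {
            $user = $this->users->loadUserByUsername($username);
        } catch (UsernameNotFoundException $e) {
            // same message for unknown user and wrong password
            throw new BadCredentialsException('Bad credentials.');
        }
        // the encoder from security.yml (bcrypt, salted sha512, ...) does the check
        $encoder = $this->encoders->getEncoder($user);
        if (!$encoder->isPasswordValid($user->getPassword(), $plainPassword, $user->getSalt())) {
            throw new BadCredentialsException('Bad credentials.');
        }
        // new session id on privilege change, old one destroyed (session fixation)
        $request->getSession()->migrate(true);
        $token = new UsernamePasswordToken($user, null, 'secured_area', $user->getRoles());
        $this->context->setToken($token);
        return $user;
    }

    public function logout(Request $request, Response $response)
    {
        $this->context->setToken(null);
        $request->getSession()->invalidate();   // clears data and rotates the id
        $response->headers->clearCookie('user'); // drop the old hand-made cookie
        return $response;
    }
}
```

The session cookie flags themselves (cookie_secure, cookie_httponly) belong in the framework.session section of app/config/config.yml rather than in controller code.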
