我已阅读很多关于安全cookie的文章,并下载了大量代码示例。我试图将它集成到我的登录系统中但是徒劳无功。
我有会议,他们工作得很好。
我也在这里使用PHP PDO,因为它比mysqli更安全。我不知道它是否会影响cookie集成。
让我向您展示我尝试集成Cookie的代码。
的login.php
<html>
<head>
<?php
require_once("meta.inc");
?>
</head>
<body>
<a href="index.php">Back to the index page</a><br/><br/>
<?php
//Show message after registration that user can login with a generated password
if($_GET['message']) {
$message = $_GET['message'];
echo $message;
}
?>
<form class="bootstrap-frm" name="register" method="post" action="loginprocess.php">
<h1>Login</h1>
<?php
if (isset($_GET['both'])) {
echo "Both the email and password should be submitted";
}
?>
<?php
if (isset($_GET['failed'])) {
echo "No such email exist or wrong password";
}
?>
<label>
<?php
if (isset($_GET['invalid_email'])) {
echo "Enter a valid email";
}
?>
<span>Email:</span>
<input type="email" id="name" placeholder="Enter your email" name="email" />
</label>
<label>
<?php
if (isset($_GET['pass_4'])) {
echo "Your password should be more than 4";
}
?>
<span>Password:</span>
<input type="password" id="email" placeholder="Enter your password" name="password" />
</label>
<label>
<span>Remember Me</span>
<input type="checkbox" name="autologin" value="1">
</label><br/>
<label>
<span> </span>
<input type="submit" name="submit" value="Login" class="button">
</label>
</form>
<p>Forgot your password? Click <a href="forgot_password.php">Here</a></p>
<?php
require_once("footer.inc");
?>
</body>
</html>
loginprocess.php
<?php
error_reporting(E_ALL ^ E_NOTICE);
session_start(); // Start Session
header('Cache-control: private'); // IE 6 FIX
// always modified
header('Last-Modified: ' . gmdate("D, d M Y H:i:s") . ' GMT');
// HTTP/1.1
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);
// HTTP/1.0
header('Pragma: no-cache');
// ---------- Cookie Info ---------- //
$cookie_name = 'siteAuth';
$cookie_time = (3600 * 24 * 30); // 30 days
//Set necessary variables
$email = filter_var($_POST['email'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
$autologin = $_POST['autologin'];
// check that both the email, password have been submitted
if(!isset($email, $password)) {
header("Location: login.php?both=" . urlencode($both));
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header("Location: login.php?invalid_email=" . urlencode($invalid_email));
}
// check the password length
elseif(strlen($_POST['password']) < 5) {
header("Location: login.php?pass_4=" . urlencode($pass_4));
}
else {
// now we can encrypt the password
$password = sha1($password);
require("includes/config.php");
$stmt = $db->prepare("SELECT * FROM users WHERE email = :email AND password = :password");
// bind the parameters
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR, 40);
// execute the prepared statement
$stmt->execute();
//check if there is nos such a email in the database
$row = $stmt->rowCount();
if ($row == false) {
header("Location: login.php?failed=" . urlencode($failed));
}
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
if($row['user_id'] == 67) {
// if it is admin account then create S_SESSION['admin'] in order to use it everywhere on the site and redirect to the admin page after successful login
$_SESSION['admin'] = $row['user_id'];
header("Location: index.php");
}
elseif ($row['user_id'] != 67) {
if($autologin == 1) {
$password_hash = sha1($password);
// if we do have a result, redirect to the index.php page
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['username'] = $row['username'];
$_SESSION['email'] = $row['email'];
setcookie ($cookie_name, 'eml='.$_SESSION['email'].'&hash='.$password_hash, time() + $cookie_time);
header("location: index.php");
}
}
}
}
$db = null;
?>