CakePHP: one user gets another user's session

Time: 2015-01-19 15:33:46

Tags: php security session cakephp cakephp-2.5

I am developing with CakePHP 2.5.6 and I have run into a problem with users accessing other users' information.

When a user (say User1) registers and fills in some optional fields in their profile, and another user (User2) from the same IP registers/logs in without filling in the optional information, then User2 sees User1's optional information (in the fields left empty). Whether User1 clicks logout or not seems to make no difference. I store some main cross-site information in the session, such as username, email, profile image, etc.

In core.php I have a very basic setup, like

Configure::write('Session', array(
    'defaults' => 'cake',
    'checkAgent' => true,
));
Configure::write('Security.level', 'low');

Login goes through UsersController.php, which has a separate view, like

public function login() {
    // Destroy old users' data just in case
    $this->Session->destroy();
    $this->Cookie->delete('rememberMe');

    // if already logged-in, redirect
    if (AuthComponent::user('id')) {
        if (isset($this->request->data['User']['rememberMe'])) {
            if ($this->request->data['User']['rememberMe'] == "on") {
                unset($this->request->data['User']['rememberMe']);
                $cookieTime = "12 months";
                $this->request->data['User']['password'] = Security::hash($this->request->data['User']['password']);
                $this->Cookie->write('rememberMe', $this->request->data['User'], true, $cookieTime);
            }
        }

        // store the user's language preference in the session and the config
        $id = AuthComponent::user('id');
        $this->User->id = $id;
        $this->Session->write('Config.language', $this->User->field("language"));
        Configure::write('Config.language', $this->User->field("language"));

        $this->redirect(array('controller' => 'dashboard', 'action' => 'index'));
    }
    // if we get the post information, try to authenticate
    else if ($this->request->is('post')) {
        $user = $this->User->findByUsername($this->request->data['User']['username']);
        $this->Session->write('Config.language', $user['User']['language']);
        Configure::write('Config.language', $user['User']['language']);

        if ($user['User']['connected'] == null) {
            $this->Session->setFlash(__('Unverified user, please check your email and verify your account'), 'flash_error');
        } else {
            // lock out accounts with too many failed attempts, then authenticate
            if ($user['User']['tries'] <= 7 && $this->Auth->login()) {
                if (isset($this->request->data['User']['rememberMe']) && $this->request->data['User']['rememberMe'] == "on") {
                    unset($this->request->data['User']['rememberMe']);
                    $cookieTime = "12 months";
                    $this->request->data['User']['password'] = Security::hash($this->request->data['User']['password']);
                    $this->Cookie->write('rememberMe', $this->request->data['User'], true, $cookieTime);
                }

                $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash(__('Invalid username or password'), 'flash_error');
            }
        }
    }
}

and logout should just destroy everything

public function logout() {
    $this->Session->destroy();
    $this->Cookie->delete('rememberMe');
    $this->redirect($this->Auth->logout());
}

Now, my question is: can I change/fix this in CakePHP, or do I have to change php.ini or server settings? What could be causing it?

Thanks for any help and tips!

0 answers:

No answers
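A defensive pattern for the symptom described in the question, as an added example that is not part of the original post: cached profile data in the session is keyed by the authenticated user's id and discarded whenever it belongs to someone else, and the session id is regenerated after each successful login. It uses the CakePHP 2.x Session and Auth component API; the `Profile` session key, the `User` model and its field names are assumptions.

```php
<?php
// Added example, not the question author's code: a CakePHP 2.x AppController that
// regenerates the session id after a successful login and keys the cached profile
// data by the owning user's id. 'Profile' key, 'User' model and its fields are assumed.
App::uses('Controller', 'Controller');
App::uses('AuthComponent', 'Controller/Component');
App::uses('ClassRegistry', 'Utility');

class AppController extends Controller {
    public $components = array('Session', 'Auth');
    public function beforeFilter() {
        parent::beforeFilter();
        $this->syncProfileCache();
    }
    // Call right after $this->Auth->login() returns true in the login action.
    protected function afterLoginSuccess() {
        $this->Session->renew();           // fresh session id for the new login
        $this->Session->delete('Profile'); // never inherit another login's cache
        $this->syncProfileCache();
    }
    // Session['Profile'] is tied to the authenticated user id, not to the client.
    protected function syncProfileCache() {
        $userId = AuthComponent::user('id');
        $ownerId = $this->Session->read('Profile.owner_id');
        if (!$userId) {
            $this->Session->delete('Profile'); // nobody logged in: no leftovers
            return;
        }
        if ($ownerId !== null && (string)$ownerId === (string)$userId) {
            return; // cache already belongs to this user
        }
        $this->Session->delete('Profile');
        $user = ClassRegistry::init('User')->find('first', array(
            'conditions' => array('User.id' => $userId),
            'fields' => array('id', 'username', 'email', 'profile_image'),
            'recursive' => -1,
        ));
        if (!$user) {
            $this->Auth->logout(); // Auth data points at no user: force re-login
            return;
        }
        $this->Session->write('Profile', array(
            'owner_id' => $user['User']['id'],
            'username' => $user['User']['username'],
            'email' => $user['User']['email'],
            'profile_image' => $user['User']['profile_image'],
        ));
    }
}
```

Views then read profile fields from `Profile.*` rather than from values written ad hoc during login, so a request can only ever see data fetched for the user the Auth component currently reports.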