我正在为管理后端创建一个登录页面。由于某种原因,我的表单不会将我重定向到受保护的索引页面。我觉得我错过了一些非常简单的东西。
登录表格
<?php
include_once '../db/db_connect.php';
include_once '../db/functions.php';
sec_session_start();
if (login_check($mysqli)==true) {
$logged='in' ;
} else {
$logged='out' ;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<title>Login | Duplin County Employee Portal</title>
<!-- Bootstrap Core CSS -->
<link href="../bower_components/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
<!-- MetisMenu CSS -->
<link href="../bower_components/metisMenu/dist/metisMenu.min.css" rel="stylesheet">
<!-- Custom CSS -->
<link href="../dist/css/sb-admin-2.css" rel="stylesheet">
<!-- Custom Fonts -->
<link href="../bower_components/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-4 col-md-offset-4">
<div class="login-panel panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Please Sign In</h3>
</div>
<div class="panel-body">
<?php if (isset($_GET[ 'error'])) { echo '<p class="error">Error Logging In!</p>'; } ?>
<form action="../db/process_login.php" method="post" name="login_form">
<fieldset>
<div class="form-group">
<input class="form-control" placeholder="UserName" type="text" name="username" autofocus/>
</div>
<div class="form-group">
<input class="form-control" placeholder="Password" type="password" name="password" id="password" />
</div>
<div class="checkbox">
<label>
<input name="remember_me" id="remember_me" type="checkbox" value="Remember Me" checked="checked">Remember Me
</label>
</div>
<input class="btn btn-lg btn-success btn-block" type="button" value="Login" onclick="formhash(this.form, this.form.username, this.form.password);" />
</fieldset>
</form>
<?php if (login_check($mysqli)==true) { echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION[ 'username']) . '.</p>'; echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>'; } else { echo '<p>Currently logged ' . $logged . '.</p>'; echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>"; } ?>
</div>
</div>
</div>
</div>
</div>
<!-- jQuery -->
<script src="../bower_components/jquery/dist/jquery.min.js"></script>
<!-- Bootstrap Core JavaScript -->
<script src="../bower_components/bootstrap/dist/js/bootstrap.min.js"></script>
<!-- Metis Menu Plugin JavaScript -->
<script src="../bower_components/metisMenu/dist/metisMenu.min.js"></script>
<!-- Custom Theme JavaScript -->
<script src="../dist/js/sb-admin-2.js"></script>
</body>
</html>
处理登录PHP
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['username'], $_POST['p'])) {
$username = $_POST['username'];
$password = $_POST['p']; // The hashed password.
if (login($username, $password, $mysqli) == true) {
// Login success
header('Location: ../pages/index.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
安全会话功能
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
登录功能
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM users
WHERE username = ?
LIMIT 1")) {
$stmt->bind_param('s', $username); // Bind "$username" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($users_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($users_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$users_id = preg_replace("/[^0-9]+/", "", $users_id);
$_SESSION['users_id'] = $users_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$users_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
我很肯定这个问题出现在这三个文件中。你能给我的任何帮助都会很棒。