我正在尝试添加"保持联系"登录功能,我的想法是创建一个复选框,其值为"是"如果设置了复选框并且在数据库中找到了用户密码和电子邮件,那么我将$ _COOKIE [' usigh-ses']分配给$ row [' id']。
在我的应用程序中,我使用用户ID(AUTO INCREMENT)来识别每个用户和相应的详细信息。
然后我登录并检查我的浏览器,我看到了cookie名称和内容恰好是用户ID,所以很困惑。
请告诉我这是否是一个好习惯。如果不建议我能以哪种方式实现这一目标。
有人可以使用COOKIE和值来登录或劫持我的应用程序,而无需通过登录过程吗?
下面是我的整个登录脚本:
<?php
//require connection file
require('include/dbc.php');
include ('include/functions.php');
loggedin_type();
//redirect iff session or cookie is already set and its not empty
if(loggedin()){
header("location:home?ref=log");
exit();
}
// create empty variables to hold data
$email = $password =$errors= $name= $name2= $u_avatar="";
$emailErr = $passwordErr ="";
$passwordbox =false;
$emailbox =true;
if(isset($_POST['submit'])){
if(empty($_POST['email']) || ctype_space($_POST['email'])){
$emailErr ="Please enter your email address.";
}else{
$email = trim(strtolower($_POST['email']));
//Validate for correct email
if(!filter_var($email,FILTER_VALIDATE_EMAIL)){
$emailErr ="Enter a valid email address.";
}
} //end of email
if(ctype_space($_POST['password'])){
$passwordErr ="Please enter a valid password.";
//errors ='<div class="topalerts"> Go ahead and enter your password</div>';
}
//Recheck validation
if($email !="" && !ctype_space($email) && filter_var($email,FILTER_VALIDATE_EMAIL)){
//AsK database questions
$sql = "SELECT * FROM $table_name WHERE Email ='$email' LIMIT 1";
$result = mysqli_query($dbc_conn,$sql);
$numrows =mysqli_num_rows($result);
if($numrows > 0){
while( $row =mysqli_fetch_assoc($result)){
$db_email = $row['Email'];
if($email == $db_email){
if($row['avatar'] !=NULL){
$image = $row['avatar'];
$image_url = "uploaded/$image";
if(file_exists($image_url)){
$u_avatar = $row['avatar'];
}else{
//Default profile avatar because OF ERROR OR FILE DO NOT EXIST
$u_avatar = "blank-profile.png";
}
}else{
//Default profile avatar because row AVATAR is NULL
$u_avatar = "blank-profile.png";
}
//hide email div, show password div
$name = $row["FirstName"][0];
$name2 = $row['FirstName'];
$passwordbox =true;
$emailbox =false;
//check for valid password
if(!empty($_POST['password']) and !ctype_space($_POST['password'])){
$password = md5($_POST['password']);
if( $password == $row['Password']){
$logginok =TRUE;
if($logginok ==TRUE){
//remember me feature
if(isset($_POST['remember'] ) && $_POST['remember']=="yes"){
setcookie("usigh-ses",$row['id'],time()+ 172800);
$rand = openssl_random_pseudo_bytes(16);
$serial = bin2hex($rand);
//this user is online
mysqli_query($dbc_conn,"UPDATE $table_name SET active=1 WHERE id ={$row['id']} ");
header("location:home?search=$serial");
}else{
$rand = openssl_random_pseudo_bytes(16);
$serial = bin2hex($rand);
//this user is online
mysqli_query($dbc_conn,"UPDATE $table_name SET active=1 WHERE id ={$row['id']} ");
//normal login
$_SESSION['usigh-ses']=$row['id'];
header("location:home?search=$serial");
exit();
}
}
}else{
$logginok =FALSE;
$errors ='<div class="topalerts"> The password you have entered is invalid.
Please provide a valid password of your account.</div>';
$passwordErr = 'The email and password you entered don\'t match. ';
}
}
}
}
}else{
$errors ='<div class="topalerts"> It seems you are not a registered member
or your email is incorrect.Try again.</div>';
$emailErr = "Sorry, your email could not be verified.";
}
}//end of recheck
else{
$errors ='<div class="topalerts">There were one or more errors in your submission.
Please correct the mark fields below.</div>';
}
} //end of main submit
?>
感谢您的好评。
答案 0 :(得分:0)
在Cookie中存储用户ID并仅对该信息进行身份验证是一个坏主意,因为您按顺序生成用户ID(AUTOINCREMENT),因此非常简单猜测,允许攻击者冒充其他用户。
正确的方法是生成随机标识符,将其与用户关联,并仅将随机ID存储在cookie中。这可以通过$_SESSION轻松完成(会话实际上是通过创建随机标识符并将其存储在cookie中来实现的),或者您可以通过将随机ID存储在数据库中来手动完成。
请注意,生成的ID的随机性是此处安全性的重要组成部分,并且过去对会话的攻击基于PHP生成过于可预测的伪随机数。