没有设置会话变量,php sql

时间:2016-12-25 23:32:02

标签: javascript php mysql sql

所以我的问题是我试图检查是否设置了一些会话变量,它们应该是,但是当我检查它们时它们没有值。

首先,我有这个HTML表单,它接受电子邮件和密码输入
HTML代码:

<form class="login_form" action="includes/process_login.php" method="POST" name="login_form">
    <input type="text" placeholder="Email" name="email">
    <input type="password" placeholder="Password" name="password" >
    <input type="button" value="LOGIN" class="login_button" onclick="formhash(this.form, this.form.password);">
</form>

正如你可以看到我的提交按钮首先转到一个哈希输入的javascript JAVASCRIPT CODE:

function formhash(form, password) {
    // Create a new element input, this will be our hashed password field. 
    var p = document.createElement("input");

    // Add the new element to our form. 
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value);

    // Make sure the plaintext password doesn't get sent. 
    password.value = "";
    // Finally submit the form. 
    form.submit(); 
}

完成哈希密码后,它会将表单信息发送给目标,即&#34;包含/ process_login.php&#34;

PROCESS_LOGIN.PHP代码:

<?php
include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password.

    if (login($email, $password, $mysqli) == true) {
        // Login success 
        header('Location: ../protected_page.php');
    } else {
        // Login failed 
        header('Location: ../index.php?error=1['.$email.', '.$password.']');
    }
} else {
    // The correct POST variables were not sent to this page. 
    echo 'Invalid Request';
}
?>

从这里它将$ email和$ password值发送到函数login:

功能登录代码:

function login($email, $password, $mysqli){
    if($stmt = $mysqli->prepare("SELECT id, username, password FROM users WHERE email = ? LIMIT 1")){
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();

        $stmt->bind_result($user_id, $username, $db_password);
        $stmt->fetch();

        if($stmt->num_rows == 1){
            if(checkbrute($user_id, $mysqli) == true){
                return false;
            }else{
                if (password_verify($password, $db_password)) {
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', 
                          $db_password . $user_browser);

                    return true;
                }else{
                    $now = time();
                    $mysqli->query("INSERT INTO login_attempts(user_id, time)
                                VALUES ('$user_id', '$now')");
                    return false;
                }
            }
        }else{
            return false;
        }
    }
}

现在出现了问题的一部分,在此代码中它存储了一个会话:user_id值,session:username值和session:login_string值。 但问题是会话没有存储任何东西。

因为当我被重定向到所谓的&#34; protected_pa​​ge.php&#34;然后检查是否设置了这些值,并返回它们未设置。

LOGIN_CHECK CODE(检查我们是否登录)

function login_check($mysqli){
    if (isset($_SESSION['user_id'],
              $_SESSION['username'], 
              $_SESSION['login_string']
             )) {
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
        echo $user_id;

        $user_browser = $_SERVER['HTTP_USER_AGENT'];

        if ($stmt = $mysqli->prepare("SELECT password 
                                  FROM users 
                                  WHERE id = ? LIMIT 1")) {
        $stmt->bind_param('i', $user_id);
        $stmt->execute(); 
        $stmt->store_result();
             if ($stmt->num_rows == 1) {
                $stmt->bind_result($password);
                $stmt->fetch();
                $login_check = hash('sha512', $password . $user_browser);

                if (hash_equals($login_check, $login_string) ){
                    return true;
                }else{
                    return false;
                }
             }else{
                 return false; 
             }
        }else{
            return false;
        }

    }else{
        return false; 
    }

}

很抱歉这篇文章很长,但我真的需要一些新角度。谢谢!

PS这是&#34;自定义设置会话功能&#34;

function sec_session_start(){
    $session_name = 'sec_session_id';
    session_name($session_name);

    $secure = true;
    $httponly = true;

    if(ini_set('session.use_only_cookies', 1) === FALSE){
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                             $cookieParams["path"],
                             $cookieParams["domain"],
                             $secure,
                             $httponly);

    session_start();
    session_regenerate_id(true);
}

0 个答案:

没有答案