PHP安全会话无法正常工作

时间:2017-03-30 17:35:10

标签: php html session

我想弄清楚如何使会话安全。我已经做了很多研究并找到了我想要的东西,但是安全会话工作不正确,并且该网站没有说明如何修复它。

在查看代码时,

测试1将失败

但在运行时,需要通过。

当您拉取$ _SESSION变量时,Test1中没有任何内容。

我注意到的是,如果我在加密后加上$ _SESSION,它会接受它。

该功能来自以下网站:http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL 

 $_SESSION['user_id'] = 'test';
 $_SESSION['username'] = 'john';
 $_SESSION['login_string'] = '1234';

 echo 'Session Set<br>';

 sec_session_start();

 // Testing $session pass or fail.

 echo 'test1<br>';

 if (isset($_SESSION['user_id'], 
 $_SESSION['username'], 
 $_SESSION['login_string'])){
 echo 'test: Pass'; 
 } else {
 echo 'test: failed';   
 }

 echo '<br>';
 echo 'test2<br>';

 $_SESSION['user_id'] = 'test';
 $_SESSION['username'] = 'john';
 $_SESSION['login_string'] = '1234';

 echo 'Session Set<br>';

 if (isset($_SESSION['user_id'], 
 $_SESSION['username'], 
 $_SESSION['login_string'])){
 echo 'test: Pass'; 
 } else {
 echo 'test: failed';   
 }


// Function from following site: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
 function sec_session_start() {
     $session_name = 'sec_session_id';   // Set a custom session name
     /*Sets the session name. 
      *This must come before session_set_cookie_params due to an undocumented bug/feature in PHP. 
      */
     session_name($session_name);

     $secure = true;
     // This stops JavaScript being able to access the session id.
     $httponly = true;
     // Forces sessions to only use cookies.
     if (ini_set('session.use_only_cookies', 1) === FALSE) {
         header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
         exit();
     }
     // Gets current cookies params.
     $cookieParams = session_get_cookie_params();
     session_set_cookie_params($cookieParams["lifetime"],
         $cookieParams["path"], 
         $cookieParams["domain"], 
         $secure,
         $httponly);

     session_start();            // Start the PHP session 
     session_regenerate_id(true);    // regenerated the session, delete the old one. 
 }

 // remove all session variables
 session_unset(); 

 // destroy the session 
 session_destroy(); 

 ?>

1 个答案:

答案 0 :(得分:0)

网站:http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

如果你查看这个订单,我已经分解了我正在获取代码的网页上发生的事情。

当它到达protected_pa​​ge.php时,它没有任何$ _SESSION信息要测试。

最后一个IF语句未检测到$ _SESSION变量。

 index.php
    db_connect.php > Include_Once
        psl-config.php
    functions.php - sec_session_start()
        session_start();
    process_login.php 

    process_login.php > POST from INDEX.PHP
        db_connect.php > Include_Once
            psl-config.php
        functions.php - sec_session_start()
            session_start(); 
        functions.php - login()
            functions.php - checkbrute()
            $_SESSION['user_id'] = $user_id;
            $_SESSION['username'] = $username;
            $_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);
    protected_page.php

    protected_page.php > Sending $_SESSION, but $_SESSION does not come through.
            db_connect.php > Include_Once
                psl-config.php
            functions.php - sec_session_start()
                session_start();
            functions.php - login_check()
                 if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) { 
                    } else { 
                    Failed
                    }
相关问题
最新问题