在下面的PHP代码中,我想包括一个函数,设置cookie保持登录状态。问题是,我在google上找到的示例无法正常工作。如果用户已经登录,则应该获得一个cookie,而没有其他“保持登录状态”按钮。在每个新请求中,cookie都应立即登录用户。
<?php
// Initialize the session
session_start();
// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
header("location: index.php");
exit;
}
// Include config file
require_once "configuser.php";
// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if username is empty
if(empty(trim($_POST["username"]))){
$username_err = "Bitte Benutzernamen eingeben.";
} else{
$username = trim($_POST["username"]);
}
// Check if password is empty
if(empty(trim($_POST["password"]))){
$password_err = "Bitte Passwort eingeben.";
} else{
$password = trim($_POST["password"]);
}
// Validate credentials
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT id, username, password FROM users WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = $username;
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result variables
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)){
// Password is correct, so start a new session
session_start();
// Store data in session variables
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["username"] = $username;
//Angemeldet bleiben:
// Redirect user to welcome page
header("location: index.php");
} else{
// Display an error message if password is not valid
$password_err = "Passwort falsch.";
}
}
} else{
// Display an error message if username doesn't exist
$username_err = "Benutzername oder Passwort falsch.";
}
} else{
echo "Störung.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
<!DOCTYPE html>
答案 0 :(得分:1)
在确认密码后设置cookie:
if(password_verify($password, $hashed_password)) {
// Password is correct, so start a new session
session_start();
// store user data in cookie
setcookie('user', json_encode([
'username' => $username,
'password' => $password
]), time() + 3600 * 24 * 30);
然后在会话中检查loggedin变量之前,检查cookie(请注意此处的注释行):
// Check if there is an already logged in user in the cookie and then set its data to the session
if(isset($_COOKIE['user']) && !isset($_SESSION["loggedin"])) {
$user = json_decode($_COOKIE['user'], true);
// do the stuff to check if there is a user with $user['username'] and $user['password'] in the database, then if there is one, do as below :
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $userId; // retrieved from database
$_SESSION["username"] = $user['username'];
// else if there is no user with that credentials from cookie, do the following to prevent further checking on database :
$_SESSION["loggedin"] = false;
}
// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
要在注销用户时销毁cookie,请使用unset,就像@DakshMehta对此所说的那样:
unset($_COOKIE['user']);
警告:由于安全问题,不建议将用户密码存储在cookie中。因此,也许您想实现基于令牌的身份验证,该身份验证会在短时间后或至少在每次登录时刷新令牌。使用json网络令牌(jwt)可以在此主题上有所帮助,并且此软件包在php中实现了jwt:firebase/php-jwt 您应该意识到令牌的作用与密码完全相同,因此,将令牌存储在cookie中时,应考虑本文最后一节中提到的一些安全提示:Where to Store your JWTs – Cookies vs HTML5 Web Storage