
LightOpenID regarding protecting web pages

So I have the example-google.php script working; after logging in it throws the default "user string has logged in" message. But my question is, how does this protect anything?

Let's say I have //127.0.0.1/example-google.php and I add an href to //127.0.0.1/abc.php after the login is successful.

Well, what keeps someone from just typing 127.0.0.1/abc.php? Granted, I could use $_SESSION to verify that "someone" logged in. But is that going to be enough? Is there a way to re-verify that the user trying to access abc.php is truly logged in when thrown there from the other page?

Generally, the idea is that you use the session store, indeed.

For example, on my site I have an OpenID login using Steam Community. When a user logs in, after the mode/validate checks etc. from the LightOpenID example, I save their unique identifier in the session store (in this case a SteamID, in your case presumably an email address), then can just use this freely for subsequent requests.

As the session store is server-side, a user cannot impersonate another one without gaining their session cookie (session hijacking is another topic that someone else can go into in much more detail, but I'll give it a shot if requested), but most attacks will be defeated by also storing and validating the requesting IP address.
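As an added example of the session-store gating this answer describes (it is not code from the answer, the question or the LightOpenID project): a small auth.php that the login page calls once LightOpenID's validate() has returned true, and that abc.php includes as its first line. The names login_user(), current_user(), require_login(), logout_user() and the openid_user session key are this example's own assumptions. The IP check is implemented as the answer suggests, but behind a switch, because users on mobile carriers or behind rotating proxies change address mid-session and would be logged out by it.

```php
<?php
// auth.php: added example of server-side session gating for pages behind a
// LightOpenID login. Not part of the original post or of LightOpenID.
// Assumes PHP 7.4+ and a login page that calls login_user() only after
// $openid->validate() returned true.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800;  // seconds of inactivity before a new login is required
const BIND_SESSION_TO_IP = true;  // rejects a stolen cookie replayed from another address,
                                  // at the cost of dropping users whose IP changes (mobile, NAT)

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                          // cookie expires with the browser
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),  // TLS-only when the site runs on HTTPS
        'httponly' => true,                       // unreadable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once by the login page after LightOpenID validated the provider's response.
function login_user(string $identity, ?string $email): void
{
    start_secure_session();
    session_regenerate_id(true);   // fresh id on login so a pre-planted id is useless (fixation)
    $_SESSION['openid_user'] = [
        'identity' => $identity,   // the claimed OpenID URL; this is the stable key
        'email'    => $email,      // AX attribute, informational only
        'ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
        'seen_at'  => time(),
    ];
}

// Returns the logged-in user, or null when there is no valid session.
function current_user(): ?array
{
    start_secure_session();
    $u = $_SESSION['openid_user'] ?? null;
    if ($u === null) {
        return null;
    }
    $idle_expired = (time() - $u['seen_at']) > SESSION_IDLE_LIMIT;
    $ip_changed   = BIND_SESSION_TO_IP && $u['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '');
    if ($idle_expired || $ip_changed) {
        logout_user();             // treat as stale or hijacked: the cookie stops working
        return null;
    }
    $_SESSION['openid_user']['seen_at'] = time();
    return $u;
}

// First line of abc.php. Typing the URL by hand without a valid session
// redirects to the login page; the session, not the link, is the gate.
function require_login(string $login_url = '/example-google.php'): array
{
    $u = current_user();
    if ($u === null) {
        start_secure_session();
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';  // come back here after login
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return $u;
}

function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// abc.php then reduces to:
//   <?php require 'auth.php'; $user = require_login();
//   echo 'Members only. Hello ' . htmlspecialchars($user['email'] ?? $user['identity']);
```

The point the question is circling is that abc.php never needs to "re-verify with the other page": the provider's answer was verified once, server-side, and from then on the session id in the cookie is the only thing the browser presents. Protecting that cookie (HttpOnly, Secure, regeneration at login, a timeout) is therefore what protects abc.php.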

I keep a couple of MySQL tables (one for sessions and one for user information), store session information in the session table, and include a reference to the users table. When a user successfully logs in with their OID provider they are sent back to my site with the confirmation from the provider. I keep track of my user from then on via their session id.

I wipe the session if they choose to log out, but keep the user info for comments/posts on the site to track who said what.

I actually put a link to "?login={service}" which sends the request to the OID provider and redirects back to that page; on return from the provider it takes the successful login, stores the appropriate information and redirects the user back to the original page where they clicked the "login" button for whichever {service}. You only display the "members only" content if they are verified via OID. You don't create a standard HTML page at abc.php without any sort of way to confirm ID, and I think the header redirect is important because it cleans up the URL displayed in the address bar.
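The "?login={service}" round trip this answer describes (link, provider, back to the site, header redirect to the original page), written out as an added example; it is not the answer's own code. It uses the real LightOpenID 1.x API from example-google.php (constructor taking the host, identity, required, authUrl(), mode, validate(), getAttributes()) and assumes a hypothetical auth.php that exposes start_secure_session() and login_user($identity, $email) to store the validated identity in $_SESSION. The Google identity URL is the one example-google.php used; Google retired its OpenID 2.0 endpoint in 2015, so it is kept here as an assumption about the provider rather than a live service. The return_to check is this example's own addition: a redirect target taken from the request must stay on the site, or the login link becomes an open redirect.

```php
<?php
// login.php: added example of the "?login={service}" round trip. Not the
// original answer's code. Assumes LightOpenID's openid.php beside this file
// and a hypothetical auth.php exposing start_secure_session() and
// login_user($identity, $email), which stores the validated identity in $_SESSION.
declare(strict_types=1);
require 'openid.php';
require 'auth.php';

// Service name -> OpenID identity URL (assumed values: the Google endpoint is the one
// example-google.php used and has since been retired; Steam Community is the provider
// the first answer names).
$services = [
    'google' => 'https://www.google.com/accounts/o8/id',
    'steam'  => 'https://steamcommunity.com/openid',
];

// Only ever redirect to a path on this site, so return_to cannot become an open redirect.
function same_site_path(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '/';
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], $_SERVER['HTTP_HOST'] ?? '') !== 0) {
        return '/';
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';   // rejects relative paths and protocol-relative "//evil.example"
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

start_secure_session();
$openid = new LightOpenID($_SERVER['HTTP_HOST']);   // host used for realm and return_to

if (!$openid->mode) {
    // Leg 1: the user clicked "?login=google" (or steam) somewhere on the site.
    $service = $_GET['login'] ?? '';
    if (!isset($services[$service])) {
        http_response_code(400);
        exit('unknown login service');
    }
    // Remember where they came from; fall back to "/" when the referer is unusable.
    $_SESSION['return_to'] = same_site_path($_SERVER['HTTP_REFERER'] ?? '/');
    $openid->identity = $services[$service];
    if ($service === 'google') {
        $openid->required = ['contact/email'];   // AX request, same as example-google.php
    }
    header('Location: ' . $openid->authUrl(), true, 302);
    exit;
}

if ($openid->mode === 'cancel') {
    exit('User has cancelled authentication!');
}

// Leg 2: the provider sent the browser back with openid.* parameters in the query
// string. validate() checks the signature with the provider server-side; nothing in
// that URL is trusted until it returns true.
if (!$openid->validate()) {
    http_response_code(403);
    exit('OpenID validation failed');
}
$attrs = $openid->getAttributes();
login_user($openid->identity, $attrs['contact/email'] ?? null);

// Leg 3: back to the page that carried the login link. The redirect also drops the
// openid.* parameters from the address bar, which is the clean-up the answer mentions.
$dest = $_SESSION['return_to'] ?? '/';
unset($_SESSION['return_to']);
header('Location: ' . $dest, true, 302);
exit;
```

Every page that shows members-only content then consults the session (for instance through a require_login() guard in auth.php) rather than anything in the URL; the openid.* parameters exist only for the one request that validate() consumes.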
