登录系统(PHP)Cookie和会话
[英]Login system (PHP) Cookies and Sessions
问题描述
I want to make a login system using cookies/sessions but I'm not sure what security and such is like with them. 
我想使用cookie / session建立一个登录系统,但我不确定它们的安全性是什么样的。
With sessions, if "login" is set to "yes", can I trust that? 对于会话,如果“login”设置为“yes”,我可以相信吗? Are users able to change what it returns? 用户是否能够改变它返回的内容? Should I just store the encrypted password and check it on every page? 我应该只存储加密密码并在每个页面上进行检查吗?
With cookies, would I have to check for things like mysql injections? 使用cookies,我是否需要检查mysql注入等内容?
This might sound like beginner stuff, but it would really help if someone could clarify it for me. 这可能听起来像初学者的东西,但如果有人能为我澄清它会真的有用。 Thanks in advance for any replies! 在此先感谢您的回复!
6 个解决方案
解决方案1
7 已采纳 2009-08-30 17:29:06
If you set a session variable, the user can't directly change it unless they hijack another session cookie. 如果设置会话变量,则除非用户劫持另一个会话cookie,否则用户无法直接更改它。
What you mainly have to watch out for is on shared hosting, your session data isn't secure (typically other sites can see it). 您主要需要注意的是共享主机,您的会话数据不安全(通常其他网站可以看到它)。
It's also worth noting that cookie data isn't secure either. 值得注意的是,cookie数据也不安全。 It shouldn't be relied upon in the same way that form data shouldn't be relied upon (no matter what client validation tells you). 它不应该依赖于不应该依赖表单数据的方式(无论客户端验证告诉你什么)。
Your best practices with passwords are: 您使用密码的最佳做法是:
- Store the password in the database in a hashed form, preferably SHA1 (first choice) or MD5 (second choice); 以密码形式将密码存储在数据库中,最好是SHA1 (第一选择)或MD5 (第二选择);
- When you receive the user's password, encrypt it and check it against what's stored in the database; 当您收到用户的密码时,对其进行加密并根据存储在数据库中的内容进行检查;
- Set the logged in username in the user session; 在用户会话中设置登录的用户名;
- Expire the cookie after some period (even if its days) rather than having it last forever; 在一段时间后(即使它的日子)过期cookie,而不是永远持续; and 和
- Use a secure connection (HTTPS not HTTP) where possible. 尽可能使用安全连接(HTTPS而不是HTTP)。 SSL certificates are cheap. SSL证书很便宜。
解决方案2
5 2009-08-30 17:45:49
As several people here have stated, do not trust user input - ever. 正如这里的几个人所说,不要相信用户输入 - 永远。 By sanitizing your input, especially username & password fields you help to ward off SQL Injection attacks. 通过清理您的输入,特别是用户名和密码字段,您可以帮助抵御SQL注入攻击。
For all that is good & holy don't store usernames or passwords in cookies, they're sent back & forth to the server on every request and anyone watching the stream can snatch that data...then you're in big trouble. 对于所有好的和神圣的东西,不要在cookie中存储用户名或密码,它们会在每次请求时来回发送到服务器,任何观看流的人都可以抢夺这些数据......然后你就麻烦了。
Here's a couple articles you should read on sessions, security and hashing - just hashing your passwords to SHA1 or MD5 isn't enough, salt them so they're even more robust. 这里有一些你应该阅读的关于会话,安全性和散列的文章 - 只是将你的密码哈希到SHA1或MD5是不够的,加盐它们以便它们更加健壮。 There's no such thing as impenetrable security - even if you do EVERYTHING right someone can break it - it's inevitable. 没有难以捉摸的安全性 - 即使你做了一切正确的人也可以打破它 - 这是不可避免的。 Your job is to make things as hard to break/exploit as possible. 你的工作是让事情尽可能难以打破/利用。
The more work involved in breaking into your site, the more valuable your content has to be to be worth the effort. 侵入您的网站所涉及的工作越多,您的内容就越值得付出努力。 Your job is to discourage malicious users. 你的工作是阻止恶意用户。
This article has some nice info on creating unique fingerprints for your visitors, helps to make session hijacking more difficult - PHP Security Guide: Sessions 本文提供了一些有关为访问者创建唯一指纹的好消息,有助于使会话劫持更加困难 - PHP安全指南:会话
This article deals with basic password hashing & salting techniques - Password Hashing 本文介绍基本密码哈希和腌制技术 - 密码哈希
This is by no means an end all & be all - you can make a career doing security and the like, but they're a good starting point. 这绝不是一个尽头而已全部 - 你可以做一个安全等事业,但他们是一个很好的起点。 Someone here can probably point to better / more advanced articles, but I've personally found these helpful in shoring up my code. 这里的某人可能会指向更好/更高级的文章,但我个人发现这些文章有助于支持我的代码。
解决方案3
3 2009-08-30 17:30:30
Rule of thumb: do not trust user input. 经验法则:不信任用户输入。 Cookies are user input, session ids that are stored in cookies are user input, http headers are user input -- these things must be triple checked for every possible thing. Cookie是用户输入,存储在Cookie中的会话ID是用户输入,http标头是用户输入 - 这些必须针对每个可能的事情进行三重检查。 Session data, on the other hand, is stored on your server, so it is more or less secure if not stored in /tmp. 另一方面,会话数据存储在您的服务器上,因此如果不存储在/ tmp中,它或多或少是安全的。
One of the most popular setups for session authorization is this: session id is stored in cookie, and everything else including password is stored in session. 会话授权最常用的设置之一是:会话ID存储在cookie中,包括密码在内的所有其他内容都存储在会话中。 After starting a session based on id from a cookie, you should get user id from session data and then check if password stored there is still valid. 在基于cookie的id启动会话后,您应该从会话数据中获取用户ID,然后检查存储在那里的密码是否仍然有效。
解决方案4
2 2010-01-14 05:33:40
A good practice to use is to have 3 variables stored. 使用的一个好习惯是存储3个变量。 One for if they are logged in, one for their username and one for a randomly generated hash (that is generated when they login and stored in a database along with the other user info). 一个用于登录,一个用于他们的用户名,一个用于随机生成的哈希值(当他们登录并与其他用户信息一起存储在数据库中时生成)。 This way, if they change their username that may be stored in their cookies, it won't match the one that was generated for that user when they logged in. 这样,如果他们更改了可能存储在Cookie中的用户名,则与用户登录时生成的用户名不匹配。
Example: Cookie data could be: logged_in = true; 示例:Cookie数据可以是:logged_in = true; user = 'admin'; user ='admin'; sessionid = [randomly generated id (I usually just md5 a randomly generated word that I create)] sessionid = [随机生成的id(我通常只是md5是我创建的一个随机生成的单词)]
Everytime they login, a new sessionid is generated and stored in the database in it's own field. 每次登录时,都会生成一个新的sessionid并将其存储在自己的字段中的数据库中。 Now if I were to change my cookie information and change the user variable to say 'user' (which would be another user they may be trying to hi-jack). 现在,如果我要更改我的cookie信息并将用户变量更改为“用户”(这可能是另一个用户,他们可能会尝试使用hi-jack)。 The sessionid would no longer match up to the one for the second user and the login would be denied. sessionid将不再匹配第二个用户的那个,并且登录将被拒绝。
Here is a quick example I stole from a CI project I worked on a couple weeks ago: 这是我几个星期前在一个CI项目中偷走的一个简单示例:
function logged(){
$logged_in = $this->session->userdata('logged_in');
if($logged_in){
$userid = $this->session->userdata('userid');
$sessionhash = $this->session->userdata('hash');
$this->db->where('id', $userid);
$this->db->where('hash', $sessionhash);
$query = $this->db->get('members');
if($query->num_rows == 1){
return TRUE;
}else{
return FALSE;
}
}
}
解决方案5
0 2009-08-30 17:32:02
Any and all user input needs to be scrutinized and sanitized religiously, be it GET and POST data, cookie data.. 任何和所有用户输入都需要仔细检查和消毒,无论是GET和POST数据,cookie数据。
To answer your question if storing the login state in a session var is safe, the answer is yes. 要回答您的问题,如果在会话var中存储登录状态是安全的,答案是肯定的。 Just remember to sanitize everything the user sends you, no matter how safe it is supposed to be. 只要记住清理用户发送给你的一切,无论它应该是多么安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.