创建登录系统的最佳方法是什么？

Question

I am always wondering that the login systems I have created is vulnerable to attacks or not.

As many other programmers I also use sessions to hold a specific token token to know the login status. Cookies to hold the username or even sometime saved status.

What I am wondering is, Is this the right way? Is there any approach better than this?

Answer 1

You could create your own custom checks on the session. Make sure it's created by the same user agent and from the same IP address.

Other than that, sessions are pretty solid.

In the login section, you would do something like:

$_SESSION['_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['_remote_addr'] = $_SERVER['REMOTE_ADDR'];

and then you can do a check in every request:

function sessionIsOK ()
{
    return ($_SESSION['_user_agent'] == $_SERVER['HTTP_USER_AGENT'] &&
        $_SESSION['_remote_addr'] == $_SERVER['REMOTE_ADDR']);
}

Answer 2

我认为是否使用https很重要：如果使用http而不是https，则系统存在许多漏洞：例如重播和中间人/中继。

Answer 3

An alternative to the common PHP login systems is HTTP authentication. This doesn't require the use of sessions/cookies. Especially the HTTP Digest authentication is more secure than unencrypted <form> logins. (Most shared hosting providers don't provide SSL. And if, most FLOSS webapps rarely set it up.)

However, there are some usability drawbacks, which can only be alleviated by heavy DHTML/AJAX use. And it drains server performance a little. And most important: it's too difficult to implement right for most programmers.

If a simple PHP login system is sufficient, depends on the type of your application.