使用cookie进行简单的PHP登录
[英]Simple PHP login with cookie
问题描述
I have begun developing this very simple PHP login that asks for a password to allow access to a website. 
我已经开始开发这个非常简单的PHP登录,要求输入密码才能访问网站。 It also creates a cookie to allow continued access until the user closes their browser window. 它还会创建一个cookie,以便在用户关闭浏览器窗口之前继续访问。
At the top of each page I check for the cookie: 在每个页面的顶部,我检查cookie:
<?php
if(!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true'))
{
include('login.php'); exit;
}
?>
If they don't then I exit and show a login form: 如果没有,那么我退出并显示登录表单:
<?php
function pageURL()
{
$pageURL = 'http';
if ($_SERVER["HTTPS"] == "on")
{
$pageURL .= "s";
}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80")
{
$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
}
else
{
$pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
}
return $pageURL;
}
$pageRedirect = pageURL();
if(isset($_POST['password']) && ($_POST['password'] == 'qwe123'))
{
setcookie('authorised', 'true'); header("Location:$pageRedirect",303);
}
else
{
include('noaccess.php'); exit;
}
?>
<form action="<?php echo pageURL(); ?>" method="post">
<input type="password" name="password" />
<input type="submit" title="I agree" value="I agree" name="submit" />
</form>
The current PHP is from an old Warning page when you had to agree to access the site, I want to modify it to work with a simple form so that if the user types a password say for example 'qwe123' then they create the cookie and then are redirected back to the page but now have access because of the cookie. 当你必须同意访问该网站时,当前的PHP来自旧的警告页面,我想修改它以使用简单的表单,以便如果用户输入密码,例如'qwe123',那么他们创建cookie并且然后被重定向回页面,但现在可以访问因为cookie。 If they get it wrong then another page is included and exited. 如果他们弄错了,则包含并退出另一页。
Can someone help me with this? 有人可以帮我弄这个吗? Thanks 谢谢
2 个解决方案
解决方案1
11 已采纳 2010-12-02 02:22:02
Please don't try to store things like "authenticated" in a client side cookie; 请不要尝试在客户端cookie中存储“已验证”之类的内容; that's incredibly insecure. 那令人难以置信的不安全感。 A user can modify anything in a cookie - so in this case, I could look up the cookie in my browser settings and then edit it to set "authenticated" to true. 用户可以修改cookie中的任何内容 - 因此在这种情况下,我可以在浏览器设置中查找cookie,然后编辑它以将“authenticated”设置为true。 I would then be logged in, without a username or password. 然后我会登录,没有用户名或密码。
Have a look at PHP's session management functions. 看看PHP的会话管理功能。 You should create a session and store any secure information server side, not client side. 您应该创建一个会话并存储任何安全的信息服务器端,而不是客户端。
An example using sessions would be the following; 使用会话的示例如下:
<?php
session_start();
$secretpassword = 'qwert1234';
$secretusername = 'foobar';
if ($_SESSION['authenticated'] == true) {
// Go somewhere secure
header('Location: secure.php');
} else {
$error = null;
if (!empty($_POST)) {
$username = empty($_POST['username']) ? null : $_POST['username'];
$password = empty($_POST['password']) ? null : $_POST['password'];
if ($username == $secretusername && $password == $secretpassword) {
$_SESSION['authenticated'] = true;
// Redirect to your secure location
header('Location: secure.php');
return;
} else {
$error = 'Incorrect username or password';
}
}
// Create a login form or something
echo $error;
?>
<form action="login.php"><input type="text" name="username" /><input type="text" name="password" /><input type="submit" value="login" /></form>
<?php
}
It's a pretty ugly example, but this covers the meat of it 这是一个非常丑陋的例子,但这涵盖了它的内容
- if the user is logged in already, do the secure stuff (of course, the secure.php script should also verify that the user is logged in) 如果用户已经登录,请执行安全操作(当然,secure.php脚本还应验证用户是否已登录)
- if the user is not logged in, but they have submitted a form, check their details 如果用户未登录,但他们已提交表单,请检查其详细信息
- if username/password incorrect, set an error messagee 如果用户名/密码不正确,请设置错误消息
- if username/password correct, send them to secure place 如果用户名/密码正确,请将它们发送到安全的地方
- if username/password incorrect, set an error messagee
- display the error message, if set 显示错误消息(如果已设置)
- display a login form 显示登录表单
You run session_start() before sending any other output; 在发送任何其他输出之前运行session_start(); this stores a session cookie on the client side, which only stores an identification number on the client side. 这会在客户端存储会话cookie,该cookie仅在客户端存储标识号。 All other data is stored on the server side, so it cannot be modified by the user. 所有其他数据都存储在服务器端,因此用户无法修改。
There are several parameters that you can set on this to improve security, including httponly (prevents the cookie from being accessed via javascript, helps against XSS attacks) and secure (only transfer the cookie over SSL). 您可以在此设置几个参数来提高安全性,包括httponly(防止通过javascript访问cookie,帮助抵御XSS攻击)和安全(仅通过SSL传输cookie)。 These should be enabled if possible. 如果可能,应启用这些。
解决方案2
0 2010-12-01 22:45:33
Just have the form submit to the page where you check the password, and it should work just fine. 只需将表单提交到您检查密码的页面,它应该可以正常工作。
However, you might have to change the $_SERVER["REQUEST_URI"]; 但是,您可能必须更改$_SERVER["REQUEST_URI"]; to a more specific page, as this will simply be the page you are currently at (the page the form submitted to). 更具体的页面,因为这只是您当前所在的页面(表单提交的页面)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.