
PHP authentication - members area versus extra content on public page

I'm trying to think out my user authentication system for a site in development and have read many of the posts on Stack Overflow and elsewhere to get my head around this. I found a couple of options; I was wondering if this one looks like a decent starting point:

http://php.about.com/od/finishedphp1/ss/php_login_code_6.htm

It appears to encrypt the passwords and avoid some of the obvious pitfalls.

Also, perhaps a silly question, but I want to use the authentication for 2 reasons:

1. To provide the user with some extra functionality on an otherwise public page. (Think "Hello [username]" at the top of the page.)
2. To provide user access to private pages also.

These 2 types of applications (login = added stuff on a public page versus login = access to a private page) are reliant on the same authentication, right?

In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?

Please let me know if I'm asking for trouble by using an about.com tutorial for this....

Thanks in advance.

FOLLOW-UP EDIT: Ok, so the about.com tutorial has some holes. I found a more complete system below that appears to use SHA1 encryption instead. This also has an email verification for new users and some other nice functionality. At first glance, does this seem like a solid route to take?

http://www.unlimitedtree.com/topic/1503-tutadvanced-login-member-system-php-tutorial/

Yes, you are asking for trouble. There are several reasons why I would avoid the about.com approach:

  • User name and password are stored on the client side. You'll never want to do that. First: if a malicious attacker gets access to the cookie, he can use the id and password hash to take over the account. Second: there are huge data sets out in the wild called rainbow tables which allow malicious attackers to find out which string (= password) results in the given hash. This means that if you don't have a long/complicated password, someone may use the rainbow tables to get your clear-text password and try it on this and other websites you are registered to.
  • The variable $username is used unchecked and unfiltered. Hello SQL Injection.
  • The password is encrypted using a simple md5() function. MD5 puts you at the risk of hash collisions. Nowadays you should use better hash functions like SHA-1 and use salt.

Security is a complex topic. I recommend using the well-tested authentication and authorization solutions provided by established frameworks. Also think about OpenID.

A few PHP frameworks and their auth components:

Concerning your question:

In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?

Yes. You have to differentiate between Authentication and Authorization. The former helps you identify who the user is and the latter helps you find out what the user is allowed to do. Read this short introduction to learn about the topic.
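To make the three bullet points and the authentication/authorization distinction concrete, here is an added PHP example that is not part of the question or of the answer above. It puts the pattern the answer criticises (interpolating $username into the query, an unsalted md5(), the password hash in a cookie) next to a hardened version that uses a PDO prepared statement, password_hash()/password_verify() (standard PHP since 5.5, which is later than the answer) and a server-side session, and then shows that both "Hello [username]" on a public page and a members-only page read the same session. The `users` table layout, the SQLite in-memory database and the `/login.php` redirect target are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer.
// Assumed schema: users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT).

// --- BEFORE: the pattern the answer warns against. Shown only for contrast. ---
function login_insecure(PDO $db, string $username, string $password): bool
{
    // $username goes straight into the SQL text: classic SQL injection.
    $row = $db->query("SELECT id, password_hash FROM users WHERE username = '$username'")
              ->fetch(PDO::FETCH_ASSOC);
    // Unsalted MD5: a rainbow table recovers common passwords from the stored hash.
    if ($row !== false && $row['password_hash'] === md5($password)) {
        // Credentials stored client-side: whoever steals the cookie owns the account.
        setcookie('user', $username, time() + 86400);
        setcookie('pass', $row['password_hash'], time() + 86400);
        return true;
    }
    return false;
}

// --- AFTER: parameterised query, salted adaptive hash, opaque session id. ---
function register(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt and stores it inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // The driver sends $username as a bound value, never as SQL text.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes with the stored salt and compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Only a random session id reaches the browser; the credentials stay on the server.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}

// Authentication: "who is this?" One function serves both uses from the question.
function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

// Use 1: extra content on an otherwise public page.
function greeting(): string
{
    $user = current_user();
    return $user === null
        ? 'Hello, guest'
        : 'Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

// Use 2: a private page. Authorization: "is this user allowed here?"
function require_login(): void
{
    if (current_user() === null) {
        header('Location: /login.php', true, 302);   // assumed login page
        exit;
    }
}

// Stand-alone demonstration against a constructed in-memory database.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
register($db, 'alice', 'correct horse battery staple');

var_dump(login($db, "alice' OR '1'='1", 'anything'));          // bool(false): the quote is just data
var_dump(login($db, 'alice', 'wrong password'));               // bool(false)
var_dump(login($db, 'alice', 'correct horse battery staple')); // bool(true)
echo greeting(), "\n";                                         // Hello alice
```

Run it from the command line with `php example.php` (the pdo_sqlite extension must be enabled). In a real site the `session_start()` call, the database handle and the `login()` call would live in the request handler, while `greeting()` goes on any public page and `require_login()` at the top of every members-only page; the point the answer makes is visible in the code: the public page and the private page consult the same session, and only the private page adds an authorization decision on top of it.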

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original source.
