<?php
session_start();
include("connect.php");
$timeout = 60 * 30;
$fingerprint = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
if(isset($_POST['userName']))
{
$user = mysql_real_escape_string($_POST['userName']);
$password = mysql_real_escape_string($_POST['password']);
$matchingUser = mysql_query("SELECT * FROM `users` WHERE username='$user' AND password=MD5('$password') LIMIT 1");
if (mysql_num_rows($matchingUser))
{
if($matchingUser['inactive'] == 1)//Checks if the inactive field of the user is set to one
{
$error = "Your e-mail Id has not been verified. Check your mail to verify your e-mail Id. However you'll be logged in to site with less privileges.";
$_SESSION['inactive'] = true;
}
$_SESSION['user'] = $user;
$_SESSION['lastActive'] = time();
$_SESSION['fingerprint'] = $fingerprint;
}
else
{
$error = "Invalid user id";
}
}
if ((isset($_SESSION['lastActive']) && $_SESSION['lastActive']<(time()-$timeout)) || (isset($_SESSION['fingerprint']) && $_SESSION['fingerprint']!=$fingerprint)
|| isset($_GET['logout'])
)
{
setcookie(session_name(), '', time()-3600, '/');
session_destroy();
}
else
{
session_regenerate_id();
$_SESSION['lastActive'] = time();
$_SESSION['fingerprint'] = $fingerprint;
}
?>
这只是 http://en.wikibooks.org/wiki/PHP_Programming/User_login_systems 的修改版本
setcookie(session_name(), '', time()-3600, '/');
在这里做什么?
这是一个错误: 我使用这个登录表单:
<?php
if(!isset($_SESSION['user']))
{
if(isset($error)) echo $error;
echo '<form action="' . $_SERVER["PHP_SELF"] . '" method="post">
<label>Username: </label>
<input type="text" name="userName" value="';if(isset($_POST['userName'])) echo $_POST["userName"]; echo '" /><br />
<label>Password: </label>
<input type="password" name="password" />
<input type="submit" value="Login" class="button" />
<ul class="sidemenu">
<li><a href="register.php">Register</a></li>
<li><a href="forgotPassword.php">Forgot Password</a></li>
</ul>
</form>';
}
else
{
echo '<ul class="sidemenu">
<li>' . $_SESSION['user'] . '</li>
<li><a href="' . $_SERVER["PHP_SELF"] . '?logout=true">Logout</a></li>
</ul>';
}
?>
错误是当我注销时,页面保持不变,即没有显示登录表单,但显示相同的注销和用户。当我刷新页面时,它变得正常。
最佳答案
当您注销时,首先,您正在排队销毁 cookie(这将在发送响应后发生),然后立即呈现您的页面。浏览器没有机会在呈现之前删除 cookie,并且您的 $_SESSION
变量仍然存在。
PHP 文档关于 session_destroy
的说法:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.
一个解决方案是,不是破坏 session 和 cookie,而是简单地取消设置会导致身份验证的变量:
unset($_SESSION['user']);
unset($_SESSION['lastActive']);
unset($_SESSION['fingerprint']);
请注意:我建议将您的代码拆分为函数。这将使它更有组织性和可读性(如果你做对了,可以重用)。
关于php - 这段代码安全吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/478251/