I'm trying to learn more about password hashing, secure logins and so on, so I tried to replicate this example here. I didn't copy it 100%.

The problem I'm running into is that when I enter my login credentials, the form goes to the process_login.php script, which verifies the password etc. and sets the $_SESSION variables. On success it should redirect to protected.php, a page that should only be reachable once the user is logged in.

For me it doesn't work, simply because the $_SESSION variables disappear!

I'm at the point where the process_login.php script shows me that $_SESSION is set; then I use header("Location: protected.php"); and it tells me the $_SESSION array is empty. How can this be? I'm missing the boat here...

Here are the relevant parts of the code:
process_login.php
<?php
include_once 'connect.php';
include_once 'functions.php';
sec_session_start();

if (isset($_POST['eml'], $_POST['h'])) {
    $email    = $_POST['eml'];
    $pwd_hash = $_POST['h']; // the hashed password field from the form
    if (login($email, $pwd_hash, $mysqli) == true) {
        // in my situation, this returns true
        // and the redirect to "protected.php" happens
        header('Location: protected.php');
        exit; // header() does not stop the script; nothing below must run after a redirect
    } else {
        header("Location: error?err=Wrong password");
        exit;
    }
} else {
    exit('Invalid Request');
}
The login() function
function login($email, $password, $mysqli) {
    if ($stmt = $mysqli->prepare("SELECT id, email, pwd, salt FROM public WHERE email=? LIMIT 1")) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $email, $db_password, $salt);
        $stmt->fetch();
        // Re-hash the submitted value with the stored salt so it can be compared to pwd
        $password = crypt($password, $salt);

        // Every login_activity insert goes through one prepared statement:
        // $email and the remote address come from the client and must never
        // be interpolated into the SQL string.
        $log = $mysqli->prepare("INSERT INTO login_activity (user, status, ip) VALUES (?, ?, ?)");
        $ip  = $_SERVER['REMOTE_ADDR'];

        if ($stmt->num_rows == 1) {
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                $status = "3";
                $log->bind_param('sss', $email, $status, $ip);
                $log->execute();
                sleep(8);
                header("Location: ../error?err=The account you try to access is currently blocked.");
                return false;
            } else {
                // Check if the password in the database matches
                // the password the user submitted (constant-time comparison).
                if (hash_equals($db_password, $password)) {
                    // Password is correct!
                    // Get the user-agent string of the user.
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    // XSS protection as we might print this value
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    $status = "1";
                    $uid = $_SESSION['user_id'];
                    $log->bind_param('sss', $uid, $status, $ip);
                    $log->execute();
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $status = "2";
                    $log->bind_param('sss', $email, $status, $ip);
                    $log->execute();
                    sleep(3);
                    header("Location: ../error?err=Password is not correct.");
                    return false;
                }
            }
        } else {
            // No user exists.
            sleep(2);
            header("Location: ../error?err=No user exists.");
            return false;
        }
    } else {
        // Note: exposing $mysqli->error to the browser leaks schema details; log it server-side in production.
        header("Location: ../error?err=DB fail: ".$mysqli->error);
        return false;
    }
}
protected.php
<?php
include_once 'connect.php';
include_once 'functions.php';
sec_session_start();
// $return = login_check($mysqli);
print_r(get_defined_vars());
// this outputs an empty $_SESSION array
exit;
The sec_session_start() function
function sec_session_start() {
    $session_name = 'sec_session_id';
    $secure = true;    // cookie is only sent back over HTTPS
    $httponly = true;  // cookie is not readable from JavaScript
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    session_name($session_name);
    session_start();
    session_regenerate_id();
}
I tried to see what happens if I just start a session with sec_session_start(), with the following result:
include_once 'connect.php';
include_once 'functions.php';
sec_session_start();
$_SESSION["test"] = "works!";
header('Location: protected.php');
print_r(get_defined_vars());
The output in protected.php is:
[_SESSION] => Array ( )
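Two facts about the code above are worth checking before anything else, and neither depends on the database. First, a cookie set with the Secure flag is never sent by the browser over plain http://, so if the test site is served over HTTP, every request arrives without the sec_session_id cookie and PHP starts a fresh, empty session each time; the redirect target then sees exactly the empty $_SESSION shown. Second, header("Location: ...") does not stop the script, so whatever follows it still executes. The following is an added example, not the original poster's code or the tutorial's: a session bootstrap that refuses to run in the broken configuration instead of failing silently, and a redirect helper that flushes the session before handing off. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()) and that HTTPS is detected from $_SERVER['HTTPS'] or port 443; behind a TLS-terminating proxy you would have to trust a forwarded-proto header instead.

```php
<?php
// Added example (not the original poster's code). Assumes PHP >= 7.3.

// Heuristic HTTPS detection; behind a reverse proxy that terminates TLS,
// replace this with a check of the proxy's forwarded-proto header (assumption).
function is_https(): bool {
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443);
}

function sec_session_start_checked(): void {
    $session_name = 'sec_session_id';

    // A Secure cookie is only returned by the browser over HTTPS. Setting the
    // flag while serving plain HTTP gives every request a new, empty session.
    // Fail loudly here rather than silently downgrading the cookie.
    if (!is_https()) {
        throw new RuntimeException(
            'sec_session_start requires HTTPS: a Secure session cookie is never sent back over http://'
        );
    }

    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

    $params = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $params['lifetime'],
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name($session_name);
    session_start();

    // Regenerate the ID once per session (and again at login), not on every
    // request: regenerating on every page load leaves a trail of session files
    // and makes concurrent requests race over which ID is current.
    if (empty($_SESSION['_initialized'])) {
        session_regenerate_id(true);
        $_SESSION['_initialized'] = true;
    }
}

// Persist the session before redirecting, then stop: nothing after a
// Location header should run, and a later header() call would override it.
function redirect(string $location): void {
    session_write_close();
    header('Location: ' . $location, true, 303);
    exit;
}

// Diagnostic for the symptom in the question: on every request after the
// first, the browser must present the session cookie. If this is false on
// protected.php, the cookie was set but not returned; check its flags.
function session_cookie_was_presented(): bool {
    return isset($_COOKIE[session_name()]);
}
```

In process_login.php the success branch becomes `redirect('protected.php');`, and protected.php calls `sec_session_start_checked()` before reading $_SESSION. The RuntimeException turns the silent empty-session behaviour into an error on the first request, which is where a practitioner wants to find out that the site is not actually being served over HTTPS.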
Answer 0 (score: 0)
This might help with many session problems. I've used PHP for years and love it, but it's quirky!

In this code -
page1.php
<?phpsession_start();?>
<?php
$_SESSION['roman']="kitty";
echo ('<a href="page2.php"> Go To Page 2</a>');
?>
page2.php
<?php session_start();?>
<?php
echo $_SESSION['roman'];
?>
Notice that there is no space in page 1's 'phpsession_start()', but I did use a space in page 2's 'php session_start()'.

With NO space in page2, the session variable was gone. With a space, it works fine. In page 1 it didn't matter whether there was a space or not. I have other scripts where it's the opposite: they only work without the space! So that's something to check.

Now many people may paste this code and have it work fine, or not work the way I describe, but that's the point: it's quirky!