问题
I have a mysql table with userid, usernames and passwords and if the given password matches with the given username I create 3 cookies:
- userid
- username
- userpassword (md5) - I create this because I recheck the password and the username from the cookies when the user saves important settings (without asking the user to complete forms).
I'we heard that this is not secure and I should use a cookie only to store session id, and to store this data in sessions, but how would look the code for this?
And please explain the code, because I'm a beginner in PHP. Oh and I want to remember the users for a long period, I don't like websites where I need to login each time again. Please help me and explain me why is a method more secure than other?
Thanks!
Thanks for your answers! I need to compete my question: my website does not require higher security than a simple forum, so can somebody provide a code that has a only basic security level?
回答1:
First of all, when you say you're storing "passwords" in the database, please make sure you are storing encrypted passwords. If my password is "12345" and you're storing "12345" in your database, you've made it possible for somebody who gains access to your database to see everybody's passwords, and that's just horrifyingly bad.
So, at the very least, use a SHA1 or some other hash algorithm and store that in the database.
But on to your actual question, PHP has support for "sessions" built in, such that you don't need to worry about the low-level mechanics.
Call session_start(); at the top of your script (usually near the beginning of your configuration file or header file, or some other shared script that's included everywhere), and then you can store and retrieve information in the $_SESSION superglobal array.
So you might write:
$_SESSION['username'] = 'bob';
And then on some other page:
echo 'Hello, ' . $_SESSION['username'];
That session information will be available on any page where session_start(); has been run, and anything you put in $_SESSION is stored only on the server, so it's not possible for someone to see that information just by snooping through my browser cookies.
However, that does not mean that sessions are just inherently completely secure. Sessions work by storing a "session key" in a cookie, so my key might be "946433D47A824675DCB87AA372F31A7D9B255530F87A79264E416C253E9AB00E". Every time I visit a page, PHP retrieves all the $_SESSION data associated with that key, and makes it available to you.
But if someone discovers that key (again by, say, snooping through my browser cookies, or just "overhearing" a request I make to the server over an open Wi-Fi network), they could send the same key and PHP would gleefully give them access to my session.
If you only allow traffic over https this problem is largely mitigated, but it's still definitely worth understanding what's happening and how it might be exploited in situations where security matters.
回答2:
<?php
session_start();
$pwd=sha1($_POST['pwd']);
$login=$_post['username'];
$stmt = mysqli_prepare($con, "SELECT UID from LOGIN where userName=? and password=?");
mysqli_stmt_bind_param($stmt, "ss", $login,$pwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $uid);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
if (!is_null($uid))
$_SESSION['uid']=$uid;
?>
use SHA1, coz it is better than md5 and is faster too !
回答3:
using md5() function in php is not secure until and unless you are using ssl connection because this php function gets encrypted only after the form values reache to server. So the password you thought of encrypted gets transmitted in plain text format over the network.It is possible to intercept during the transmission, because form elements gets submitted in plain text format. To get rid of this security loophole, you can encrypt the password in the client level. such as using JavaScript. Such JavaScript codes are readily available in the internet like http://phpjs.org/functions/md5:469
To make it more secure you can apply md5 in client level for few times, like 2 times.
来源:https://stackoverflow.com/questions/5764359/how-to-create-a-secure-login-system-using-cookies-and-sessions