-2
我正在爲一個個人項目工作,在那裏我正在開發一個簡單的登錄系統,它具有簡單的授權方法,如is_logged_in,登錄,註冊和註銷。如何使登錄會話更安全?
我想知道如何讓我的登錄系統安全免於劫持,中間人和修復?
這裏是我的代碼:
class Auth extends Session
{
public $ip_address;
public $timestamp;
public $user_agent;
public function __construct()
{
$this->ip_address = $_SERVER['REMOTE_ADDR'];
$this->user_agent = $_SERVER['HTTP_USER_AGENT'];
$this->timestamp = date('Y-m-d H:i:s');
}
public function login($table = 'users',$username,$password,$username_column = 'username',$password_column = 'password')
{
if(!isset($username,$password))
{
return FALSE;
} else {
$username = mysql_real_escape_string($username);
$password = md5(strip_tags($password));
$query = "SELECT * FROM $table WHERE $username_column='$username' AND $password_column='$password'";
if(mysql_num_rows($query) != 0)
{
$session_vars = array(
'session_id' => session_id(),
'username' => stripcslashes($username),
'ip_address' => $this->ip_address,
'user_agent' => $this->user_agent,
'timestamp' => $this->timestamp
);
$this->set_array($session_vars);
$session_query = "INSERT INTO sessions(session_id,username,ip_address,user_agent,timestamp)";
$session_query .= "VALUES('".implode(",'",$session_vars)."')";
mysql_query($session_query) or die(mysql_error());
return TRUE;
}else{
return FALSE;
}
}
}
您可以開始通過[salting your passwords]使其更安全(http://crackstation.net/hashing-security.htm) – 2012-07-10 15:38:04
使用SSL/TLS進行登錄和後續請求以阻止MITM,更改會話ID登錄和格雷格說,鹽你的密碼,不要使用md5來存儲它們。 https://www.owasp.org/index.php/Cheat_Sheets – drew010 2012-07-10 15:38:44