Developing a complete, secure user login system in PHP
When programming in PHP I have a habit of not liking ready-made libraries such as PHPLib or similar packages, so for this system I intend to write my own library. It has to handle authentication, email confirmation, and account updates (password, email), among other things.
The system must be secure without adding load to my existing database, so the new system has to rely on cookies. This is a genuine dilemma: a cookie that holds only the user name is not secure at all, so that will not do, but because of the database load I also cannot simply hand out a random token and have my database look it up on every request.
The solution is to set two cookies at once: one holding the user name and one holding a hash. The hash is produced by running the user name concatenated with a super password (known only to the programmer) through md5(). Because md5() is one-way, the super password cannot be recovered from the hash. Note that this does not make the token unforgeable: anyone who learns the super password can mint a valid hash for any user name, and because nothing in the hash expires, a stolen cookie pair stays valid until the user name or the super password changes. When the user changes their email, I can likewise produce a hash from the new email and the super password so that the user can confirm the change. Strictly speaking this is a keyed-hash (message authentication code) scheme rather than a public/private key system: there is a single secret, and only the server holds it. Not clear yet? Don't worry, it is explained step by step below.
What makes this interesting is that the system scales almost without limit: its main work is computing md5(), which is done on the web server, so when load grows you can add web servers to share it. The authentication system will not drag the database down; whatever bottleneck eventually appears is the database's own.
Here are two functions from the library: token generation and token verification.
```php
<?php
$hidden_hash_var = 'your_secret_password_here';   // the "super password"; only the server knows it
$LOGGED_IN = null;                                // null = not checked yet on this request, then true/false
$feedback  = '';                                  // error messages collected for the caller

function user_isloggedin() {
    global $hidden_hash_var, $LOGGED_IN;

    // Has the hash already been checked on this request? If so, return that result.
    if ($LOGGED_IN !== null) {
        return $LOGGED_IN;
    }

    // Are both cookies present (and plain strings, not cookie arrays)?
    if (isset($_COOKIE['user_name'], $_COOKIE['id_hash'])
        && is_string($_COOKIE['user_name']) && is_string($_COOKIE['id_hash'])) {
        /*
         * Rebuild the hash from the user name in the cookie and the super password.
         * If it matches the hash in the cookie, the cookie values are trusted and
         * the user counts as logged in.
         */
        $hash = md5($_COOKIE['user_name'] . $hidden_hash_var);
        // hash_equals() avoids PHP's loose "==" on numeric-looking strings and compares in constant time
        if (hash_equals($hash, $_COOKIE['id_hash'])) {
            // Hashes match: remember it in a global so repeated calls skip the md5() work
            $LOGGED_IN = true;
            return true;
        }
        // Hashes differ: not logged in
        $LOGGED_IN = false;
        return false;
    }

    // One or both cookies missing: not logged in
    $LOGGED_IN = false;
    return false;
}

function user_set_tokens($user_name_in) {
    /*
     * Call this once the user name and password have been verified.
     */
    global $hidden_hash_var, $feedback;

    if (!$user_name_in) {
        $feedback .= ' ERROR - User Name Missing When Setting Tokens ';
        return false;
    }
    $user_name = strtolower($user_name_in);

    // Build the login hash from the user name and the super password
    $id_hash = md5($user_name . $hidden_hash_var);

    // Cookies valid for one month (2592000 s); any lifetime can be used
    setcookie('user_name', $user_name, time() + 2592000, '/', '', 0);
    setcookie('id_hash', $id_hash, time() + 2592000, '/', '', 0);
    return true;
}
?>
```
Now for another interesting piece of code: how can users change their email address safely? They may change it at any time, but the change must be confirmed.
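The email-change confirmation token described earlier, together with the login token from the listing, rebuilt as an added example. This is not the article's code or its library: it uses hash_hmac() instead of md5($user . $secret), adds an expiry field to both tokens so that a copied cookie or an old confirmation link stops working, and compares with hash_equals(). The secret, user names and addresses are made up for the demonstration; $secret stands in for the article's $hidden_hash_var.

```php
<?php
// Added example, not the article's code: the two-cookie login token and the
// email-change confirmation token rebuilt with HMAC-SHA256 and an expiry.
// $secret stands in for the article's $hidden_hash_var (assumed value below).
declare(strict_types=1);

// Join the fields that get authenticated with a separator that cannot appear in
// them, so "ab"+"c" and "a"+"bc" do not produce the same authenticated string.
function token_payload(array $fields): string {
    return implode("\x1f", $fields);
}

// Login token bound to the (lower-cased) user name and an expiry timestamp.
// HMAC replaces md5($user . $secret): the token is only forgeable with the secret,
// which "md5 is one-way" alone does not give you.
function issue_login_token(string $user, int $expires, string $secret): string {
    $user = strtolower($user);                       // same normalisation as the article
    return hash_hmac('sha256', token_payload(['login', $user, (string)$expires]), $secret);
}

// Check the three cookie values (user, expires, token) with an expiry check and a
// constant-time comparison. True only for a valid token that has not expired.
function verify_login_token(string $user, int $expires, string $token, string $secret, int $now): bool {
    if ($now >= $expires) {
        return false;                                // stale, even if the MAC would verify
    }
    $expected = issue_login_token($user, $expires, $secret);
    return hash_equals($expected, $token);
}

// Email-change confirmation: binds user, new address and a deadline, so a
// confirmation link issued for one address cannot be redirected to another.
function issue_email_token(string $user, string $newEmail, int $expires, string $secret): string {
    $payload = token_payload(['email', strtolower($user), strtolower($newEmail), (string)$expires]);
    return hash_hmac('sha256', $payload, $secret);
}

function verify_email_token(string $user, string $newEmail, int $expires, string $token, string $secret, int $now): bool {
    if ($now >= $expires) {
        return false;
    }
    return hash_equals(issue_email_token($user, $newEmail, $expires, $secret), $token);
}

// Demonstration with constructed values (assumed secret, user and addresses).
$secret  = 'replace-with-a-long-random-secret';
$now     = time();
$expires = $now + 2592000;                           // one month, as in the article

$token = issue_login_token('Alice', $expires, $secret);
var_dump(verify_login_token('alice', $expires, $token, $secret, $now));          // issued for this user
var_dump(verify_login_token('bob', $expires, $token, $secret, $now));            // checked as a different user
var_dump(verify_login_token('alice', $expires, $token, $secret, $expires + 1)); // checked after the expiry

$deadline = $now + 3600;                             // confirmation links live one hour
$confirm  = issue_email_token('alice', 'alice@example.com', $deadline, $secret);
var_dump(verify_email_token('alice', 'alice@example.com', $deadline, $confirm, $secret, $now));
var_dump(verify_email_token('alice', 'mallory@example.com', $deadline, $confirm, $secret, $now));

// The cookies would be set as in the article, with HttpOnly so page scripts cannot read them:
// setcookie('user_name', 'alice',           ['expires' => $expires, 'path' => '/', 'httponly' => true]);
// setcookie('expires',   (string)$expires,  ['expires' => $expires, 'path' => '/', 'httponly' => true]);
// setcookie('id_hash',   $token,            ['expires' => $expires, 'path' => '/', 'httponly' => true]);
```

Run it with the php command-line binary. Both tokens are still stateless, so the database load the article is concerned about does not change; what changes is that a copied cookie stops working after $expires, a confirmation link cannot be reused for a different address, and rotating $secret invalidates every outstanding token at once if it ever leaks.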
