我有我的网站使用cookie登录和注销,它似乎工作正常,但我相信有一些安全问题,我不知道。我希望任何意见或见解能够使这一点更加安全。网站登录和注销
登录:
if(isset($_REQUEST['email']) && isset($_REQUEST['password'])) {
if ($result = $usersqli->query("SELECT * FROM users WHERE email='".$usersqli->real_escape_string($_POST['email'])."' AND password='".$usersqli->real_escape_string($_POST['password'])."'")) {
if ($result->num_rows==1){
$row = $result->fetch_object();
$_SESSION["uid"]=$row->id;
setcookie('email', $usersqli->real_escape_string($_REQUEST['email']), time()+60*60*24*365,'/');
setcookie('password', md5($_REQUEST['password']), time()+60*60*24*365,'/');
$usersqli->query("UPDATE users SET last_login=NOW() WHERE email='".$usersqli->real_escape_string($_POST['email'])."' AND password='".$usersqli->real_escape_string($_POST['password'])."'");
header('Location: index.php') ;
}else{
header('Location: index.php?show=login&err=Invalid login credentials') ;
}
}
}
注销:
setcookie('email','', time() - 60000);
setcookie('password', '', time() - 60000);
session_destroy();
header("Location: index.php");
页眉每一页:
if(!$_SESSION[uid] && $_REQUEST[show]!='logout'){
if (isset($_COOKIE['email']) && isset($_COOKIE['password'])) {
if ($result = $usersqli->query("SELECT * FROM users WHERE email='".$usersqli->real_escape_string($_COOKIE['email'])."'")) {
if ($result->num_rows==1){
$row = $result->fetch_object();
if(md5($usersqli->real_escape_string($row->password))==$_COOKIE['password']){
$_SESSION["uid"]=$row->id;
}
}
}
}
}
当然,第一个问题是在用户没有启用cookie时使其工作。 – drdwilcox
或至少警告用户,他们需要启用cookie才能使用网站 – Aerik
呃...把密码放在你的cookie里听起来不是一个好主意,对于初学者 –