I am currently working on authorization using PHP + MySQL. I would like to ask about interesting solutions for secure authorization; maybe someone has their own interesting solutions and, if they don't mind, would "share" them. Thanks in advance!

    1 answer

    When authorizing, I add keys to the session:

```php
function auth($login, $pass)
{
    if ((isset($login)) && (isset($pass))) {
        // CheckWord(), hash_gen(), HaveNotResume() and add_log() are the author's own helpers, defined elsewhere
        if (!CheckWord($login)) return false;
        include("config.php");   // provides $config['prefix'] and $config['key']
        include("sql.php");      // provides the mysql_* connection $conn (the mysql extension was removed in PHP 7)
        $sql = "SELECT id, Name, access_level FROM " . $config['prefix'] . "users WHERE login='$login' and pass='" . hash_gen($pass) . "'";
        $st = false;
        $rs = mysql_query($sql, $conn);
        while ($row = mysql_fetch_array($rs)) {
            $st = true;
            $_SESSION['id'] = $row['id'];
            $_SESSION['access_level'] = $row['access_level'];
            $_SESSION['name'] = $row['Name'];
            // $_SESSION['SName'] = $row['SName'];
            $_SESSION['login'] = $login;
            // Generate the keys into the session!
            $_SESSION['key'] = base64_encode(pack("H*", sha1(utf8_encode($row['id'] . $login . $config['key']) . $_SERVER["REMOTE_ADDR"] . $_SERVER['HTTP_USER_AGENT'])));
            $_SESSION['auth'] = true;
            if (HaveNotResume()) $_SESSION['resume'] = true;
            else $_SESSION['resume'] = false;
            mysql_query("UPDATE " . $config['prefix'] . "users SET lastaccess=" . time() . " WHERE id='" . $row['id'] . "'", $conn);
        }
        return $st;
    }
}
```

    Then I check the data in the right place:

```php
function FireWall()
{
    include("config.php");   // provides $config['key']
    if ($_SESSION['auth']) {
        // Recompute the key from the session data and the current client and compare it with the stored one
        if ($_SESSION['key'] == base64_encode(pack("H*", sha1(utf8_encode($_SESSION['id'] . $_SESSION['login'] . $config['key']) . $_SERVER["REMOTE_ADDR"] . $_SERVER['HTTP_USER_AGENT'])))) {
            return true;
        } else {
            // Report a tampering attempt, i.e. add a LOG entry to the database!
            add_log(5);
            session_destroy();
            return false;
        }
    } else return false;
}
```
    • Why the downvote? This is a popular and reliable way to protect the session cookie: put a signature on it. Only it should be called "signing", not "adding keys". And it would be better not to use a bare sha1 but HMAC. And it would be better to explain the principle rather than dump a pile of clumsy code. - Ali
    • My way :) and then to your taste :) - Farkhod
    • @Ali, if inserting user data directly into the SQL query is still considered a reliable way, then of course the question "Why the downvote?" is relevant. ;) - Visman
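As an added example, not code from the answer or the commenters: the same session-binding check, with the two changes the comments ask for, an HMAC over a server secret instead of a bare sha1 (compared in constant time) and a prepared statement for the user lookup instead of string concatenation. The PDO connection `$pdo`, the `users` table with `id`, `login` and `pass` (a `password_hash()` value) and the secret `$secret` are assumed names, not from the original.

```php
<?php
// Assumed: $pdo is a PDO connection; table users(id, login, pass) where pass
// holds password_hash() output; $secret is a server-side key from config.

function sessionTag(int $id, string $login, string $secret): string
{
    // Bind the session to the user and the client's user agent. The answer
    // also mixes in REMOTE_ADDR; it is left out here because a client's
    // address can legitimately change mid-session (mobile networks, proxies),
    // which would log such users out. The secret stops a client that knows
    // the other inputs from computing the tag itself.
    $data = $id . '|' . $login . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_hmac('sha256', $data, $secret);
}

function auth(PDO $pdo, string $login, string $pass, string $secret): bool
{
    // Parameterised lookup: $login never becomes part of the SQL text.
    $st = $pdo->prepare('SELECT id, pass FROM users WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once the user is logged in
    $_SESSION['id']    = (int) $row['id'];
    $_SESSION['login'] = $login;
    $_SESSION['tag']   = sessionTag((int) $row['id'], $login, $secret);
    $_SESSION['auth']  = true;
    return true;
}

function fireWall(string $secret): bool
{
    if (empty($_SESSION['auth'])) {
        return false;
    }
    $expected = sessionTag((int) $_SESSION['id'], $_SESSION['login'], $secret);
    // hash_equals() avoids leaking the comparison result through timing.
    if (!hash_equals($expected, (string) ($_SESSION['tag'] ?? ''))) {
        // Mismatch: record it and drop the session, as the answer does with add_log(5).
        error_log('session tag mismatch for login ' . $_SESSION['login']);
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}
```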