设置 cookie 以保存登录详细信息 PHP
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4486177/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Set a cookie to save login details PHP
提问by Samuel Meddows
I have a typical login (username, password) and also want to include a 'save my details' check box. The login form Posts its values to login_script.php and if the login is successful, the user is redirected to the main page of the site.
我有一个典型的登录名(用户名、密码),还想包括一个“保存我的详细信息”复选框。登录表单将其值发布到 login_script.php,如果登录成功,用户将被重定向到站点的主页。
I'm tying to use this method to save the login details
我想使用这种方法来保存登录详细信息
//Remember Me Function
if(isset($_POST['remember_me'])){
// Set a cookie that expires in 24 hours
setcookie("username",$username, time()+3600*24);
setcookie("password",$password, time()+3600*24);
}
Now from what I understand, setcookie("username",$username, time()+3600*24);must be set at the top of the PHP page before any other code is executed.
现在据我所知,setcookie("username",$username, time()+3600*24);必须在执行任何其他代码之前设置在 PHP 页面的顶部。
My issue is that I do not want to set the cookie unless the user has successfully logged in. However due to the set cookie function being called in the middle of the script after the login test, it will not work.
我的问题是,除非用户成功登录,否则我不想设置 cookie。但是由于在登录测试后脚本中间调用了 set cookie 函数,因此它不起作用。
Any ideas? Cheers.
有任何想法吗?干杯。
回答by Jon
First of all: do not save passwords in a cookie!This is a very bad idea security-wise.
首先:不要将密码保存在 cookie 中!在安全方面,这是一个非常糟糕的主意。
As for your problem: there is no way around it, you need to have no output at all before setting your cookie. There are two ways to achieve this:
至于你的问题:没有办法解决它,在设置cookie之前你根本不需要输出。有两种方法可以实现这一点:
Solution 1: the login page always redirects
解决方案1:登录页面总是重定向
Have your login requests go to a script which sets a cookie (if the login was successful) and then alwaysredirects the user to another page (e.g. a welcome screen, or back to the login page if unsuccessful). The login script will not emit any output, therefore you can set cookies before redirecting.
让您的登录请求转到设置 cookie 的脚本(如果登录成功),然后总是将用户重定向到另一个页面(例如,欢迎屏幕,或者如果不成功则返回登录页面)。登录脚本不会发出任何输出,因此您可以在重定向之前设置 cookie。
Solution 2: output buffering
解决方案2:输出缓冲
Start output bufferingat the beginning of your script. After the check for successful login, set the cookie firstand then stop output buffering with something like ob_end_flush.
在脚本开头开始输出缓冲。检查成功登录后,首先设置 cookie ,然后使用类似ob_end_flush.
Personally I consider solution #1 to be more elegant and superior in function.
我个人认为解决方案#1 在功能上更加优雅和优越。
回答by mauris
It's a very bad practice to store password in somewhere users have access (on the client side). Worse still, you did not hash or encrypt the password when storing the password (clients can see the password!)
将密码存储在用户有权访问的地方(在客户端)是一种非常糟糕的做法。更糟糕的是,您在存储密码时没有对密码进行散列或加密(客户端可以看到密码!)
A good security policy is not never allow anyone to see the actual password. Except when the code is working with it.
一个好的安全策略不是永远不允许任何人看到实际的密码。除非代码正在使用它。
You can do this instead:
你可以这样做:
- Store the password in the session
- Extend the session expiry to a longer time
- 将密码存储在会话中
- 延长会话到期时间
Or you can instead
或者你可以代替
- hash and encrypt the password
- store the login information to a file on the server
- give the file a unique name
- store the name to a cookie
- each time you receive the cookie with the correct file name, look up the file and retrieve the login information.
- 散列并加密密码
- 将登录信息存储到服务器上的文件中
- 给文件一个唯一的名字
- 将名称存储到 cookie
- 每次您收到具有正确文件名的 cookie 时,请查找该文件并检索登录信息。
But I always recommend the former because it's easier to implement and the session handling is done by PHP (unless you're overriding the session handling)
但我总是推荐前者,因为它更容易实现并且会话处理由 PHP 完成(除非您覆盖会话处理)
