设置 cookie 来保存登录详细信息 PHP
我有一个典型的登录名(用户名、密码),并且还想包含一个“保存我的详细信息”复选框。登录表单将其值发布到login_script.php,如果登录成功,用户将被重定向到站点的主页。
我想使用此方法来保存登录详细信息
//Remember Me Function
if(isset($_POST['remember_me'])){
// Set a cookie that expires in 24 hours
setcookie("username",$username, time()+3600*24);
setcookie("password",$password, time()+3600*24);
}
现在据我了解, setcookie("username",$username, time()+3600*24);
必须设置在顶部在执行任何其他代码之前的 PHP 页面。
我的问题是,除非用户成功登录,否则我不想设置 cookie。但是,由于在登录测试后在脚本中间调用了设置 cookie 函数,因此它将不起作用。
有什么想法吗? 干杯。
I have a typical login (username, password) and also want to include a 'save my details' check box. The login form Posts its values to login_script.php and if the login is successful, the user is redirected to the main page of the site.
I'm tying to use this method to save the login details
//Remember Me Function
if(isset($_POST['remember_me'])){
// Set a cookie that expires in 24 hours
setcookie("username",$username, time()+3600*24);
setcookie("password",$password, time()+3600*24);
}
Now from what I understand, setcookie("username",$username, time()+3600*24);
must be set at the top of the PHP page before any other code is executed.
My issue is that I do not want to set the cookie unless the user has successfully logged in. However due to the set cookie function being called in the middle of the script after the login test, it will not work.
Any ideas?
Cheers.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
首先:不要将密码保存在 cookie 中!从安全角度来看,这是一个非常糟糕的主意。
至于你的问题:没有办法解决它,在设置 cookie 之前你不需要有任何输出。有两种方法可以实现此目的:
解决方案 1:登录页面始终重定向
让您的登录请求转到设置 cookie 的脚本(如果登录成功),然后始终 将用户重定向到另一个页面(例如欢迎屏幕,或者如果不成功则返回到登录页面)。登录脚本不会发出任何输出,因此您可以在重定向之前设置 cookie。
解决方案 2:输出缓冲
启动输出缓冲 在脚本的开头。检查登录成功后,首先设置 cookie,然后使用类似
ob_end_flush
。我个人认为解决方案#1 更优雅,功能更优越。
First of all: do not save passwords in a cookie! This is a very bad idea security-wise.
As for your problem: there is no way around it, you need to have no output at all before setting your cookie. There are two ways to achieve this:
Solution 1: the login page always redirects
Have your login requests go to a script which sets a cookie (if the login was successful) and then always redirects the user to another page (e.g. a welcome screen, or back to the login page if unsuccessful). The login script will not emit any output, therefore you can set cookies before redirecting.
Solution 2: output buffering
Start output buffering at the beginning of your script. After the check for successful login, set the cookie first and then stop output buffering with something like
ob_end_flush
.Personally I consider solution #1 to be more elegant and superior in function.
将密码存储在用户有权访问的地方(在客户端)是一种非常糟糕的做法。更糟糕的是,您在存储密码时没有对密码进行哈希或加密(客户端可以看到密码!)
一个好的安全策略并不是永远不允许任何人看到实际的密码。除非代码正在使用它。
您可以这样做:
或者您也可以对
但我总是推荐前者,因为它更容易实现,并且会话处理是由 PHP 完成的(除非您覆盖会话处理)
It's a very bad practice to store password in somewhere users have access (on the client side). Worse still, you did not hash or encrypt the password when storing the password (clients can see the password!)
A good security policy is not never allow anyone to see the actual password. Except when the code is working with it.
You can do this instead:
Or you can instead
But I always recommend the former because it's easier to implement and the session handling is done by PHP (unless you're overriding the session handling)