常见的登录方案
- 用户名、密码表单提交
- 有效Session
- 记住我(remember me)
登录机制
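// Three ways a request can be authenticated, tried in this order:
//   1. an existing PHP session that already carries a logged-in user
//   2. a "remember me" cookie of the form  user_id:token:hash
//   3. a freshly submitted login form
// The cookie and form paths write the user into $_SESSION; the session
// path only mirrors $_SESSION back onto this object.  Runs from the
// constructor (see the comment on the session branch).
if (!empty($_SESSION['user_name']) && ($_SESSION['user_logged_in'] == 1)) {
    // login with session
    $this->user_name = $_SESSION['user_name'];
    $this->user_email = $_SESSION['user_email'];
    // set logged in status to true, because we just checked for this:
    // !empty($_SESSION['user_name']) && ($_SESSION['user_logged_in'] == 1)
    // when we called this method (in the constructor)
    $this->user_is_logged_in = true;
} else if (isset($_COOKIE['rememberme'])) {
    // login with cookie; expected layout is "user_id:token:hash"
    $cookie_parts = explode(':', $_COOKIE['rememberme']);
    // A malformed cookie (wrong number of fields) is silently ignored.
    // The previous list() = explode() assignment raised "undefined offset"
    // notices on a short cookie instead of rejecting it.
    if (count($cookie_parts) === 3) {
        list ($user_id, $token, $hash) = $cookie_parts;
        // Recompute the signature from the cookie's own payload plus the
        // server-side secret (COOKIE_SECRET_KEY must never leave the server).
        // NOTE(review): hash_hmac('sha256', $payload, COOKIE_SECRET_KEY) is
        // the conventional construction; kept as-is so cookies already issued
        // by the line below stay valid.
        $expected_hash = hash('sha256', $user_id . ':' . $token . COOKIE_SECRET_KEY);
        // hash_equals() compares in constant time and, unlike ==, never falls
        // into PHP's numeric-string coercion ("0e123" == "0" is true).
        if (!empty($token) && hash_equals($expected_hash, $hash)) {
            //$exist = Query DB => "user_id", "user_rememberme_token"
            // The lookup must match BOTH user_id and the token: a valid
            // signature only proves the cookie is ours, the DB row proves the
            // token has not been rotated or revoked since.
            if (!empty($exist)) {
                // Issue a fresh session id before promoting the session to
                // "logged in" so an id the browser presented while anonymous
                // cannot be reused (session fixation).
                session_regenerate_id(true);
                $_SESSION['user_id'] = $exist->user_id;
                $_SESSION['user_name'] = $exist->user_name;
                $_SESSION['user_email'] = $exist->user_email;
                $_SESSION['user_logged_in'] = 1;
                //create new Remember Me Cookie
                // Rotate the token: the one just presented is single-use.
                // random_bytes() is a CSPRNG (PHP >= 7.0); the previous
                // hash('sha256', mt_rand()) had only ~31 bits of predictable
                // entropy behind its 64 hex chars.
                $random_token_string = bin2hex(random_bytes(32)); // 64 hex chars
                $sth = $this->db_connection->prepare("UPDATE users SET user_rememberme_token = :user_rememberme_token WHERE user_id = :user_id");
                $sth->execute(array(':user_rememberme_token' => $random_token_string, ':user_id' => $_SESSION['user_id']));
                //generate cookie string that consists of userid, randomstring and combined hash of both
                $cookie_string_first_part = $_SESSION['user_id'] . ':' . $random_token_string;
                $cookie_string_hash = hash('sha256', $cookie_string_first_part . COOKIE_SECRET_KEY);//COOKIE_SECRET_KEY 私钥
                $cookie_string = $cookie_string_first_part . ':' . $cookie_string_hash;
                //set cookie
                // HttpOnly keeps the token out of reach of page scripts; Secure is
                // set whenever this request arrived over TLS so the token is not
                // replayed over plain HTTP.  Both were previously left at the
                // setcookie() defaults (off).
                $is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
                setcookie('rememberme', $cookie_string, time() + 86400, "/", COOKIE_DOMAIN, $is_https, true);//COOKIE_DOMAIN 域名
            }
        }
    }
} else if (isset($_POST["login"])) {
    //if user just submitted a login form
    if (!isset($_POST['user_rememberme'])) {
        $_POST['user_rememberme'] = null;
    }
    // if this user not exists
    // $result_row = QUERY DB
    // ($user_name / $user_password are assumed to have been read from the form
    //  before this point — not visible in this excerpt)
    if (! isset($result_row->user_id)) {
        // Same generic message as a wrong password, so the response does not
        // reveal whether the account exists.
        $this->errors[] = MESSAGE_LOGIN_FAILED;
    } else if (($result_row->user_failed_logins >= 3) && ($result_row->user_last_failed_login > (time() - 30))) {
        // brute-force throttle: 3 failures lock the account for 30 seconds
        $this->errors[] = MESSAGE_PASSWORD_WRONG_3_TIMES;
        // using PHP 5.5's password_verify() function to check if the provided passwords fits to the hash of that user's password
    } else if (! password_verify($user_password, $result_row->user_password_hash)) {
        // increment the failed login counter for that user
        $sth = $this->db_connection->prepare('UPDATE users '
            . 'SET user_failed_logins = user_failed_logins+1, user_last_failed_login = :user_last_failed_login '
            . 'WHERE user_name = :user_name OR user_email = :user_name');
        $sth->execute(array(':user_name' => $user_name, ':user_last_failed_login' => time()));
        $this->errors[] = MESSAGE_PASSWORD_WRONG;
    } else if ((int) $result_row->user_active !== 1) {
        // has the user activated their account with the verification email
        // (cast because PDO may return the column as the string "1")
        $this->errors[] = MESSAGE_ACCOUNT_NOT_ACTIVATED;
    } else {
        // Fresh session id on privilege change — see the cookie branch.
        session_regenerate_id(true);
        // write user data into PHP SESSION [a file on your server]
        $_SESSION['user_id'] = $result_row->user_id;
        $_SESSION['user_name'] = $result_row->user_name;
        $_SESSION['user_email'] = $result_row->user_email;
        $_SESSION['user_logged_in'] = 1;
        // reset the failed login counter for that user
        $sth = $this->db_connection->prepare('UPDATE users '
            . 'SET user_failed_logins = 0, user_last_failed_login = NULL '
            . 'WHERE user_id = :user_id AND user_failed_logins != 0');
        $sth->execute(array(':user_id' => $result_row->user_id));
    }
}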