Witam, proszę o opinię na temat skryptu logowania... Jak oceniacie jego bezpieczeństwo jako tylko i wyłącznie dostęp do pewnych danych na stronie przez jednego użytkownika, powiedzmy admina, bez ról itd.? Tylko nie bijcie :]
//Auth.php
<?php
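class Auth {
    /** @var PDO Database handle obtained from the Db singleton (Db.php). */
    private $_dbh;

    /**
     * Fetches the shared PDO connection.
     *
     * Expects the including script to have called session_start() already,
     * because getLogin()/is_login() read and write $_SESSION.
     */
    public function __construct() {
        $db = Db::getInstance();
        $this->_dbh = $db->getConnection();
    }

    /**
     * Verifies a username/password pair and marks the session as logged in.
     *
     * On success the session id is regenerated (old id discarded, so a
     * pre-login id planted by someone else is useless afterwards) and the
     * client's address and user agent are pinned to the session for is_login().
     *
     * @param mixed $user Raw username, expected string (e.g. from $_POST)
     * @param mixed $pass Raw password, expected string (e.g. from $_POST)
     * @return bool True when the credentials matched. The original returned
     *              nothing, so callers that ignore the result are unaffected.
     */
    public function getLogin($user, $pass): bool {
        // Only non-empty strings are acceptable; arrays (user[]=x) fail closed.
        // The original used empty(), which wrongly rejected the password "0".
        if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
            return false;
        }

        $sth = $this->_dbh->prepare('SELECT * FROM users WHERE user = :user');
        $sth->bindParam(':user', $user, PDO::PARAM_STR);
        $sth->execute();
        $result = $sth->fetch();

        // fetch() returns false for an unknown user; the original then indexed
        // false and passed null to password_verify (warning + deprecation).
        $knownUser = $result !== false && isset($result['pass']);

        // Unknown user: still run a bcrypt verification against a throw-away
        // hash so the response time does not reveal whether the account exists.
        // $knownUser is re-checked afterwards so the dummy hash can never match.
        $hash = $knownUser ? $result['pass'] : password_hash('dummy', PASSWORD_BCRYPT);
        $verified = password_verify($pass, $hash) && $knownUser;

        if (!$verified) {
            // Kept for compatibility; presentation really belongs in the caller.
            echo 'nie poprawne dane błąd!';
            return false;
        }

        // true also deletes the old session data instead of leaving it reusable.
        session_regenerate_id(true);
        $_SESSION['is_login']  = true;
        $_SESSION['user_ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
        $_SESSION['user_data'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
        return true;
    }

    /**
     * Reports whether the session holds an authenticated user whose address
     * and user agent still match the values recorded at login.
     *
     * Regenerating the id on every successful check is kept from the original;
     * be aware it can log users out when requests run concurrently (e.g. AJAX),
     * and the REMOTE_ADDR pin breaks for clients whose address changes (NAT,
     * mobile networks).
     */
    public function is_login(): bool {
        // `isset(...) === true` in the original tested isset's result, not the flag itself.
        if (($_SESSION['is_login'] ?? false) !== true) {
            return false;
        }
        if (!isset($_SESSION['user_ip'], $_SESSION['user_data'])) {
            return false;
        }

        $sameClient = ($_SERVER['REMOTE_ADDR'] ?? '') === $_SESSION['user_ip']
            && ($_SERVER['HTTP_USER_AGENT'] ?? '') === $_SESSION['user_data'];
        if (!$sameClient) {
            return false;
        }

        session_regenerate_id();
        return true;
    }
}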
?>
//Db.php
<?php
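class Db
{
    /** @var PDO|null */
    private $_connection;
    /** @var Db|null The single instance */
    private static $_instance;
    private $_host = 'localhost';
    // Not used: it is not part of the DSN, so PDO connects on the MySQL default port.
    // Kept so the class shape is unchanged; add ";port=..." to the DSN if it is meant to apply.
    private $_port = 8080;
    // NOTE(review): hard-coded root credentials with an empty password belong in a
    // config file outside the web root / source control, not in the class.
    private $_username = 'root';
    private $_password = '';
    private $_database = 'testmilion';

    /**
     * Get an instance of the Database.
     * @return Db
     */
    public static function getInstance()
    {
        if (!self::$_instance) { // If no instance then make one
            self::$_instance = new self();
        }
        return self::$_instance;
    }

    // Constructor: opens the PDO connection, or stops the script on failure.
    private function __construct()
    {
        // Charset set via the DSN rather than SET NAMES so the client library and PDO's
        // quoting agree on the encoding; utf8 matches the original SET NAMES utf8.
        $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8', $this->_host, $this->_database);
        try {
            $this->_connection = new PDO($dsn, $this->_username, $this->_password, [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
                // Server-side prepares keep bound values separate from the statement text.
                PDO::ATTR_EMULATE_PREPARES   => false,
            ]);
        } catch (PDOException $e) {
            // Record the real cause server-side; the original called getMessage() and
            // discarded the result. The visitor only ever sees the generic message.
            error_log('Db connection failed: ' . $e->getMessage());
            die('<h1 style="color:red">Bład-przepraszmy za niedogodności </h1>');
        }
    }

    // Magic method clone is empty to prevent duplication of connection
    private function __clone()
    {
    }

    // Get mysql pdo connection
    public function getConnection()
    {
        return $this->_connection;
    }
}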
?>
//index.php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<?php
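// NOTE(review): this block runs after the <head>/<body> markup above has been sent,
// so session_start() (and its Set-Cookie header) only works while output buffering is
// enabled in php.ini. Moving the PHP block above <!DOCTYPE html> removes that dependency.
session_start();
require_once 'Db.php';
require_once 'Auth.php';
$auth = new Auth();

// Attempt a login only when both fields were posted; Auth::getLogin rejects empty values.
if (isset($_POST['user'], $_POST['pass'])) {
    $auth->getLogin($_POST['user'], $_POST['pass']);
}

// is_login() is an instance method: the original `$auth::is_login()` static call is
// deprecated on PHP 7 and throws an Error on PHP 8.
if ($auth->is_login() === true) {
    echo 'zalogowany!!!!!!!!!!!!!!!!';
} else {
    echo 'nie zalogowany';
}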
?>
<div class="container-fluid ligh-bg2 table-1">
<div class="container table-cell height-100">
<div id="loginbox" class="mainbox col-lg-4 col-lg-offset-4 col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3 pd-zero">
<div class="panel panel-info " >
<div class="panel-heading">
<div class="panel-title">Panel logowania</div>
</div>
<div style="padding-top:30px" class="panel-body" >
<form id="loginform" class="form-horizontal" role="form" method="post">
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<input id="login-username" type="text" class="form-control" name="user" value="" placeholder="username or email">
</div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<input id="login-password" type="password" class="form-control" name="pass" placeholder="password">
</div>
<div style="margin-top:10px" class="form-group">
<!-- Button -->
<div class="col-sm-12 controls">
<input type="submit" class="blok-link line-height-20" value="zaloguj">
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<a class="blok-link" href="?action=logout" style="line-height: 100px">WYLOGUJ</a>
<?php
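// Compare the value itself: the original `isset(...) == 'logout'` compares a bool with a
// non-empty string and is true for ANY ?action=... value.
// Known limits kept from the original: this runs after the login status above was already
// printed (the page shows the old state once), the session cookie cannot be expired here
// because headers are already sent, and a plain GET link means any page can force a logout.
if (($_GET['action'] ?? '') === 'logout') {
    $_SESSION = [];
    session_unset();
    session_destroy();
}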
?>
</body>
</html>
W bazie, jak wiadomo, jest prosta tabela z kolumnami user i pass; hasła są w postaci bcrypt.