The EE Collaborative Login System - Implementation

Preface

This is the third article about the EE Collaborative Login Project. A Better Website Login System introduces the Login System and shows how to implement a login page. The EE Collaborative Login System Part Two - Design Considerations discusses design considerations and security features.

This article will discuss implementation details. Before we get started, note that the people who worked on this project took great care to remove vulnerabilities from the Login System code.

For it to actually remain secure, you have to remove any vulnerabilities in your site as well. One XSS vulnerability may allow a malicious person to gather the secure session id from one of your legitimate users and hijack that user's account. The Login System's library files give you proven tools to help prevent vulnerabilities in your site.

Introduction

介绍

There are several steps to set up the Login System on your website:

1. You must set up a database for the Login System tables.

2. You must download the correct code for your environment.

3. You must copy the files to your website.

4. You must configure the system using the global configuration file.

5. You must replace the example pages with your web pages, incorporating the Login System include files.

1. Database Setup

At the project's Google Code project home you will find an MS Access database file and SQL scripts to setup either an MS SQL Server database or MySQL database.

在该项目的Google Code项目主页上,您将找到一个MS Access数据库文件和SQL脚本来设置MS SQL Server数据库或MySQL数据库。

MS Access and MS SQL Server only run on MS Windows systems. MySQL runs on MS Windows and many other operating systems.

The ASP code can use all three databases. The PHP code can only use the MySQL database as of this code release (alpha 0.1, 20 APR 2010). PHP on Windows can use MS Access and MS SQL Server, but no database access code has been written for PHP on Windows using those databases.

MS Access

MS Access

The file must be copied to a directory on your web server. That directory should have no other files, except MS Access database files. The permissions on the database file should be as follows:

该文件必须复制到Web服务器上的目录中。 该目录应该没有其他文件,MS Access数据库文件除外。 数据库文件的权限应如下所示:

Note that special permissions is checked. I believe that is inherited permissions.

请注意,将检查特殊权限。 我相信是继承的权限。

To simplify generating the connection string for the file, you can temporarily add the code below as conntest.asp and load it in your browser.

为了简化为文件生成连接字符串的过程,您可以将下面的代码临时添加为conntest.asp并将其加载到浏览器中。

conntest.asp (the Data Source path is the author's example; it must point at the directory you copied the .mdb file into):

<%
' Jet/OLE DB connection string for the MS Access file; Response.Write shows it in the browser
CONNECTION_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source='c:\inetpub\wwwroot\login-system\database\login_system.mdb'"
Response.Write Server.HTMLEncode(CONNECTION_STRING)
' Delete conntest.asp once you have noted the string: it discloses the server path
%>

Expected output when the page is loaded in the browser:

Connected to database
Opened Database Okay
1 1
Connections

The output from the file should be similar to the above and gives you the connection string to the database. You will need that connection string when configuring the global configuration file.

文件的输出应与上面的输出相似,并为您提供与数据库的连接字符串。 配置全局配置文件时,将需要该连接字符串。

MS SQL

MS SQL

Download the SQL script. Open the script in a text editor, copy it, and paste it into the query window of your MS SQL Server query tool. As various ISPs use different MS SQL Server administration tools, I have no screen shots to provide. Should you need help with your specific MS SQL Server administration tool, just post a question in one of the MS SQL Server zones here at Experts-Exchange.

Executing the script will create the database. You will get the database connection string details from your ISP or Server Administrator. It should be similar to:

执行脚本将创建数据库。 您将从ISP或服务器管理员那里获得数据库连接字符串的详细信息。 它应该类似于:

"Provider=SQLOLEDB; Server=servername\instance,1433; UID=webuser; PWD=password; Database=loginproject"

In your database administration program (or by request to your ISP), set up a website user account for the MS SQL database with the db_datareader and db_datawriter permissions. Do not run the Login System using the database administrator account!

MySQL

MySQL

Download the SQL script for MySQL. Open the script in a text editor, copy it, and paste it into your SQL query tool. Most ISPs and many in-house servers run phpMyAdmin. From the left column, upper row of icons, choose the SQL icon, which opens the SQL query dialog. Paste the SQL script into the window and press the "GO" button to create the database.

After creating the database, add a user to the database with Read, Write, Insert, and Delete permissions. Many times you can do this in phpMyAdmin. Some ISPs (including the host for this project) disable that functionality and provide alternative methods for creating database users. Do not run the Login System using the database administrator account!
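
As an added example (not part of the original article or of the project's SQL scripts), the following creates the restricted website account described in the MS SQL and MySQL steps above; run only the section for your server. The database name loginproject and user name webuser follow the example connection string above, the password and the MySQL host are placeholders, and the tables themselves come from the project's own script.

```sql
-- ===== MS SQL Server: run in your SQL Server query tool as an administrator =====
-- Server-level login for the web site (placeholder password: replace it).
CREATE LOGIN webuser WITH PASSWORD = 'REPLACE_WITH_A_STRONG_PASSWORD';

USE loginproject;   -- the database created by the project's script (name assumed)

-- Database user mapped to the login, granted the read and write data roles only.
-- It deliberately gets no db_owner / db_ddladmin membership, so an injection
-- flaw elsewhere in the site cannot drop or alter the Login System tables.
CREATE USER webuser FOR LOGIN webuser;
EXEC sp_addrolemember 'db_datareader', 'webuser';
EXEC sp_addrolemember 'db_datawriter', 'webuser';

-- Check: the only roles listed for webuser should be db_datareader and db_datawriter.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'webuser';


-- ===== MySQL: run in phpMyAdmin's SQL dialog as an administrator =====
-- Read, Write (UPDATE), Insert and Delete on the Login System's database only;
-- no DDL, FILE or GRANT OPTION. The host 'localhost' assumes the web server and
-- MySQL share a machine; use the web server's host name otherwise.
CREATE USER 'webuser'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON loginproject.* TO 'webuser'@'localhost';
FLUSH PRIVILEGES;

-- Check: the output should show only USAGE on *.* and the four grants above.
SHOW GRANTS FOR 'webuser'@'localhost';
```

The password you choose here is the PWD (or PHP database.php) value for step 4; it is the only credential the web site needs to hold.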

2. Obtain the Code

Go to the Login System's Google Code project home and select the download tab.

转到登录系统的Google Code项目主页,然后选择下载标签。

Download the code package for your system in the language of your choice. Open the .zip package and unzip the contents to your local system. Leave the file structure intact.

以您选择的语言下载系统的代码包。 打开.zip程序包,然后将内容解压缩到本地系统。 保持文件结构完整。

Note the files in the "login-system" (top level) folder. As we will see below, these are simply example files. They contain bare-bones skeleton markup with the necessary include files to make the page function, as well as the code and markup to make sure the page is served as UTF-8, which is necessary for most world languages other than English. You will be changing these files to match your web site.

Now note the files in the login-system\include folder. These files are the code and library files that operate the Login System. You will not modify these files other than the loginGlobals configuration file (and the database file in PHP installations).* Notice that the library file for a page has a hyphen in its name, e.g. change-password.asp. The actual Change Password page in the parent folder uses an underscore, e.g. change_password.asp, to help distinguish between files that otherwise share a name.

* In special circumstances you might make a small change to a markup file, such as the login file, if you were removing the Remember Me checkbox and related text. These changes are for advanced users. In these cases, getting help in a question at Experts-Exchange from an expert experienced with the Login System is suggested.

3. Upload the Files to the Web Server

FTP the files to your web server. I suggest you place the login-system folder in the web root folder. While you are free to put the files anywhere on your server and you can use the loginGlobals configuration file to move the folder and files to various locations, this will complicate any future upgrades. It will be much simpler to maintain if you keep the file structure intact.

通过FTP将文件传输到Web服务器。 我建议您将登录系统文件夹放在Web根文件夹中。 尽管您可以自由地将文件放置在服务器上的任何位置,并且可以使用loginGlobals配置文件将文件夹和文件移动到各个位置,但这会使将来的升级复杂化。 如果保持文件结构不变,则维护起来会容易得多。

4. Configure the System Using the Global Configuration File

You need to be careful here. You are going to configure your system by editing the loginGlobals file. For most languages this file must be saved as a UTF-8 file. Make sure your editor of choice can properly save UTF-8 files. For Windows users, DO NOT use Notepad or Wordpad. Visual Studio or PSPAD++ (freeware) can properly save UTF-8 files. Notepad says it can save a UTF-8 file, but it does not work properly. For users of other operating systems, you will want to open a copy of loginGlobals, make a few changes, save the changed file and re-open it to ensure the characters are unchanged.

The settings you will configure are the following.

The domain, set in the constant lg_domain (and lg_domain_secure). The second constant is primarily intended for persons using a shared SSL certificate which may have a different domain name than the main site's domain.

域,在常量lg_domain(和lg_domain_secure)中设置。 第二个常量主要供使用共享SSL证书的人员使用,该SSL证书的域名可能与主站点的域不同。

The webmaster e-mail address, set in lg_webmaster_email and lg_webmaster_email_link.

网站管理员的电子邮件地址,在lg_webmaster_email和lg_webmaster_email_link中设置。

The path to the Login System files. Usually you would leave that as "/login-system/" but an advanced user may wish to relocate those files.

登录系统文件的路径。 通常,您将其保留为“ / login-system /”,但是高级用户可能希望重定位这些文件。

The full paths and names of the home page, the contact page, the form_error page and the forbidden page. These need not, and probably will not, be in the /login-system/ directory.

主页,联系页面,form_error页面和禁止页面的完整路径和名称。 这些不需要也可能不在/ login-system /目录中。

The database configuration details you collected in step 1 (host or path, database catalog, user id and password). These are in the loginGlobals page for ASP code and in the database.php file for PHP code.

The settings for SSL, debugging, and logging of logins. As delivered, lg_useSSL and lg_debug are set to false. Assuming you have an SSL certificate, you would change lg_useSSL to true and leave lg_debug set to false. Setting lg_debug to true would reveal very sensitive data not meant for the public's viewing. It should only be enabled if you were asked to do so by an expert assisting you with a problem.

Lastly, lg_log_logins is set to true. This is important so you have an audit trail of activity (as well as the entries in the loginAttempts table.) It is suggested you leave that constant set to true.

最后,将lg_log_logins设置为true。 这一点很重要,因此您需要进行活动的审核跟踪(以及loginAttempts表中的条目。)建议您将该常数设置为true。

5. Replace the Example Pages with Your Web Pages

Above you un-zipped the packaged files. It was noted that the files in the "login-system" (top level) folder were examples to be replaced by your web pages. There is code in the example files that you will need to include in your replacement page. You will need to keep the file names the same.

If you recall from Article 1, you will need to identify the "common content area" of your typical web page. It is likely that most, if not all, pages share a similar style or "template." You will likely have a page banner, a common navigation menu, and possibly a footer with links to such pages as Copyright, Privacy Policy and Terms of Use. There may be other shared content on your pages, but there is on each page a "common content area."

An examination of the source code for the page shows (abbreviated) the following general markup structure. It is important to note the area above the <!DOCTYPE...> declaration (marked WILL INCLUDE SOME FILES HERE) and the area where the main content would appear (marked WILL INCLUDE MARKUP HERE).

WILL INCLUDE SOME FILES HERE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>HTML &amp; DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
<div id="nav">
  <div id="content">
    <div><a name="main_content"></a>
WILL INCLUDE MARKUP HERE</div>
  </div> <!--content-->
</div> <!--nav-->
  <div id="right">...</div>
</div> <!--middle-->

</body>
</html>

Since we made a PHP login.php page in Article 1, we will make an ASP change_password.asp page in this example. The example page is as follows.

<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" --> 
<% 
Option Explicit 
Session.CodePage=65001 
Response.Charset="UTF-8" 
%> 
<!--#include file="include/loginGlobals.asp"--> 
<!--#include file="include/hashSHA1.asp"--> 
<!--#include file="include/form_token.asp"--> 
<!--#include file="include/generalPurpose.asp"--> 
<!--#include file="include/paramSQL.asp"--> 
<!--#include file="include/CDOMailInclude.asp"--> 
<!--#include file="include/change-password.asp"--> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 
<head> 
<title><%=lg_term_change_password%></title> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<meta http-equiv="content-language" content="en-US" /> 
<meta name="language" content="en-US" /> 
<meta name="author" content="Roderick Divilbiss" /> 
<meta name="copyright" content="&copy; 2010 EE Collaborative Login Project http://www.webloginproject.com" /> 
<style type="text/css"> 
#details { font-family:Courier New; font-size:10pt; border:1px solid #000000; padding:10px; background-color:#FFE2C6; } 
#message { font-size:10pt; padding:10px; background-color:#FFFFCC; border:1px solid #000000; } 
#warning { font-size:10pt; font-weight:bold; padding:10px; background-color:#FFFFCC; color:#FF0000; border:1px solid #FF0000; } 
</style> 
</head> 

<body> 
<!--#include file="include/change-password-markup.asp"--> 
</body> 
</html>

The first line:

<!--METADATA TYPE="typelib" ...uuid=... -->

is the type library for Microsoft's database abstraction object, ADO (Active Data Object), which is used to access the databases.

The next three lines state we will explicitly declare variables, use the UTF-8 codepage, and use the UTF-8 character set. After these three lines, you may add any ASP code you might need to make your page operate properly.

接下来的三行指出,我们将明确声明变量,使用UTF-8代码页,并使用UTF-8字符集。 在这三行之后,您可以添加使页面正常运行所需的任何ASP代码。

Following the small block of ASP code (larger if your page needs its own ASP code) we have several included code and library files:

1.   The loginGlobals configuration file (loginGlobals.asp).

2.   A library to perform SHA1 hashing, as ASP does not have that function (hashSHA1.asp).

3.   The code for the anti-CSRF token, both writing and checking the token (form_token.asp).

4.   A general purpose library file: input filtering, generating GUIDs, and verifying that a file exists in the web (generalPurpose.asp).

5.   A library to abstract SQL commands (paramSQL.asp).

6.   A library to encapsulate sending email via CDO.SYS (CDOMailInclude.asp).

7.   The code for the change_password.asp page (change-password.asp). Remember the code file has a hyphen in its name, not an underscore.

Merging those lines and the markup include into the site template shown earlier gives the following change_password.asp page (abbreviated).

<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Option Explicit
Session.CodePage=65001
Response.Charset="UTF-8"
%>
<!--#include file="include/loginGlobals.asp"-->
<!--#include file="include/hashSHA1.asp"-->
<!--#include file="include/form_token.asp"-->
<!--#include file="include/generalPurpose.asp"-->
<!--#include file="include/paramSQL.asp"-->
<!--#include file="include/CDOMailInclude.asp"-->
<!--#include file="include/change-password.asp"-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>HTML &amp; DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
<div id="nav">
  <div id="content"><!--#include file="include/change-password-markup.asp"--></div> <!--content-->
</div> <!--nav-->
  <div id="right">...</div>
</div> <!--middle-->

</body>
</html>

You now have a change_password.asp page.

您现在有了一个change_password.asp页。

Summary

摘要

In Article 1 I introduced the Login System and demonstrated how to create the login page, very nearly "Plug and Play." In Article 2 I explained the design considerations and security measures taken to avoid XSS, CSRF, SQL Injection, and Session Fixation vulnerabilities, which according to MITRE, SANS and OWASP still plague websites.

In this article I discussed how to set up your database, obtain the correct code for your environment, copy the files to your website, configure the system using the global configuration file, and merge the code from the example pages into your web pages.

在本文中,我讨论了如何设置数据库,获取适合您环境的正确代码,将文件复制到您的网站,使用全局配置文件配置系统以及将示例页面中的代码合并到您的Web页面中。

You have a good start on having a secure and robust authentication and authorization system. You still have more pages to merge, but it is just cut and paste.

您拥有安全可靠的身份验证和授权系统的良好开端。 您仍然有更多页面要合并,但这只是剪切和粘贴。

As mentioned at the beginning of this article, you can use the library files from this project in other places in your web site. For example, if you already have a database and are executing dynamic queries on unfiltered form data, you now have the tools to lock those potential vulnerabilities out of your web site. And you might as well add an anti-CSRF token to that form while you're at it.

如本文开头所述,您可以在网站的其他位置使用此项目中的库文件。 例如,如果您已经有一个数据库并且正在对未经过滤的表单数据执行动态查询,那么您现在可以使用这些工具将这些潜在的漏洞锁定在您的网站之外。 您也可以在该表单上向该表单添加反CSRF令牌。

I hope you are able to put this Login System to good use on your site.

我希望您能够在您的站点上充分利用此登录系统

Thanks for your patience as I explained how this project came together and how you can benefit from its resulting code.

感谢您的耐心配合,因为我解释了该项目是如何组合在一起的,以及如何从其产生的代码中受益。

Regards,

问候,

Rod

竿

Translated from: https://www.experts-exchange.com/articles/2918/The-EE-Collaborative-Login-System-Implementation.html
