Php Symfony2:安全/安全登录和注销
我应该添加什么来实现安全登录和注销 对于登录,我只需从数据库获取并验证信息,然后设置会话和Cookie:Php Symfony2:安全/安全登录和注销,php,security,symfony,login,logout,Php,Security,Symfony,Login,Logout,我应该添加什么来实现安全登录和注销 对于登录,我只需从数据库获取并验证信息,然后设置会话和Cookie: if ($users) { //$users - fetched array of users foreach ($users as $user) { $response->headers->setCookie(new Cookie('user', $cookie, $expire, $path = '/', $domain = '', $secure =
if ($users) { //$users - fetched array of users
foreach ($users as $user) {
$response->headers->setCookie(new Cookie('user', $cookie, $expire, $path = '/', $domain = '', $secure = false, $httpOnly = false));
$response->sendHeaders();
foreach ($user as $key => $value) {
//setting every user information to session except password
$session->set($key, $value);
}
}
}
$response->headers->clearCookie('user');
$response->sendHeaders();
$request->getSession()->invalidate();
$password = $user['password']; //is already in md5
$username = $user['email'];
$cookie = base64_encode ("$username:" . md5 ($password));
所有这些都存储在主控制器中。这确实不是实现登录和注销的好方法。看看Symfony2安全教程。使用UserProvider从数据库获取用户,如果成功,则设置安全令牌 首先——
MD5功能不再安全。如果您愿意,可以使用比salt更强大的密码编码功能。如果您实现了中所述的用户提供程序和存储库,您可以像这样以编程方式登录和注销用户 以下是一个示例实现: 登录:
$username=$user['email'];
$password=$user['password'];//注意:此时必须为纯文本
$User=$this->container->get('doctrine')->getManager()
->getRepository('TixysBackendBundle:User')
->findOneBy(数组('login'=>$username));
如果(!$User)抛出\异常(“未找到用户!”);
$factory=$this->container->get('security.encoder_factory');
$encoder=$factory->getEncoder($User);
$password=$encoder->encodePassword($password,$User->getSalt());
如果($password!=$User->getPassword())
抛出新的\异常(“错误的密码”);
//实际登录
$token=newusernamepasswordtoken($User,null,'secured_area',$User->getRoles());
$this->container->get('security.context')->setToken($token);
$this->container->get('security.context')->setToken(null);
$this->container->get('session')->invalidate();
//如果您存储了以前经过身份验证的用户的实例
//在某个地方,也摧毁那个实例。
鉴于您在
app/config/security.ymlinvalidate()