Login works on a subdomain but not on the main domain

Question  Votes: 1  Answers: 1

How can it be that I have a script with a login function that works on a subdomain but not on another domain? It uses the same MySQL DB username and password. The same code will not work.

    if (isset($_POST['Login'])) {
        try {
            // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
            NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);
            $gump  = new GUMP();
            $_POST = $gump->sanitize($_POST); // You don't have to sanitize, but it's safest to do so.

            $is_valid = GUMP::is_valid($_POST, array(
                'entry'    => 'required',
                'password' => 'required'
            ));
            if ($is_valid === true) {
                login($db, $_POST['entry'], $_POST['password']);
            } else {
                $_SESSION['Error'] = $is_valid;              // set error messages
                header("location:" . $_SERVER['PHP_SELF']); // redirect to php self
                exit;
            }
        } catch (Exception $e) {
            // CSRF attack detected
            $result[] = 'Session expired form ignored try again .'; //$e->getMessage() . ' Form ignored.';
            $_SESSION['Error'] = $result;                // set error messages
            header("location:" . $_SERVER['PHP_SELF']); // redirect to php self
            exit;
        }
    }

    function login($db, $entry, $password) {
        //session_destroy();
        $entry    = (string)$entry;
        $password = (string)$password;
        /* $db->select($table, $columns, $where) */
        $datas = $db->select("user", [
            "user_id",
            "username",
            "email"
        ], [
            "AND" => [
                "OR" => [
                    "username" => "$entry",
                    "email"    => "$entry"
                ],
                "password"      => md5("$password"), // password column holds an md5 digest
                "status"        => '1',
                "verify_status" => '1',
            ]
        ]);
        $error = $db->error(); // error
        if (empty($error[2])) { // if error empty
            if (is_array($datas) && count($datas) > 0) { // if select returned a result
                extract($datas[0]);
                $_SESSION['user_id']        = $user_id;
                $_SESSION['user_name']      = $username;
                $_SESSION['user_email']     = $email;
                $_SESSION['user_is_logged'] = TRUE;
                $_SESSION['Success'][] = "Successfully Logged In :)"; // set success message
                header("location:" . BASE_URL); // redirect to the site root
                exit;
            } else { // else invalid attempt
                $_SESSION['Error'][] = "Invalid Credentials or you may not verified."; // set error messages
                header("location:" . $_SERVER['PHP_SELF']); // redirect to php self
                exit;
            }
        } else {
            $_SESSION['Error'][] = "Error on query.."; // set error messages
            header("location:" . $_SERVER['PHP_SELF']); // redirect to php self
            exit;
        }
    }

So when I move the code, the catch block is triggered, as if a CSRF attack had been detected. What exactly is going on? NoCSRF and GUMP are the same. The constants are the same. The .htaccess is the same.

authentication csrf login-script
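As an added example, not the asker's code nor the NoCSRF or GUMP API, here is the same login flow written so that every piece the token check depends on is visible: the token is stored in the PHP session, the session cookie's domain is set explicitly (`example.com` is a placeholder), and passwords are checked with `password_verify()` instead of `md5()`. It assumes a PDO handle `$pdo` and a `password_hash` column in the `user` table.

```php
<?php
// Added example, not the asker's code: CSRF token bound to the PHP session,
// session cookie scope set explicitly, password checked with password_verify().
// Assumes a PDO handle $pdo and a `user` table with a password_hash column.

// Explicit cookie scope so the token issued with the form is readable on the
// POST that follows from the same host. 'example.com' is a placeholder domain.
session_set_cookie_params(['domain' => 'example.com', 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

const CSRF_TTL = 600; // 10 minutes, matching the original NoCSRF call

function csrf_token(): string {
    $_SESSION['csrf'] = ['value' => bin2hex(random_bytes(32)), 'issued' => time()];
    return $_SESSION['csrf']['value'];
}

function csrf_check(array $post): bool {
    $stored = $_SESSION['csrf'] ?? null;
    unset($_SESSION['csrf']); // one-time token: consumed whether or not it matches
    if ($stored === null || !isset($post['csrf_token'])) return false;
    if (time() - $stored['issued'] > CSRF_TTL) return false;
    return hash_equals($stored['value'], (string)$post['csrf_token']);
}

function login(PDO $pdo, string $entry, string $password): ?array {
    $stmt = $pdo->prepare('SELECT user_id, username, email, password_hash FROM user
        WHERE (username = :u OR email = :e) AND status = 1 AND verify_status = 1');
    $stmt->execute(['u' => $entry, 'e' => $entry]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when no row matched, so timing stays constant.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) return null;
    session_regenerate_id(true); // fresh session id after the privilege change
    unset($row['password_hash']);
    return $row;
}

if (isset($_POST['Login'])) {
    $entry = (string)($_POST['entry'] ?? ''); $password = (string)($_POST['password'] ?? '');
    if (!csrf_check($_POST)) {
        $_SESSION['Error'][] = 'Session expired, form ignored, try again.';
    } elseif (($user = login($pdo, $entry, $password)) === null) {
        $_SESSION['Error'][] = 'Invalid credentials or account not verified.';
    } else {
        $_SESSION['user_id'] = $user['user_id']; $_SESSION['user_is_logged'] = true;
    }
    header('Location: ' . $_SERVER['PHP_SELF']); exit;
}
```

The form that renders `csrf_token()` and the POST that calls `csrf_check()` must both be served under the domain the session cookie is scoped to; if the cookie is not sent back, the session has no stored token and the check fails exactly like a rejected CSRF attempt.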
1 answer