A Better Website Login System, the EE Collaborative Login System

Published: 2023/12/8

Preface

This article introduces an authentication and authorization system for a website. It is understood by the author and the project contributors that there is no such thing as a "one size fits all" system. That being said, there is a certain set of common functionalities that should be employed in a website authentication and authorization system.

One article cannot discuss all aspects of such a system at the level of detail required for every web developer, so this will be one of several articles.

The purpose of this article is to introduce an open source, collaborative project by various Experts-Exchange contributors, providing a safe, secure, robust and extensible authentication system suitable for many websites. The Login System is more aptly called an authentication and authorization system, as will be discussed in more detail in the following articles. At the end of this article you will have all you need for a login page.

Only you as a web developer can determine the needs of your website or web application. For the very impatient developer, you can skip to Section "1. Prerequisites".

Introduction

"I need a login page for my website." A very common question here at Experts-Exchange, but not one which is simply answered. Why? Because a login page alone is insufficient.

Any useful login system will be based on some type of database. If not directly tied to a network directory service provider such as Active Directory, LDAP/x500, or Novell eDirectory, then a back end database is needed. On the internet, most websites use such a database driven system and not a directory service provider. The following discusses a complete authentication and authorization system for a website which will use a database and not be integrated with a network directory service provider.

General Considerations

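Assuming the login system will be backed by a database, the website owner or developer will need to perform many tasks to provide a website login. A database of users needs to be built and passwords assigned. A method of deleting or locking out user accounts will be needed. Users will inevitably forget their username or password, or want the ability to change their password, all of which adds administrative overhead. All of this information must be communicated to the user in a secure manner, and ordinary e-mail is not secure. Given a popular website with many users, these functions can take up a great deal of the webmaster's time.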

Any popular site, be it a social networking site or just a forum, has not just a login page but a "Login System" consisting of many pages with various functions.

Commonly one would find:

A Registration page,

A Registration Verification page (more about this later),

A Cancel Registration page (optional),

The Login page,

A Log out page,

A Recover Password page,

A Change Password page,

A Cancel Account page, and

A few other pages to support those listed.

Yet Another Authentication System? -- Some Background

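When you were a child, you may have had a tree house, or a group of friends who started a club. You would agree on a code or a special way of confirming your membership. It worked because you had direct contact with the other members of the "club" and could share the secret without difficulty.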

This ability to share a secret became more and more difficult over the years. Many "secret" code systems were developed by military commanders since ancient times and many times those systems failed or were compromised by the enemy. A famous example was the breaking of the Enigma code system by Allied forces during World War II.

In the early 70's a group of computer scientists recognized that in the emerging digital world it was going to be even more difficult to keep secrets as there would be no reliable way to share a secret code. These men, Ron Rivest, Adi Shamir, and Len Adleman, pioneered many cryptographic functions we now take for granted. RC4 and MD5 are two cryptographic algorithms still in use today. (They went on to found RSA Security, which is their initials.)

Two important keys to the success of their works were:

1. The first (known) cryptographic method using a public and private key such that a person could create a secret message using the private key and a person possessing the public key could decrypt the secret message. Brute forcing the message was computationally infeasible, and if the public key was published you had non-repudiation. You could prove the only person who created the message possessed the private key; ergo S/MIME.

2. More important here was that they published the method of encryption for all to see. As a result, many mathematicians and cryptographers had the opportunity to scrutinize the work and discover any flaws early on.

Just a login page is not sufficient for a web site, and an examination of the many "Login System" tutorials which exist on the web found that they generally have unaddressed, known security flaws (XSS, CSRF, and SQL injection, to name a few). As a result, a group of expert contributors from Experts Exchange began an open source Web Login Project to provide essentially a plug-and-play solution for web developers.

It was troubling to the experts involved that the same or similar vulnerabilities plague websites, and have done so for many years. Among other security organizations, the OWASP publishes a Top Ten list of web vulnerabilities, found here: OWASP_Top_Ten_Project. Just as it is ill-advised for a developer to create their own cryptographic software without being an expert in the field of cryptanalysis and having their work examined by many other experts to ensure it is viable and safe, it is safe to draw a similar parallel and say that a web-based authentication system should be produced by people with a demonstrated expertise in web development and should have been vetted by many other web developers to ensure the code is robust and correct. With that in mind, the primary goals of the Web Login Project focused on three areas:

2. Provide a means for web developers to choose which functions of the Login System they wish to implement, and

3. Provide a project home where bugs, security vulnerabilities and feature enhancements may be tracked.

Of the three, the last one is the most important. No matter how many people may have been involved in the creation of the code, bugs and security vulnerabilities can be overlooked. As yet unknown vulnerabilities can be discovered in the future. Having a project home where these issues can be tracked and corrected is paramount in achieving the goal of providing robust and secure code, and ensuring it continues to remain that way.

As the project was conceptualized, some additional benefits were added to the design. Since the Login System must be flexible enough to be used in nearly any web site, it was designed to:

Be easy to incorporate in an existing website and be styled to take on the correct look and feel of the site (probably via CSS), and

Provide a centralized configuration file which not only reduces the complications of implementing the Login System but which also provides the ability for the Login System to be internationalized by changing text and phrases used in those pages to languages other than US English.

For the impatient, I will save the Login System design details for a follow-up article and get to the point on how you can obtain and implement the Login System on your website or web application. The initial code is being offered in PHP and ASP and, while deemed functional and safe, already has additional enhancements in the works. Versions in English, French, German, Swedish, Spanish and Vietnamese have been developed and translations to Danish and Hindi are underway. Versions of the Login System in other web development languages and frameworks are planned as well as having additional languages supported.

The remainder of this article will discuss:

2. How to protect individual pages from unauthorized access,

3. How to obtain the code for the Login System,

4. How to set up the necessary back-end database, and

5. How to implement the pages you wish to include in your website.

1. Prerequisites

Because the current release is in ASP and PHP code, the website will need to support one of those server-side languages.

The web site will need a database to store user registration and authentication details as well as an optional logging table for auditing purposes. The initial code release supports:

MS Access on a Windows Server,

MS SQL (including an express version, formerly MSDE), or

MySql.

It is assumed the web site has the following pages:

The home page,

A contact page (for contacting the webmaster),

A page to direct unauthorized users, which we will refer to as the "Forbidden" page, and

A form error page (an example is supplied with the Login System code).

2. How to protect individual pages from unauthorized access

Due to the customizations possible and the ability to translate the Login System into various world languages, constant values are extensively used. This may appear confusing to some in the following code examples.

All pages to be protected need a small amount of code near the beginning of the page to check that the user is logged on and authorized to see the page.

To protect an ASP page, the page would obviously need the extension of .asp and would contain the following code at the beginning of the page.

    <%
    Option Explicit
    Session.CodePage=65001
    Response.Charset="UTF-8"
    %>
    <!--#include file="include/loginGlobals.asp"-->
    <%
    ' Not logged in: send the user to the login page, passing this page as "p"
    If NOT Session("login") Then
        Response.Redirect "http://" & lg_domain & lg_loginPath & lg_loginPage & _
            "?p=" & Request.ServerVariables("SCRIPT_NAME")
    End If
    ' Your page code here
    %>

The Login System's global configuration (and language) file is included as it is needed by the code that follows to determine the domain of the website, the path to the login page and the name of the login page.

The code determines if the user is logged in, and if not, redirects the user to the login page. The protected (current) page is passed as a parameter so that if the user successfully authenticates he would be redirected back to this page.

If the user is logged in, execution will continue with the code following the login check.

To protect a PHP page it must have a .php extension and include the following code. As with the ASP example, we are explicitly setting our codepage to UTF-8, including the Login System's global configuration file, and finally checking to see if the user is logged in.

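    <?PHP
    setlocale(LC_ALL, 'English_United States.65001');
    if (!isset($_SESSION)) {
        session_start();
    }
    include "include/loginGlobals.php";
    // Not logged in: send the user to the login page, passing this page as "p"
    if (empty($_SESSION["login"])) {
        header("Location: https://" . lg_domain . lg_loginPath . lg_loginPage .
            "?p=" . $_SERVER["SCRIPT_NAME"]);
        exit; // header() does not stop the script; without this the protected content is still sent
    }
    // Your page code here
    ?>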
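The "p" parameter described above tells the login page where to send the user after authentication, so the login page should accept only a local path in it. This article does not show how the project's login.php handles "p"; the following is an added example (not code from the Login System project) of one way to validate it, where lg_safe_return_path() and lg_return_location() are hypothetical helper names and the sample values are constructed for illustration.

```php
<?php
// Added example, not part of the Login System code base.
// lg_safe_return_path() and lg_return_location() are hypothetical names.

/**
 * Validate the "p" value that a protected page appended to the login URL.
 * Returns $p only when it is a plain local script path, the kind of value
 * $_SERVER["SCRIPT_NAME"] produces; anything else yields $default.
 */
function lg_safe_return_path($p, $default = '/')
{
    if (!is_string($p) || strlen($p) > 1024) {
        return $default;
    }
    // One leading "/", not followed by a second "/", then only path
    // characters. \z anchors at the true end of the string, so a trailing
    // newline cannot slip past the way it can with "$". This rejects:
    //   absolute URLs ("https://host/..."), which lack the leading "/"
    //   scheme-relative URLs ("//host/...")
    //   backslashes ("/\host"), which browsers treat like "/"
    //   CR/LF and other control characters (response header injection)
    if (!preg_match('#^/(?!/)[A-Za-z0-9_./~-]*\z#', $p)) {
        return $default;
    }
    return $p;
}

/**
 * Build the post-login Location value. The host always comes from the
 * site's own configuration, never from the request.
 */
function lg_return_location($domain, $p, $default = '/')
{
    return 'https://' . $domain . lg_safe_return_path($p, $default);
}

// Constructed sample values for "p".
$samples = array(
    '/members/report.php',      // what a protected page sends
    'https://other.example/',   // absolute URL
    '//other.example/login',    // scheme-relative URL
    '/\\other.example',         // backslash variant
    "/page.php\r\nX-Test: 1",   // embedded CR/LF
    '',                         // missing value
);

foreach ($samples as $p) {
    // 'www.example.com' stands in for the lg_domain constant.
    echo str_pad(json_encode($p), 32), ' => ',
         lg_return_location('www.example.com', $p), "\n";
}

// On the login page, after a successful login, the call would look like:
//   $p = isset($_GET['p']) ? $_GET['p'] : '';
//   header('Location: ' . lg_return_location(lg_domain, $p));
//   exit;
```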

3. How to obtain the code for the Login System

The official downloads of the latest version of the Login System code and supporting HTML or XHTML markup can be found under the downloads tab at the code project's home on Google Code, at http://code.google.com/p/loginsystem-rd/.

An example MS Access database file is available as are the SQL scripts needed to create either a MS SQL or MySql database.

In addition to listing the project's initial contributors, the implementation page on the Wiki and the Issue Tracking tabs should be consulted for any pertinent details not included in this article.

For example: if a Cold Fusion or .NET version is released, implementation details will most likely appear first on the project's Google Code home before this article is updated.

While the download packages may change in the future, a web developer will need to select for of the following downloads.

2. The corresponding HTML 4.01 Strict markup templates if their site does not use XHTML,

3. A database file or SQL script for creating the necessary database.

4. How to set up the necessary back-end database

There are currently three supported database back ends for the Login System.

2. MS SQL Server (2000-2008 on Windows), and

3. MySql (on any supported OS).

The MS SQL Server and MySql databases are created by executing the supplied SQL scripts. If you do not know how to execute these scripts to create the necessary databases please post a question in the Miscellaneous Web Development, MS SQL or MySql zones at Experts Exchange. Note: You will want a separate account for the web user on those databases with Select, Update, Insert, and Delete permissions only. Do not run the Login System under an administrator's account.

5. How to implement the pages you wish to include in your website

It is suggested you add a directory under the web root called "login-system" and add a directory called "include" under the "login-system" directory. In fact, this is how the Login System files are packaged for delivery. As packaged, the files in the "login-system" directory are simply meant as examples. They include the bare minimum information for you to incorporate the Login System into your web pages and are intended to be replaced by your pages (with the necessary modifications to incorporate the Login System).

The files in the /login-system/include/ directory do all the work and should not be altered.

Implementing the Login System in your web pages simply means you would include certain library files and (X)HTML markup in your pages to obtain the Login System functionality. It also means you would at a minimum include the META tag for UTF-8 support:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

An examination of the source code for the page shows (abbreviated) the following general markup structure. It is important to note the area above the top of the <!DOCTYPE...> declaration and the bolded area where the main content would appear.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html lang="en">
    <head>
    <title>HTML & DOM Tips And Tutorials</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    </head>
    <body>
    <div id="topmenu">...</div>
    <div id="banner">...</div>
    <div id="mainmenu">...</div>
    <div id="middle">
    <div id="content">
    <div><a name="main_content">...</div>
    </div> <!--content-->
    </div> <!--nav-->
    <div id="right">...</div>
    </div> <!--middle-->
    </body>
    </html>

To make this a login page using the supplied Login System code requires some code to be included in the page at these two locations. Above the <!DOCTYPE...> we plug in the files which enable the login page functionality as well as setting the UTF-8 code page 65001. In the main content area we plug in the markup for the login form. That's it! You have a functional login page, e.g. Plug and Play.

    <?PHP
    setlocale(LC_ALL, 'English_United States.65001');
    if (!isset($_SESSION)) {
        session_start();
    }
    include "include/generalPurpose.php";
    include "include/form_token.php";
    include "include/loginGlobals.php";
    include "include/database.php";
    include "include/login.php";
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html lang="en">
    <head>
    <title>HTML & DOM Tips And Tutorials</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    </head>
    <body>
    <div id="topmenu">...</div>
    <div id="banner">...</div>
    <div id="mainmenu">...</div>
    <div id="middle">
    <div id="content">
    <div><a name="main_content"><?PHP include "include/login-markup.php"; ?></div>
    </div> <!--content-->
    </div> <!--nav-->
    <div id="right">...</div>
    </div> <!--middle-->
    </body>
    </html>

At the top of the page, generalPurpose.php, form_token.php, loginGlobals.php, and database.php are library files common to most of the Login System pages. The login.php page contains the code for the login page to function and the login-markup.php code contains the form.

    <!-- XHTML 1.1 Strict -->
    <!-- 19 APR 2010 alpha 0.1 -->
    <div id="login-system">
    ...the form markup
    </div>

All Login System markup looks similar to the above. There are two comments with the type of markup and the revision. The content is contained within division tags with the ID of "login-system." All items in the markup have the necessary IDs or other attachment hooks for CSS styling, allowing the markup to be styled as desired by the web developer implementing the login system. All pages in the Login System (but one) are the same. There is code to be included above the <!DOCTYPE...> as well as a corresponding markup file to be included in the main content area. The logout page can be used as delivered as it is only momentarily executed before redirecting to the "logged out" page.

6. Global configuration

The loginGlobals.php page is the configuration file and holds the constants needed on each Login System page. Some important configuration details are:

The domain, set in the constant lg_domain (and lg_domain_secure). The second constant is primarily intended for persons using a shared SSL certificate which may have a different domain name than the main site's domain.

The webmaster e-mail address, set in lg_webmaster_email and lg_webmaster_email_link.

The path to the Login System files. Usually you would leave that as "/login-system/" but an advanced user may wish to relocate those files.

The full paths and names of the home page, the contact page, the form_error page and the forbidden page. These need not, and probably will not, be in the /login-system/ directory.

Database configuration details, (host or path, database catalog, userid and password.) These are in the loginGlobals page for ASP code and in the database.php file for PHP code.

The settings for SSL, debugging, and logging logins. As delivered, the settings for lg_useSSL and lg_debug are set to false. Assuming you have an SSL certificate you would change lg_useSSL to true and leave lg_debug set to false. lg_debug set to true would reveal very sensitive data not for the public's viewing. It should only be enabled if you were asked to do so by an expert assisting you with a problem.

Lastly, lg_log_logins is set to true. This is important so you have an audit trail of activity (as well as the entries in the loginAttempts table). It is suggested you leave that constant set to true.

7. What is set by the Login System?

Assuming a successful login, the session variable "login" is set to true, "userid" is set to the user's userid, and "name" is set to the user's name.

Session("login") or $_SESSION["login"] is what you use to determine on protected pages if the user has already authenticated.

Session("userid") or $_SESSION["userid"] is for displaying content specific for that user. You would never display the userid on any web page in your site. That may allow a malicious user to attempt a brute force attack on that userid. Display the user's name (Session("name") or $_SESSION["name"]) instead.

If the user selected "Remember Me" from the login form, a permanent cookie called "login" is stored with that user's userid.

If you are using the ASP code, a cookie containing a cryptographic token (hash) is stored as part of an anti-Session Fixation method.

8. Where do I get the code?

The Login System home is the Google Code repository located at:

http://code.google.com/p/loginsystem-rd/

9. Where can I see the code in use?

The Login System maintains a web host at http://www.webloginproject.com/ where you will find many demonstration sites.

10. Where do I get help?

For help implementing the Login System or creating the database needed you should post a question at Experts Exchange in Miscellaneous Web Development, PHP or ASP, and/or the appropriate database forum. (You are allowed three topic areas for your question.)

11. I want to help.

We want your help! If you can translate the Login System into another language, or implement a version in another web development code (Cold Fusion, VB.NET, C#.NET, Zend framework), please contact the author.

12. Why should I use this Login System?

It was developed by over 16 Experts with an average rank of Genius or above and a combined point total of over 59 million Expert Points. It is robust, secure and vetted code. It has been placed in the public domain and will continue to be developed not only by the original experts, but by other experts long after the original experts are gone.

13. What are the key features, design philosophy, and development requirements of the Login System?

Read the next article:

The EE Collaborative Login System Part Two - Design Considerations

Contributors:

rdivilbiss, Project Lead

Alphabetically:

b0lsc0tt, jason1178, jkrk, kaushal, lherrou, mark_wills, ModernMatt, mplungjan, mwvisa1, Netminder, Ray_Paseur, roonaan, RQuadling, stone5150, sunnycoder

Translated from: https://www.experts-exchange.com/articles/2902/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html
