A Better Website Login System: the EE Collaborative Login System

Preface

This article introduces an authentication and authorization system for a website.  It is understood by the author and the project contributors that there is no such thing as a "one size fits all" system.  That being said, there is a certain set of common functionalities that should be employed in a website authentication and authorization system.

One article can not discuss all aspects of such a system at the level of detail required for every web developer, so this will be one of several articles.

The purpose of this article is to introduce an open source, collaborative project by various Experts-Exchange contributors, providing a safe, secure, robust and extensible authentication system suitable for many websites.  The Login System is more aptly called an authentication and authorization system, as will be discussed in more detail in the following articles.  At the end of this article you will have all you need for a login page.

Only you as a web developer can determine the needs of your website or web application.  For the very impatient developer, you can skip to Section "1. Prerequisites".

Introduction

"I need a login page for my website." A very common question here at Experts-Exchange, but not one which is simply answered.  Why? Because a login page alone is insufficient.

Any useful login system will be based on some type of database.  If not directly tied to a network directory service provider such as Active Directory, LDAP/X.500 or Novell eDirectory, then a back-end database is needed.  On the internet most websites use such a database-driven system and not a directory service provider.  The following discusses a complete authentication and authorization system for a website which will use a database and not be integrated with a network directory service provider.

General Considerations

Assuming the login system will be backed by a database, the website owner or developer will need to perform a number of tasks before users can log in to the site.  A user database needs to be established and passwords assigned.  A way to delete or lock user accounts will be needed.  Users will inevitably forget their user names or passwords, or want the ability to change their passwords, all of which adds administrative overhead.  All of this information must be communicated to the user in a secure manner, and ordinary e-mail is not secure.  Given a popular website with many users, these functions can take up a large amount of the webmaster's time.

Any popular site, be it a social networking site or just a forum has not just a login page but a "Login System" consisting of many pages with various functions.

Commonly one would find:

A Registration page,
A Registration Verification page (more about this later),
A Cancel Registration page (optional),
The Login page,
A Log out page,
A Recover Password page,
A Change Password page,
A Cancel Account page, and
A few other pages to support those listed.

Yet Another Authentication System?  -- Some Background

When you were a child you may have had a tree house, or a group of friends who started a club.  You would agree on a code or a special way of confirming your membership.  It worked because you had direct contact with the other members of the "club" and could share the secret without difficulty.

This ability to share a secret became more and more difficult over the years.  Many "secret" code systems were developed by military commanders since ancient times and many times those systems failed or were compromised by the enemy.  A famous example was the breaking of the Enigma code system by Allied forces during World War II.

In the 1970s a group of computer scientists recognized that in the emerging digital world it was going to be even more difficult to keep secrets, as there would be no reliable way to share a secret code between parties who had never met.  In 1977 Ron Rivest, Adi Shamir and Len Adleman published the RSA cryptosystem, the first practical public-key algorithm, and went on to found RSA Security (named from their initials).  Rivest later designed RC4 and MD5; both are still encountered today, although both are now considered broken and should not be used in new designs.

Two important keys to the success of their work were:

1.  A cryptographic method using a public and a private key: a message encrypted with the public key can be decrypted only by the holder of the private key, and a message signed with the private key can be verified by anyone holding the public key.  Brute forcing the message was computationally infeasible, and if the public key was published you had non-repudiation: you could prove that only a person possessing the private key could have created the signature.  This is the basis of, for example, S/MIME.

2.  More important here, they published the method of encryption for all to see.  As a result, many mathematicians and cryptographers had the opportunity to scrutinize the work and discover any flaws early on.

Given the argument that just a login page is not sufficient for a web site, and having examined many examples of "Login System" tutorials which exist on the web, those were generally found to have unaddressed, known security flaws (XSS, CSRF and SQL injection, to name a few).  As a result, a group of expert contributors from Experts Exchange began an open source Web Login Project to provide essentially a plug-and-play solution for web developers.

It was troubling to the experts involved that the same or similar vulnerabilities plague websites, and have done so for many years.  Among other security organizations, OWASP publishes a Top Ten list of web application security risks, found here: OWASP_Top_Ten_Project.  Just as it is ill-advised for a developer to create their own cryptographic software without being an expert in the field of cryptanalysis and without having their work examined by many other experts to ensure it is viable and safe, it is safe to draw a similar parallel and say that a web-based authentication system should be produced by people with demonstrated expertise in web development and should be vetted by many other web developers to ensure the code is robust and correct.  With that in mind, the primary goals of the Web Login Project focused on three areas:

2.   Provide a means for web developers to choose which functions of the Login System they wish to implement, and

3.   Provide a project home where bugs, security vulnerabilities and feature enhancements may be tracked.

Of the three, the last one is the most important.  No matter how many people may have been involved in the creation of the code, bugs and security vulnerabilities can be overlooked, and as yet unknown vulnerabilities can be discovered in the future.  Having a project home where these issues can be tracked and corrected is paramount in achieving the goal of providing robust and secure code, and ensuring it continues to remain that way.

As the project was conceptualized, some additional benefits were added to the design. Since the Login System must be flexible enough to be used in nearly any web site, it was designed to:

Be easy to incorporate in an existing website and be styled (probably via CSS) to take on the look and feel of the site, and

Provide a centralized configuration file which not only reduces the complications of implementing the Login System but which also provides the ability for the Login System to be internationalized by changing text and phrases used in those pages to languages other than US English.

For the impatient, I will save the Login System design details for a follow-up article and get to the point on how you can obtain and implement the Login System on your website or web application.  The initial code is being offered in PHP and ASP and while deemed functional and safe, already has additional enhancements in the works.  Versions in English, French, German, Swedish, Spanish and Vietnamese have been developed and translations to Danish and Hindi are underway.  Versions of the Login System in other web development languages and frameworks are planned as well as having additional languages supported.

The remainder of this article will discuss:

1.  Prerequisites,
2.  How to protect individual pages from unauthorized access,
3.  How to obtain the code for the Login System,
4.  How to set up the necessary back-end database, and
5.  How to implement the pages you wish to include in your website.

1. Prerequisites

Since the current release is in ASP and PHP code, the website will need to support one of those server-side languages.

The web site will need a database to store user registration and authentication details as well as an optional logging table for auditing purposes. The initial code release supports:

MS Access on a Windows server,
MS SQL Server (including the Express edition, formerly MSDE), or
MySQL.

It is assumed the web site has the following pages:

The home page,
A contact page (for contacting the webmaster),
A page to which unauthorized users are directed, which we will refer to as the "Forbidden" page, and
A form error page (an example is supplied with the Login System code).

2. How to protect individual pages from unauthorized access

Due to the customizations possible and the ability to translate the Login System into various world languages, constant values are extensively used.  This may appear confusing to some in the following code examples.

All pages to be protected need a small amount of code near the beginning of the page to check that the user is logged on and authorized to see the page.

To protect an ASP page, the page would obviously need the extension of .asp and would contain the following code at the beginning of the page.

<%
Option Explicit
Session.CodePage = 65001
Response.Charset = "UTF-8"
%>
<!--#include file="include/loginGlobals.asp"-->
<%
' Redirect to the login page if the session is not authenticated. The current
' page is passed as "p" so the login page can send the user back here afterwards.
' Response.Redirect ends the response, so nothing below it is sent to the client.
If NOT Session("login") Then
    Response.Redirect "http://" & lg_domain & lg_loginPath & lg_loginPage & _
        "?p=" & Request.ServerVariables("SCRIPT_NAME")
End If
' Your page code here
%>

The Login System's global configuration (and language) file is included as it is needed by the code that follows to determine the domain of the website, the path to the login page and the name of the login page.

The code determines if the user is logged in and, if not, redirects the user to the login page.  The protected (current) page is passed as a parameter so that, if the user successfully authenticates, he is redirected back to this page.  Because that parameter arrives from the browser, the login page must only ever redirect to a path on its own site: a login page that redirects to whatever "p" contains can be abused as an open redirect, sending a freshly authenticated user to an attacker's site.

If the user is logged in, execution will continue with the code following the login check.

To protect a PHP page it must have a .php extension and include the following code.  As with the ASP example, we are explicitly setting our codepage to UTF-8, are including the Login System's global configuration file, and finally checking to see if the user is logged in.

<?php
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
    session_start();
}
include "include/loginGlobals.php";
// Redirect to the login page if the session is not authenticated, passing the
// current page as "p". The exit is essential: header() only queues the redirect,
// and without it the protected content below would still be rendered and sent.
if (empty($_SESSION["login"])) {
    header("Location: https://" . lg_domain . lg_loginPath . lg_loginPage .
           "?p=" . rawurlencode($_SERVER["SCRIPT_NAME"]));
    exit;
}
// Your page code here
?>
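As an added example (not the Login System's own code, which lives in the project's include files), the following PHP shows both halves of the redirect described above done defensively: a page guard that exits after sending the redirect, and a validator the login page applies to the "p" parameter before sending the user back, so that only a path on the site itself is ever accepted.  It also regenerates the session id at the moment of login, the standard defence against session fixation.  lg_domain, lg_loginPath and lg_loginPage are the project's constants from loginGlobals.php; the default values given for them, and the functions safe_return_path, require_login and finish_login, are assumptions introduced for this example.

```php
<?php
// Added example, not part of the Login System. lg_domain, lg_loginPath and
// lg_loginPage are the project's constants (normally defined by
// include/loginGlobals.php); the defaults below are assumed values so that
// this file also runs on its own.
if (!defined('lg_domain'))    { define('lg_domain', 'www.example.com'); }   // assumed
if (!defined('lg_loginPath')) { define('lg_loginPath', '/login-system/'); } // assumed
if (!defined('lg_loginPage')) { define('lg_loginPage', 'login.php'); }      // assumed

/**
 * Reduce an untrusted "p" value to a site-local absolute path, or $fallback.
 * Rejects protocol-relative URLs ("//evil.example"), anything with a scheme or
 * host, backslashes (some browsers treat "/\" like "//"), header-injection
 * characters, and ".." segments. The query string is kept; a fragment is not.
 */
function safe_return_path($p, $fallback = '/')
{
    if (!is_string($p) || $p === '' || $p[0] !== '/') {
        return $fallback;
    }
    if (isset($p[1]) && $p[1] === '/') {          // "//host/..." is not local
        return $fallback;
    }
    if (strpbrk($p, "\r\n\0\\") !== false) {       // CR/LF/NUL/backslash
        return $fallback;
    }
    $parts = parse_url($p);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if (in_array('..', explode('/', $path), true)) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

/**
 * Guard for a protected page: call after including the Login System files.
 * The exit matters: header() only queues the redirect, so without it the
 * rest of the protected page would still be rendered and sent.
 */
function require_login()
{
    if (!isset($_SESSION)) {
        session_start();
    }
    if (empty($_SESSION['login'])) {
        $here = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '/';
        header('Location: https://' . lg_domain . lg_loginPath . lg_loginPage
             . '?p=' . rawurlencode($here));
        exit;
    }
}

/**
 * What a login page should do once the credentials have been verified:
 * rotate the session id before marking the session authenticated (so a
 * session id planted by an attacker beforehand is never promoted), then
 * return the user only to a validated local path.
 */
function finish_login($userid, $name)
{
    session_regenerate_id(true);
    $_SESSION['login']  = true;
    $_SESSION['userid'] = $userid;
    $_SESSION['name']   = $name;
    $p = isset($_GET['p']) ? $_GET['p'] : null;
    header('Location: ' . safe_return_path($p));
    exit;
}
```

On a protected page, require_login() replaces the if block shown above.  finish_login() sketches what a login page should do after the Login System has verified the credentials; it is not the project's login.php.  If your login page already redirects to p, passing that value through safe_return_path() first is the one-line change that closes the open redirect.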

3. How to obtain the code for the Login System

The official downloads of the latest version of the Login System code and supporting HTML or XHTML markup can be found under the downloads tab at the code project's home on Google Code, at http://code.google.com/p/loginsystem-rd/.

An example MS Access database file is available as are the SQL scripts needed to create either a MS SQL or MySql database.

In addition to listing the project's initial contributors, the implementation page on the Wiki and the Issue Tracking tabs should be consulted for any pertinent details not included in this article.

For example: if a Cold Fusion or .NET version is released, implementation details will most likely appear first on the project's Google Code home before this article is updated.

While the download packages may change in the future, a web developer will need to select from the following downloads.

2.  The corresponding HTML 4.01 Strict markup templates if their site does not use XHTML, and

3.  A database file or SQL script for creating the necessary database.

4. How to set up the necessary back-end database

There are currently three supported database back ends for the Login System.

1.  MS Access (on a Windows server),

2.  MS SQL Server (2000-2008 on Windows), and

3.  MySQL (on any supported OS).

The MS SQL Server and MySQL databases are created by executing the supplied SQL scripts.  If you do not know how to execute these scripts to create the necessary databases, please post a question in the Miscellaneous Web Development, MS SQL or MySQL zones at Experts Exchange.  Note:  You will want a separate account for the web user on those databases with Select, Update, Insert and Delete permissions only, granted on the Login System's tables rather than on the whole server.  Do not run the Login System under an administrator's account: should the site ever be compromised through SQL injection, the privileges of that database account bound the damage.

5. How to implement the pages you wish to include in your website

It is suggested you add a directory under the web root called "login-system" and add a directory called "include" under the "login-system" directory.  In fact, this is how the Login System files are packaged for delivery.  As packaged, the files in the "login-system" directory are simply meant as examples.  They include the bare minimum information for you to incorporate the Login System into your web pages and are intended to be replaced by your pages (with the necessary modifications to incorporate the Login System).

The files in the /login-system/include/ directory do all the work and should not be altered.

Implementing the Login System in your web pages simply means you would include certain library files and (X)HTML markup in your pages to obtain the Login System functionality.  It also means you would at a minimum include the META tag for UTF-8 support:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

An examination of the source code for the page shows (abbreviated) the following general markup structure.  It is important to note the area above the <!DOCTYPE...> declaration and the main content area (the div containing the anchor named "main_content"), which is where the Login System's markup will be inserted.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<title>HTML &amp; DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
  <div id="content">
    <div><a name="main_content">...</div>
  </div> <!--content-->
</div> <!--nav-->
<div id="right">...</div>
</div> <!--middle-->
</body>
</html>

To make this a login page using the supplied Login System code would require some code be included in the page at these two locations.  Above the <!DOCTYPE...> we plug in the files which enable the login page functionality as well as setting the UTF-8 code page 65001.  In the main content area we plug in the markup for the login form.  That's it!  You have a functional login page, i.e. plug and play.

<?php
setlocale(LC_ALL, 'English_United States.65001');
if (!isset($_SESSION)) {
    session_start();
}
include "include/generalPurpose.php";
include "include/form_token.php";
include "include/loginGlobals.php";
include "include/database.php";
include "include/login.php";
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<title>HTML &amp; DOM Tips And Tutorials</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div id="topmenu">...</div>
<div id="banner">...</div>
<div id="mainmenu">...</div>
<div id="middle">
  <div id="content">
    <div><a name="main_content"><?php include "include/login-markup.php"; ?></div>
  </div> <!--content-->
</div> <!--nav-->
<div id="right">...</div>
</div> <!--middle-->
</body>
</html>

At the top of the page, generalPurpose.php, form_token.php, loginGlobals.php, and database.php are library files common to most of the Login System pages.  The login.php page contains the code for the login page to function and the login-markup.php code contains the form.

<!-- XHTML 1.1 Strict -->
<!-- 19 APR 2010 alpha 0.1 -->
<div id="login-system">
...the form markup
</div>

All Login System markup looks similar to the above.  There are two comments, giving the type of markup and the revision.  The content is contained within a division with the ID "login-system".  All items in the markup have the necessary IDs or other attachment hooks for CSS styling, allowing the markup to be styled as desired by the web developer implementing the Login System.  All pages in the Login System but one follow the same pattern: there is code to be included above the <!DOCTYPE...> as well as a corresponding markup file to be included in the main content area.  The exception is the logout page, which can be used as delivered, as it is only momentarily executed before redirecting to the "logged out" page.

6. Global configuration

The loginGlobals.php page is the configuration file and holds the constants needed on each Login System page.  Some important configuration details are:

The domain, set in the constant lg_domain (and lg_domain_secure).  The second constant is primarily intended for persons using a shared SSL certificate, which may have a different domain name than the main site's domain.

The webmaster e-mail address, set in lg_webmaster_email and lg_webmaster_email_link.

The path to the Login System files.  Usually you would leave that as "/login-system/" but an advanced user may wish to relocate those files.

The full paths and names of the home page, the contact page, the form_error page and the forbidden page.  These need not, and probably will not, be in the /login-system/ directory.

Database configuration details, (host or path, database catalog, userid and password.) These are in the loginGlobals page for ASP code and in the database.php file for PHP code.

The settings for SSL, debugging and logging of logins.  As delivered, lg_useSSL and lg_debug are set to false.  Assuming you have an SSL certificate, you would change lg_useSSL to true and leave lg_debug set to false.  lg_debug set to true reveals very sensitive data not meant for the public's viewing.  It should only be enabled if you were asked to do so by an expert assisting you with a problem, and switched back off as soon as the problem is resolved.

Lastly, lg_log_logins is set to true.  This is important so that you have an audit trail of activity (in addition to the entries in the loginAttempts table).  It is suggested you leave that constant set to true.

7. What is set by the Login System?

Assuming a successful login, the session variable "login" is set to true, "userid" is set to the user's userid, and "name" is set to the user's name.

Session("login") or $_SESSION["login"] is what you use to determine on protected pages if the user has already authenticated.

Session("userid") or $_SESSION["userid"] is for displaying content specific to that user.  You would never display the userid on any web page in your site: that may allow a malicious user to attempt a brute force attack on that userid.  Display the user's name (Session("name") or $_SESSION["name"]) instead.

If the user selected "Remember Me" from the login form, a permanent cookie called "login" is stored with that user's userid.  On your own pages do not treat the presence of this cookie as proof that the user is authenticated: a cookie is sent by the browser and can be given any value, so only the session variables set by a successful login are authoritative.

If you are using the ASP code, a cookie containing a cryptographic token (hash) is stored as part of an anti-Session Fixation method.

8. Where do I get the code?

The Login System home is the Google Code repository located at http://code.google.com/p/loginsystem-rd/.

9. Where can I see the code in use?

The Login System maintains a web host at http://www.webloginproject.com/ where you will find many demonstration sites.

10. Where do I get help?

For help implementing the Login System or creating the database needed, you should post a question at Experts Exchange in Miscellaneous Web Development, PHP or ASP, and/or the appropriate database forum.  (You are allowed three topic areas for your question.)

11. I want to help.

We want your help! If you can translate the Login System into another language, or implement a version in another web development language or framework (Cold Fusion, VB.NET, C#.NET, Zend Framework), please contact the author.

12. Why should I use this Login System?

It was developed by over 16 Experts with an average rank of Genius or above and a combined point total of over 59 million Expert Points.  It is robust, secure and vetted code.  It has been placed in the public domain and will continue to be developed not only by the original experts, but by other experts long after the original experts are gone.

13. What are the key features, design philosophy, and development requirements of the Login System?

Read the next article: The EE Collaborative Login System Part Two - Design Considerations.

Contributors:

rdivilbiss     Project Lead

Alphabetically: b0lsc0tt, jason1178, jkrk, kaushal, lherrou, mark_wills, ModernMatt, mplungjan, mwvisa1, Netminder, Ray_Paseur, roonaan, RQuadling, stone5150, sunnycoder

Source: https://www.experts-exchange.com/articles/2902/A-Better-Website-Login-System-the-EE-Collaborative-Login-System.html
