aayushrai074/Secure-Student-Login-System-with-Security-Analysis
GitHub: aayushrai074/Secure-Student-Login-System-with-Security-Analysis
A secure student login system built for teaching demonstrations, using layered defences against common web vulnerability attacks.
Stars: 0 | Forks: 0
# Secure Student Login System
A research prototype demonstrating layered authentication security controls that protect a student information system against common web vulnerabilities (SQL injection, XSS, brute force, CSRF, session hijacking).
**Author:** Aayush Kumar Rai
**Project:** BSc (Hons) Computing – final year project
**Institution:** De Montfort University
## Table of Contents
- [Features](#features)
- [Technology Stack](#technology-stack)
- [Installation](#installation)
- [Database Setup](#database-setup)
- [Usage](#usage)
- [Security Controls Implemented](#security-controls-implemented)
- [Testing](#testing)
- [Limitations](#limitations)
- [Future Work](#future-work)
- [License](#license)
## Features
- **User registration** – requires an email address, a username and a strong password.
- **Secure login** – bcrypt password verification with a cap on failed attempts.
- **Account lockout** – 5 failed logins trigger a 15-minute lockout.
- **CSRF protection** – a token is embedded in every form.
- **Secure sessions** – HttpOnly and SameSite=Strict cookie flags.
- **XSS protection** – user-supplied data is escaped with `htmlspecialchars()`.
- **SQL injection protection** – parameterized queries via PDO.
- **Audit logging** – every authentication attempt (success and failure) is recorded.
## Technology Stack
- **Backend:** PHP 8.2
- **Database:** MySQL / MariaDB
- **Web server:** Apache (XAMPP)
- **Frontend:** HTML5, CSS3
- **Password hashing:** bcrypt (cost factor 10)
- **Development environment:** XAMPP 3.3+, VS Code
## Installation
### Prerequisites
- XAMPP (or any Apache + PHP + MySQL bundle)
- PHP 8.2 or later
- MySQL 5.7 or later
- Git (optional)
### Steps
1. **Clone the repository**
`git clone https://github.com/yourusername/secure-student-login.git`
2. **Move it into XAMPP's htdocs folder**
- Windows (default): `C:\xampp\htdocs\secure-student-login`
- Mac (MAMP): `/Applications/MAMP/htdocs/secure-student-login`
3. **Start the XAMPP services** – Apache and MySQL.
4. **Import the database** (see [Database Setup](#database-setup)).
5. **Open the application** – in a browser, visit:
`http://localhost/secure-student-login/`
## Database Setup
1. Open **phpMyAdmin** at `http://localhost/phpmyadmin`.
2. Create a new database named `secure_login_db` (collation: `utf8mb4_general_ci`).
3. Run the following SQL to create the required tables:
```sql
-- Users table
CREATE TABLE IF NOT EXISTS users (
id INT AUTO_INCREMENT PRIMARY KEY,
email VARCHAR(255) UNIQUE NOT NULL,
username VARCHAR(100) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_login TIMESTAMP NULL,
last_login_ip VARCHAR(45) NULL,
failed_attempts INT DEFAULT 0,
locked_until TIMESTAMP NULL,
is_active BOOLEAN DEFAULT TRUE
);
-- Authentication logs table
CREATE TABLE IF NOT EXISTS auth_logs (
id INT AUTO_INCREMENT PRIMARY KEY,
user_id INT NULL,
attempt_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
success_flag BOOLEAN NOT NULL,
ip_address VARCHAR(45) NOT NULL,
user_agent TEXT NULL,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL
);
-- Password resets table (for future implementation)
CREATE TABLE IF NOT EXISTS password_resets (
id INT AUTO_INCREMENT PRIMARY KEY,
email VARCHAR(255) NOT NULL,
token VARCHAR(255) NOT NULL,
expires_at TIMESTAMP NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
```
4. Update the database connection in `config/database.php` with your credentials (XAMPP default: username `root`, empty password).
## Usage
- **Landing page** – `http://localhost/secure-student-login/` – gives an overview of the system and links to registration and login.
- **Register** – create a new account. The password must be at least 8 characters long and contain an uppercase letter, a lowercase letter, a digit and a special character.
- **Login** – after registering, log in with your credentials. After 5 failed attempts the account is locked for 15 minutes.
- **Dashboard** – after a successful login you can see your profile, security badges and your recent authentication log entries.
- **Logout** – terminates the session and redirects to the login page.
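As an added example (not code from the project), here is how the registration rules above can be enforced in PHP 8.2 against the `users` table from Database Setup: the password policy check, bcrypt hashing at cost 10 via `password_hash()`, and a PDO prepared INSERT whose duplicate-key failure is mapped to one generic message. The function names, the username rule and the DSN in the usage comment are assumptions made for this example; the project keeps its own connection settings in `config/database.php`.

```php
<?php
// Added example, not the project's code. Assumes the `users` table from Database Setup and
// a PDO connection in exception mode; the username rule below is an assumption of this example.
declare(strict_types=1);

/** Returns the list of policy requirements the password fails; an empty array means it passes. */
function validatePassword(string $password): array
{
    $errors = [];
    if (strlen($password) < 8) {
        $errors[] = 'at least 8 characters';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $errors[] = 'an uppercase letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $errors[] = 'a lowercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $errors[] = 'a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $errors[] = 'a special character';
    }
    return $errors;
}

/** Creates the account; returns 'ok' or a message safe to show to the user. */
function registerUser(PDO $db, string $email, string $username, string $password): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address.';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,100}$/', $username)) {
        return 'Username must be 3-100 characters: letters, digits or underscore.';
    }
    $missing = validatePassword($password);
    if ($missing !== []) {
        return 'Password needs ' . implode(', ', $missing) . '.';
    }

    // bcrypt at cost 10; password_hash() generates a random salt and stores it inside the hash.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

    try {
        $stmt = $db->prepare(
            'INSERT INTO users (email, username, password_hash) VALUES (:email, :username, :hash)'
        );
        $stmt->execute([':email' => $email, ':username' => $username, ':hash' => $hash]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: the UNIQUE index on email or
        // username rejected a duplicate. One generic message avoids telling an attacker
        // which of the two values is already registered.
        if ((string) $e->getCode() === '23000') {
            return 'An account with that email or username already exists.';
        }
        throw $e;
    }
    return 'ok';
}

// Usage with the XAMPP defaults named on this page (root, empty password):
// $db = new PDO('mysql:host=127.0.0.1;dbname=secure_login_db;charset=utf8mb4', 'root', '',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// echo registerUser($db, 'alice@example.com', 'alice', 'Str0ng!Pass');  // 'ok' on first run
```

`ATTR_EMULATE_PREPARES => false` makes PDO send real server-side prepared statements to MySQL, so parameter values never pass through client-side string interpolation; the same option should be set for every query in the application, not only the registration INSERT.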
## Security Controls Implemented
- **bcrypt hashing** – passwords are hashed with bcrypt at cost factor 10; the per-password salt is generated automatically and stored inside the hash string.
- **Parameterized queries (PDO)** – every database query is a prepared statement with bound parameters, so user input is never interpreted as SQL. This holds only as long as every query binds its inputs; a single concatenated query anywhere would reintroduce the risk.
- **Failed-attempt limiting** – after 5 failed login attempts the account is locked for 15 minutes. This is a per-account lockout rather than per-client rate limiting: it caps online guessing against one username, but does not slow credential stuffing spread across many usernames, and anyone who knows a username can lock its owner out.
- **CSRF tokens** – every form carries a unique token; requests with a missing or invalid token are rejected.
- **Secure session cookies** – the session cookie is marked HttpOnly (not readable from JavaScript, so a successful XSS cannot simply read it) and SameSite=Strict (not sent on cross-site requests, which blocks CSRF from other origins in browsers that honour the attribute). Without HTTPS the Secure flag cannot be used, which is listed under Limitations.
- **Session regeneration** – after a successful login the session ID is regenerated, so a session ID planted before authentication (session fixation) is never promoted to an authenticated session.
- **Output escaping** – user-supplied values are passed through `htmlspecialchars()` before they are rendered, which prevents reflected and stored XSS in HTML body and attribute context; it must be called with `ENT_QUOTES` and the page charset, and does not protect values placed inside JavaScript or URLs.
- **Audit logging** – every authentication attempt, successful or failed, is logged with user ID, timestamp, IP address and user agent.
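The following is an added example, not the project's own code, showing one way the controls in this list (and the matching items under Features) fit together in a single PHP login handler: session cookie flags, CSRF token issue and check, a PDO prepared lookup, bcrypt verification, the 5-attempt/15-minute lockout, session ID regeneration and an `auth_logs` row for every attempt. Table and column names come from the schema in Database Setup; the DSN, the POST field names and all function and constant names are assumptions. Two details go beyond what the page states: a constant-time token comparison via `hash_equals()`, and a dummy `password_verify()` for unknown usernames so that response time does not reveal which accounts exist.

```php
<?php
// Added example, not the project's own code: a login handler that wires the controls listed
// above to the `users` and `auth_logs` tables from Database Setup. Table and column names follow
// that schema; the DSN, the POST field names and every function name here are assumptions.
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MINUTES = 15;

function startSecureSession(): void
{
    // HttpOnly + SameSite=Strict as on the page; Secure only when the request really used TLS.
    session_set_cookie_params([
        'path' => '/', 'httponly' => true, 'samesite' => 'Strict',
        'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit token from the CSPRNG
    }
}

function csrfField(): string
{
    // Hidden input for every form; escaping at output time with ENT_QUOTES is the XSS control.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') . '">';
}

function csrfTokenValid(mixed $submitted): bool
{
    // hash_equals() is constant-time: a wrong token leaks nothing about the right one.
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function logAttempt(PDO $db, ?int $userId, bool $success): void
{
    $db->prepare('INSERT INTO auth_logs (user_id, success_flag, ip_address, user_agent)
                  VALUES (:uid, :ok, :ip, :ua)')
       ->execute([':uid' => $userId, ':ok' => (int) $success,
                  ':ip' => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
                  ':ua' => $_SERVER['HTTP_USER_AGENT'] ?? null]);
}

function login(PDO $db, string $username, string $password): string
{
    $stmt = $db->prepare('SELECT id, password_hash, failed_attempts, locked_until, is_active
                          FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]); // bound value: ' OR '1'='1 stays an ordinary string
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !$user['is_active']) {
        // Verify against a throwaway hash so unknown usernames cost as much time as wrong passwords.
        static $dummyHash = null;
        $dummyHash ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_BCRYPT, ['cost' => 10]);
        password_verify($password, $dummyHash);
        logAttempt($db, null, false);
        return 'Invalid username or password.';
    }
    $userId = (int) $user['id'];

    $lockActive  = $user['locked_until'] !== null && strtotime($user['locked_until']) > time();
    $lockExpired = $user['locked_until'] !== null && !$lockActive;
    if ($lockActive) {
        logAttempt($db, $userId, false);
        return 'Account is locked. Try again later.';
    }

    if (!password_verify($password, $user['password_hash'])) {
        // The counter restarts after an expired lockout, so one stray failure cannot re-lock.
        $attempts  = ($lockExpired ? 0 : (int) $user['failed_attempts']) + 1;
        $lockUntil = $attempts >= MAX_FAILED_ATTEMPTS
            ? date('Y-m-d H:i:s', time() + LOCKOUT_MINUTES * 60) // assumes PHP and MySQL agree on timezone
            : null;
        $db->prepare('UPDATE users SET failed_attempts = :n, locked_until = :until WHERE id = :id')
           ->execute([':n' => $attempts, ':until' => $lockUntil, ':id' => $userId]);
        logAttempt($db, $userId, false);
        return 'Invalid username or password.';
    }

    // Success: clear the counter, record login metadata, then regenerate the session ID so a
    // session planted before authentication (fixation) is never promoted to a logged-in one.
    $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL, last_login = NOW(),
                  last_login_ip = :ip WHERE id = :id')
       ->execute([':ip' => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', ':id' => $userId]);
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    logAttempt($db, $userId, true);
    return 'ok';
}

// Request flow for the login form (assumed POST fields username, password, csrf_token):
// startSecureSession();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     if (!csrfTokenValid($_POST['csrf_token'] ?? null)) { http_response_code(403); exit('Bad CSRF token'); }
//     $db = new PDO('mysql:host=127.0.0.1;dbname=secure_login_db;charset=utf8mb4', 'root', '',
//                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
//     echo htmlspecialchars(login($db, $_POST['username'] ?? '', $_POST['password'] ?? ''), ENT_QUOTES, 'UTF-8');
// }
```

`session_regenerate_id(true)` runs only after the password check passes, and the CSRF token already in the session survives it because only the ID changes, not the session data. The same generic "Invalid username or password." is returned for unknown users, wrong passwords and inactive accounts so the form itself does not enumerate accounts; the lock message is the one deliberate exception, since the user needs to know to wait.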
## Testing
The system was verified with 22 manual test cases covering:
- User registration (valid/invalid inputs, duplicate accounts)
- Secure login (correct/wrong passwords, account lockout)
- Session management (session cookie flags, logout, regeneration)
- CSRF protection (tampered token rejection)
- SQL injection prevention (payloads such as `' OR '1'='1`)
- XSS prevention (script payload rendered as plain text)
All 22 tests passed.
Note: automated scanning tools (OWASP ZAP, SQLMap) were not run due to time constraints; this is listed as a limitation.
## Limitations
- **Local testing only** – the system has not been deployed to Azure or any live server.
- **No HTTPS** – on a real network, credentials and session cookies would travel in clear text and could be captured or replayed.
- **No two-factor authentication (2FA)** – a feature present in related work (Ullah & Iqbal, 2022).
- **No automated vulnerability scanning** – OWASP ZAP, SQLMap and Burp Suite were not used.
- **No usability testing with real students** – the claim of educational suitability is unvalidated.
- **No shoulder-surfing protection** – credentials are typed in directly (unlike Ranjan & Kumar, 2016).
## Future Work
- Deploy to Azure App Service (PHP 8.2 on Linux) with Azure Database for MySQL.
- Enable HTTPS with TLS 1.2 or later, and set the Secure flag on the session cookie once it is in place.
- Implement TOTP-based two-factor authentication.
- Run automated scans with OWASP ZAP and SQLMap.
- Conduct usability testing with real students to measure satisfaction and performance.
- Add shoulder-surfing protection (e.g. encoded credential entry).
- Implement continuous authentication using keystroke dynamics (Zamfiroiu et al., 2020).
## License
This project was produced for academic purposes as a BSc final year project. You may use the code for reference or educational purposes.
## Contact
Aayush Kumar Rai – p2837447@my365.dmu.ac.uk
GitHub: https://github.com/aayushrai074
Tags: Apache, bcrypt, CISA project, CSRF defence, CSS3, ffuf, HTML5, HttpOnly, MariaDB, OpenVAS, PHP, SameSite, SQL injection defence, web security, XAMPP, XSS defence, XXE attack, session hijacking defence, session management, parameterized queries, student information system, security education, secure login system, audit logging, password hashing, brute-force defence, final year project, blue team analysis, account lockout, input filtering