A complete and secure PHP user logon system

When using PHP programming, I have a habit of using off-the-shelf library files, such as PHPLib or other similar libraries. in this system, I also plan to write a library file by myself. it needs to handle authentication, confirmation email, and account updating (password, email. To keep programming in PHP, I have a habit of using off-the-shelf library files, such as PHPLib or other similar libraries. in this system, I also plan to write a library file by myself. it needs to handle authentication, confirmation email, and account updating (password, email.

To ensure the security of the system, it does not burden my existing database. Therefore, this new system depends on cookies. this is indeed a dilemma, because it is not safe to set a cookie for a user name, which does not work, but from the burden of the database, I cannot add a simple unordered code and submit it to my database for verification.

The solution is to set two cookies at the same time. one is the cookie of the user name and the other is the cookie of the unordered code. this unordered code is actually generated by a combination of the user name and a Super Password (only known to the program designer) through md5 () function. Because md5 () is a one-way unordered code, it cannot be cracked. When the user changes the email, I can also use this email and the Super Password to generate an unordered code so that the user can confirm the modification. This is actually a public/private key system. Do not understand? It doesn't matter. let's explain it later.

Interestingly, the scalability of this system can be infinite, because the main task of this system is to calculate the md5 () function value, which is completed by the web server. when the load increases, you can add other servers to share the load. Although the authentication system will not drag across one database, this will make the final bottleneck only appear in the database.

The following are two functions in the database: the Mark generation function and the Mark authentication function.

<? Php

$ Hidden_hash_var = 'Your _ secret_password_here ';

$ LOGGED_IN = false;
　　　
Unset ($ LOGGED_IN );

Function user_isloggedin (){
　　　
Global $ user_name, $ id_hash, $ hidden_hash_var, $ LOGGED_IN;
　
File: // Has the unordered code been detected?

File: // If yes, the variable is returned.

If (isset ($ LOGGED_IN )){

Return $ LOGGED_IN;

}

File: // are both cookies present?

If ($ user_name & $ id_hash ){

/*
　
The user name and System Super Password in cookies generate an unordered authentication code. if the unordered code is the same as the unordered code in the cookie, the variables in the cookies are trusted and the user has logged on

*/

$ Hash = md5 ($ user_name. $ hidden_hash_var );

If ($ hash = $ id_hash ){

File: // The unordered code matches. set a global variable so that when we call this function again,

File: // You do not need to perform the md5 () operation again.

$ LOGGED_IN = true;

Return true;

} Else {

File: // The two unordered codes do not match and are not logged on

$ LOGGED_IN = false;

Return false;

}

} Else {

$ LOGGED_IN = false;

Return false;

}

}

Function user_set_tokens ($ user_name_in ){

/*

This function is called once the user name and password are verified.

*/

Global $ hidden_hash_var, $ user_name, $ id_hash;

If (! $ User_name_in ){

$ Feedback. = 'Error-User Name Missing When Setting tokens ';

Return false;

}

$ User_name = strtolower ($ user_name_in );

File: // Create an unordered code using the user name and Super Password to determine whether the user has logged on

$ Id_hash = md5 ($ user_name. $ hidden_hash_var );

File: // Set the cookie validity period to one month, which can be set to any value.

Setcookie ('User _ name', $ user_name, (time () + 2592000), '/', '', 0 );

Setcookie ('id _ hash', $ id_hash, (time () + 2592000), '/', ', 0 );

}

?>