Database in PHP for a more secure permanent login, remember my features

Source: Internet
Author: User
This article mainly introduces the database in PHP to achieve a more secure permanent login, remember my features, interested in the reference of friends, I hope to be helpful to everyone.

Permanent login refers to the mechanism of continuous validation between browser sessions. In other words, today's logged-on user is still logged on tomorrow, even if the user session between multiple accesses expires. The presence of a permanent login reduces the security of your authentication mechanism, but it increases usability. Instead of bothering the user for authentication every time they visit, it provides the option to remember the login.

According to my observation, the most common and flawed permanent login scheme is to keep the username and password in a cookie. The temptation to do this is understandable-you don't need to prompt the user for a user name and password, you simply read them from the cookie. The other parts of the verification process are exactly the same as normal logins, so this scenario is a simple scenario.

But if you do have a cookie in your username and password, turn it off immediately, and read the rest of this section to find some ideas for a more secure solution. You will also need to ask all users who use the cookie to change their passwords in the future, as their verification information is exposed.

Permanent login requires a permanent login cookie, often called a validation cookie, because cookies are the only standard mechanism used to provide stable data between multiple sessions. If the cookie provides permanent access, it poses a serious risk to the security of your app, so you need to make sure that the data you keep in the cookie can only be used for authentication for a limited period of time.

The first step is to design a method to mitigate the risk caused by the captured persistent login cookie. Although cookie capture is something you need to avoid, it is best to have a deep-guard process, especially since this mechanism reduces the security of the verification form even when everything is working properly. In this way, the cookie cannot be generated based on any information that provides a permanent login, such as a user password.

To avoid using a user's password, you can establish an identity that is valid only once for validation:

The code is as follows:

<?php$token = MD5 (Uniqid (rand (), TRUE)); >


You can save it in a user's session to associate it with a specific user, but this does not help you keep the login between multiple sessions, which is a major premise. Therefore, you must use a different method to associate this identity with a specific user.

Because the user name is less sensitive than the password, you can put it in a cookie, which can help the validator verify which user's identity is provided. However, a better approach is to use a second identity that is not easy to guess and discover. Consider adding three fields to the data table that holds the user name and password: second identity (identifier), permanent login identifier (token), and a permanent login timeout (timeout).

The code is as follows:

Mysql> DESCRIBE users;+------------+------------------+------+-----+---------+-------+| Field      | Type             | Null | Key | Default | Extra |+------------+------------------+------+-----+---------+-------+| Username   |-varchar |      | PRI |         | |       | Password   -varchar |      YES  |     | NULL    |       | | identifier | varchar |      YES  | MUL | NULL    |       | | token      | varchar |      YES  |     | NULL    |       | | timeout    | int (ten) unsigned | YES  |     | NULL    |       | +------------+------------------+------+-----+---------+-------+


By generating and saving a second ID and a permanent login ID, you can create a cookie that does not contain any user authentication information.

The code is as follows:

<?php$salt = ' Shiflett '; $identifier = MD5 ($salt. MD5 ($username. $salt)); $token = MD5 (Uniqid (rand (), TRUE)); $timeout = Time () + * * 7;setcookie (' auth ', "$identifier: $token", $timeout); >

When a user uses a permanent login cookie, you can check if it meets several criteria:

The code is as follows:

<?php/* mysql_connect () *//* mysql_select_db () */$clean = array (); $mysql = Array (); $now = time (); $salt = ' Shiflett '; Lis  T ($identifier, $token) = Explode (': ', $_cookie[' auth ')), if (Ctype_alnum ($identifier) && ctype_alnum ($token)) {  $clean [' identifier '] = $identifier; $clean [' token '] = $token;} else{/*/} $mysql [' identifier '] = mysql_real_escape_string ($clean [' identifier ']); $sql = "Select username, token, ti Meout from users WHERE identifier = ' {$mysql [' identifier ']} ' ", if ($result = mysql_query ($sql)) {if (mysq    L_num_rows ($result)) {$record = Mysql_fetch_assoc ($result); if ($clean [' token ']! = $record [' token ']) {/* Failed Login (wrong token) */} elseif ($now > $record [' Tim Eout ']) {/* Failed Login (Timeout) */} elseif ($clean [' identifier ']! = MD5 ($salt. MD5 ($record [ ' username '].    $salt)) {/* Failed login (invalid identifier) */} else {/* successful Login *}} else { /* Failed Login (Invalid identifier) */}}else{/* Error */}?> 

You should insist on restricting the use of permanent login cookies from three aspects.

1.Cookie needs to expire within a week (or less)
2.Cookie is best used only once for verification (delete or regenerate after a successful validation)
3. Limit cookies to expire within one week (or less) on the server side

If you want the user to be remembered without restriction, then simply regenerate the identity and set a new cookie after each validation, as long as the user's access to your app is greater than the expiration time.

Another useful principle is that users are required to provide a password before they can perform sensitive operations. You can only allow permanently logged-in users to access features that are not particularly sensitive in your app. It is an irreplaceable step to have the user manually authenticate before performing some sensitive operations.

Finally, you need to confirm that the user of the logout system is indeed logged out, which includes deleting the persistent login cookie:

The code is as follows:

<?phpsetcookie (' auth ', ' deleted! ', Time ());? >

In the above example, the cookie is populated with useless values and set to expire immediately. In this way, even if a user's clock is not allowed to keep the cookie valid, it will ensure that he exits effectively.

Summary : The above is the entire content of this article, I hope to be able to help you learn.

Related recommendations:

PHP through Ajax calls to connect Baidu effect to detect whether the site is connected to the function of

PHP traversal and lookup for strings

PHP interface implementation of two-dimensional code generation class

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.