"Determine user Login" is this the correct process for judging php? Querying data inventory cookies every time

Source: Internet
Author: User
I'm doing it myself. PHP checks whether a user is logged in:

Process
1 First check whether cookie('uid') exists; if not, jump out to the login check.
2 If it exists, connect to the database and query the record for that uid; if no record is found, break out of the check and clear all of the user's cookies (log them out).
3 If a record exists, check cookie('upwd') == md5($rs['pwd'] . cookie('salt')); if not equal, prompt that the password has changed and the user needs to log in again.
4 If equal, check cookie('email') == md5($rs['email']); if not equal, prompt that the e-mail address has changed and the user needs to log in again.
5 If equal, the check passes and this user is the currently logged-in user.

But!
Problem
1 Every request connects to the database. Reducing database queries is the key to optimisation for users; if every request goes to the database it really will hurt performance.
2 How to optimise this best, and is this login-check process wrong?

"Another way of thinking"
1 Store it in the session: save $uid, $uname and $lastactive (time of the last response) in the session.
2 If session('uid') && session('uname') exist, check whether time() - $lastactive > 3600; if so, connect to the database and query (the same checks as the cookie version above), otherwise use the session directly (the session storage location is the php.ini default).

Problem
1 If it is stored in the session, is it affected by high concurrency?
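The poster's second approach (session plus a database re-check once an hour), written out as an added example; this is not code from the thread. The `user` table contents, the `cred_version` column, the `status` column and the helper names are assumptions. Instead of sending md5(password) and md5(email) to the browser in cookies, the session records the credential version that was valid at login; a password change, e-mail change or ban bumps that version, so the next re-check fails and the session is dropped.

```php
<?php
// Added example, not code from the thread. Server-side session login check with a
// periodic database re-check; only the PHP session-id cookie reaches the browser.
declare(strict_types=1);

const REVALIDATE_AFTER = 3600; // seconds between database re-checks (the poster's 1 hour)

// Constructed stand-in for the `user` table (assumed columns). In a real application
// this is a prepared statement: SELECT uname, status, cred_version FROM user WHERE uid = ?
$USERS = [
    1 => ['uname' => 'alice', 'status' => 'active', 'cred_version' => 3],
    2 => ['uname' => 'bob',   'status' => 'banned', 'cred_version' => 1],
];

function fetchUser(array $users, int $uid): ?array
{
    return $users[$uid] ?? null;
}

// Called once, after the password has been verified at login. In a real request this is
// where session_regenerate_id(true) belongs (fresh id after login, against fixation) and
// $session is $_SESSION.
function establishSession(array &$session, array $users, int $uid, int $now): void
{
    $user = fetchUser($users, $uid);
    $session = [
        'uid'          => $uid,
        'uname'        => $user['uname'],
        'cred_version' => $user['cred_version'], // bumped on password/e-mail change or ban
        'lastactive'   => $now,                  // time of the last database check
    ];
}

// Returns the logged-in uid, or null when the caller must redirect to the login page.
// The database is consulted only when the last check is older than REVALIDATE_AFTER.
function currentUser(array &$session, array $users, int $now): ?int
{
    if (!isset($session['uid'], $session['cred_version'], $session['lastactive'])) {
        return null;
    }
    if ($now - $session['lastactive'] < REVALIDATE_AFTER) {
        return $session['uid']; // fresh enough: answered from the session, no query
    }
    $user = fetchUser($users, $session['uid']);
    if ($user === null
        || $user['status'] !== 'active'
        || $user['cred_version'] !== $session['cred_version']) {
        $session = []; // deleted, banned, or credentials changed: force a new login
        return null;
    }
    $session['lastactive'] = $now;
    return $session['uid'];
}

// Password or e-mail change, or an admin ban: bump the version so every session
// established before it fails its next re-check.
function bumpCredVersion(array &$users, int $uid): void
{
    $users[$uid]['cred_version']++;
}

// Walk-through with a constructed clock.
$t0 = 1700000000;
$session = [];
establishSession($session, $USERS, 1, $t0);
$first  = currentUser($session, $USERS, $t0 + 10);    // answered from the session
bumpCredVersion($USERS, 1);                            // password changed elsewhere
$second = currentUser($session, $USERS, $t0 + 20);    // still inside the cache window
$third  = currentUser($session, $USERS, $t0 + 3601);  // re-check runs and rejects the session
var_dump($first, $second, $third, $session);
```

The second call still succeeds after the password change: a stale session is honoured for at most REVALIDATE_AFTER seconds, so pick that interval to match how quickly a ban or password change has to take effect. On concurrency: PHP's default file session handler locks the session file for the duration of a request, so concurrent requests from the same user are serialised, but other users are not affected; the one database query per interval is unchanged.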


Reply to discussion (solution)

With the second scheme you worry about high concurrency.
So does the first scheme not have to deal with high concurrency?

In your first scheme the user's password and e-mail are placed in a cookie that is constantly travelling around the network; do you think that is safe?

"Database" should be read broadly.
Although file-system-based relational databases (SQL) may be slightly slower, they all provide memory-based tables.
Besides, databases have another branch: memory-based NoSQL.
So the extra overhead of a database query can be negligible.

The process for determining whether a user is logged in is:
If cookie('uid') does not exist, go to the login handling.
Otherwise, query the database to check whether this uid's last login location is the same as this one:
  the same: confirmed
  different: send a prompt and, depending on conditions, forward the request to the login handling




The MySQL database is queried every time. As for the login address, it is generally the IP.

Check the user's origin to prevent CSRF attacks.
Usually only on pages with a write action.

That's what I'm doing.
1. At user login, connect to the database to determine whether the login succeeds; on success, write the information needed for later checks (user ID, username, etc.) to the session and to cookies. The cookies are given a lifetime (e.g. 1 day to one week, chosen by the user at login). In addition I json_encode the data stored in the cookie and then encrypt it.
For example {"UID": 1, "username": "Fdipzone"} is encrypted into a reversible string.

2. When the user visits, there are several cases:
1. Check whether the session exists
2. Check whether the session exists → check whether the cookie verifies
3. Check whether the session exists → check whether the cookie verifies
4. Check whether the session exists → check whether the cookie exists → jump to the login page





Your process seems not to query the database at all, which is very economical, but it has a vulnerability:
1 If the account logs in at 11 o'clock and at 12 o'clock the account is stolen and the password is changed, he can still keep using the account, side by side with the thief.
2 Suppose the user's password has been changed; if he did not log out and log back in, he can continue to use the account.
3 More critically, it is not controllable: suppose the user logged in at 11 o'clock and at 12 o'clock the admin blocked his account; he can still keep using it unless he logs out and logs back in.







I put the Closeuser check after login, because if the earlier steps fail there is no need to call Closeuser.

Yes, there is a missing place: when the session has expired and the cookie is then written back into the session. I record the time of this operation in the DB as the user's last-online time. When the last-online time is more than 10 minutes before now, I check the Closeuser table once to determine whether the account is blocked; if it is blocked, jump to the corresponding notice page. That is, the DB is checked once every 10 minutes.
Check whether the session exists → ...

Then check once every 10 minutes.






On point 1: in fact, if a user logged in at an internet cafe or elsewhere and forgot to log out, then anyone using that device can operate his account, and even if the user goes home and changes the password it will not help, unless that session is logged out (including shutdown/restart/completely closing the browser process).






If you use the session to store the information, then when the browser is closed (including forcibly killing the browser process) the session will expire.

Let me correct that.
When the session has expired and the cookie is written back into the session: at this point the database is checked to see whether the user is banned from logging in.
The session has its own expiry time, so the database-check interval is the session lifetime.

Check whether the session exists → ... → write the cookie into the session → pass

Check whether the session exists → ... → jump to the notice page
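The remember-me flow as it stands after the correction above (no session → verify the cookie → check the database for a ban or password change → rebuild the session), as an added example rather than the poster's own code. The reversible encrypted {"UID": ..., "username": ...} cookie described earlier in the thread is replaced by a signed payload: the browser cannot alter the uid or the expiry without the server key, and a credential version in the payload means a password change invalidates the cookie as well as the session, which is what the critique's points 1 to 3 ask for. The key, the `user` table contents, the `Closeuser` array and the helper names are assumptions.

```php
<?php
// Added example, not code from the thread. Signed "remember me" cookie plus the
// database check that runs when a session is rebuilt from it.
declare(strict_types=1);

const COOKIE_KEY = 'replace-with-32-random-bytes-from-random_bytes()'; // assumed server secret
const COOKIE_TTL = 7 * 86400; // one week, the longest lifetime offered at login

// Constructed stand-ins for the `user` table and the poster's Closeuser (ban) table.
$USERS = [1 => ['uname' => 'Fdipzone', 'cred_version' => 2]];
$CLOSEUSER = [];   // uid => reason

// Payload is uid|cred_version|expiry; tag = HMAC-SHA256(key, payload). The version binds
// the cookie to the credentials that were valid when it was issued.
function issueRememberCookie(int $uid, int $credVersion, int $now): string
{
    $payload = sprintf('%d|%d|%d', $uid, $credVersion, $now + COOKIE_TTL);
    $tag = hash_hmac('sha256', $payload, COOKIE_KEY);
    return base64_encode($payload . '|' . $tag);
    // In a real response: setcookie('remember', $value, ['expires' => $now + COOKIE_TTL,
    //   'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

// Returns [uid, cred_version] or null. The tag is verified before any field is trusted.
function parseRememberCookie(string $cookie, int $now): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) return null;
    $parts = explode('|', $raw);
    if (count($parts) !== 4) return null;
    [$uid, $ver, $exp, $tag] = $parts;
    $payload = "$uid|$ver|$exp";
    // hash_equals is constant-time; a plain == comparison leaks how many tag bytes matched.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $tag)) return null;
    if (!ctype_digit($uid) || !ctype_digit($ver) || !ctype_digit($exp)) return null;
    if ((int)$exp < $now) return null;
    return [(int)$uid, (int)$ver];
}

// The corrected flow: no session -> valid cookie? -> database check -> write session.
// This is the one place the database is consulted, so a ban or password change takes
// effect no later than the next session rebuild.
function resumeFromCookie(array &$session, array $users, array $closeuser, string $cookie, int $now): ?int
{
    if (isset($session['uid'])) return $session['uid'];          // session still alive
    $parsed = parseRememberCookie($cookie, $now);
    if ($parsed === null) return null;                              // forged, tampered or expired
    [$uid, $ver] = $parsed;
    $user = $users[$uid] ?? null;
    if ($user === null || isset($closeuser[$uid])) return null;     // deleted or banned
    if ($user['cred_version'] !== $ver) return null;                // password changed since issue
    // In a real request call session_regenerate_id(true) here, then fill $_SESSION.
    $session = ['uid' => $uid, 'uname' => $user['uname'], 'lastactive' => $now];
    return $uid;
}

// Walk-through with a constructed clock.
$now = 1700000000;
$cookie = issueRememberCookie(1, $USERS[1]['cred_version'], $now);
$session = [];
$a = resumeFromCookie($session, $USERS, $CLOSEUSER, $cookie, $now + 60);   // rebuilt from cookie
$session = [];
$CLOSEUSER[1] = 'spam';                                                    // admin bans the account
$b = resumeFromCookie($session, $USERS, $CLOSEUSER, $cookie, $now + 120);  // refused: banned
$parts = explode('|', base64_decode($cookie));
$parts[2] = (string)($now + 10 * COOKIE_TTL);                              // attacker extends expiry
$tampered = base64_encode(implode('|', $parts));
$c = resumeFromCookie($session, $USERS, [], $tampered, $now + 120);        // refused: tag mismatch
var_dump($a, $b, $c);
```

Signing rather than encrypting is enough here because nothing in the payload is secret; what matters is that the server can tell its own cookies from altered ones, which the HMAC tag does. Rotating COOKIE_KEY logs every remembered browser out at once, which doubles as an emergency "invalidate all remember-me cookies" switch.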







Yes, then we execute the cookie-checking step.




If so, it seems the session no longer exists.
But it really is amazing that closing the browser expires the session.









Sessions are per browsing session, so it is normal for them to disappear when the browsing session closes.
The session is also a cookie, only with a relatively short lifetime; but compared with using cookies directly it is more secure: the client stores only a cookie holding the SessionID, everything else is kept on the server, and the session contents are read by SessionID when the user browses.

Similar to HTML5's localStorage and sessionStorage.






If the user keeps working on the page after the session timeout has been set, will it still expire?