Experience, about SESSION storage user verification information

Source: Internet
Author: User
Based on your search experience, it is not advisable to store the password in the session after the user logs on. I also agree with this opinion.

If the current website is successfully logged on, two variables will be stored in the session: userid and username. For some special reasons, the project requires that the user password be verified on each page, so how can we make the comparison? I can fetch this user's password from the database, but there is no password in the session, so how can I compare and verify it?

I think the password information would have to be stored in the session, but how can that be kept secure? Sorry if the description is confusing.

Reply content:

A random token is generated and stored in both the session and the database. The token is what gets compared and verified on each request.

The token is updated from time to time.

  1. First, do not store passwords in the database. Generally, only the ciphertext after hashing is stored;
  2. Second, the user information in the session is usually written after the user logs on successfully. The session expiration time indicates that the user is valid within the specified time. I don't quite understand why every page needs to verify the password; doing it this way would be very annoying for the user;
  3. Even if the password needs to be verified on each page, do not place the password in the session. You can compare the password hash ciphertext submitted by the user with the hash ciphertext retained in the database;
  4. It is strongly recommended that the client hash the userid, page URL and submission time to generate a unique token; the server then hashes the userid from the session, the URL of the page and the submission time to generate its own unique token, and compares and verifies the two tokens;
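The first two replies above (a random token kept in both the session and the database, rotated from time to time, and a per-page check that never touches the password) sketched as an added example; this is not code from the original post or its authors. It assumes a constructed in-memory dict standing in for the database, PBKDF2 for the password hash and a 900-second rotation window:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database": holds a password hash (never the password) and the session token.
SALT = b"constructed-demo-salt"
ITERATIONS = 50_000
USERS = {
    1003: {"username": "brucelee",
           "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
           "token": None, "token_issued": 0.0},
}
TOKEN_TTL = 900  # seconds; a token older than this is replaced on the next request

def _issue_token(userid, now):
    token = secrets.token_hex(32)  # random, so it reveals nothing about the password
    USERS[userid].update(token=token, token_issued=now)
    return token

def login(session, username, password, now=None):
    """Verify the password once; store userid, username and the token in the session."""
    now = time.time() if now is None else now
    for userid, row in USERS.items():
        if row["username"] != username:
            continue
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
        if hmac.compare_digest(candidate, row["pw_hash"]):
            session.clear()  # fresh session on login, so no pre-login session state is reused
            session.update(userid=userid, username=username, token=_issue_token(userid, now))
            return True
    return False

def verify_request(session, now=None):
    """Per-page check: the session token must equal the one stored server-side."""
    now = time.time() if now is None else now
    row = USERS.get(session.get("userid"))
    if row is None or row["token"] is None or "token" not in session:
        return False
    if not hmac.compare_digest(session["token"], row["token"]):
        return False  # mismatch: forged, stale, or the user logged out elsewhere
    if now - row["token_issued"] > TOKEN_TTL:
        session["token"] = _issue_token(session["userid"], now)  # rotate; session stays valid
    return True

def logout(session):
    """Clearing the server-side token invalidates every copy of this session."""
    if session.get("userid") in USERS:
        USERS[session["userid"]]["token"] = None
    session.clear()
```

Because one token per user lives in the database, a second login for the same user replaces the token and logs the first session out; that is a property of this scheme worth deciding on deliberately.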

Different users are assigned different sessionids when accessing the website. When the browser is closed and opened again, a different sessionid is assigned. The SESSION is tied to the user. In other words, you only need to check whether the userid exists in the SESSION: the presence of SESSION['userid'] indicates a verified user, because the userid is written into the SESSION only after verification has passed.

The password only needs to be entered again for operations that require it. It is not stored in the SESSION, and it does not need to be; nor does it need to be queried from the database and compared every time.

I have to say that you have a wonderful demand.

What should I do if I need to verify the user password on every page? HTTP is a stateless protocol that cannot maintain state between transactions (when the same user accesses two pages, the two requests are considered unrelated).

Cookies (client side) and sessions (server side) are mainly used to solve the association between such transactions, that is, to form a "session".

Generally, the user's password is verified on one page (such as the login page), the session is then marked as "verified", and other pages can check that "verified" mark.

So you said, "for some special reasons, each page is required to verify the user password once." I don't know why. If it is convenient, can you disclose it? Or perhaps refine your requirements?

    // After login, $_SESSION['user']['islogin'] = 1;
    $_SESSION = [
        'user' => [
            'userid'   => 1003,
            'username' => 'brucelee',
            'islogin'  => 1, // 1: the password has been verified and the user is logged in; 0: not logged in.
        ],
        'others' => [...],
    ];

    // On other pages
    if ($_SESSION['user']['islogin']) {
        // do something ...
    } else {
        // go to login ...
    }
