App and PHP back-end interface login verification and authentication (session and token)

Source: Internet
Author: User

Briefly: with the continuous development of e-commerce, apps are everywhere, and with advances in technology the main login forms are third-party platform login (QQ and the like) and account/password. This post shares some thoughts and practices on "app and PHP back-end interface login verification and authentication", in the hope of helping confused colleagues; if anything is wrong, or you have better suggestions, please let me know. *~*!

1. Login mechanism

Rough analysis: login can be divided into three stages (login verification, login continuation, sign out). Login verification means the client presents an account/password (or the OpenID/UnionID obtained from a third-party platform such as QQ) to the server in a login request; the server handles the request, decides whether the login succeeds and returns the corresponding data. Login continuation means that, after the client has logged in, the server keeps recognising that client as logged in and keeps granting it access. Sign out means the client leaves the logged-in state. In the scenario described here, after a successful login the server assigns the client a SessionID and a token; every subsequent request for resources carries the SessionID, which the server verifies, and when the SessionID has expired the client uses the token to obtain a new SessionID and then fetches the resources.

(Simple illustration)

1.1 Login status: SessionID

Login status refers to the client's login situation (logged in or not logged in). The simple login process is as follows:

    • The client sends a first login request to the server without transmitting the user name or password.
    • The server generates an RSA key pair, keeps the private key and sends the public key to the client.
    • After receiving the public key, the client encrypts the user's password with it and sends a second login request carrying the user name and the encrypted password.
    • The server decrypts the ciphertext with the reserved private key to recover the real password and verifies it.

After the login succeeds, the server allocates a SessionID in its session store to record the client's access status. Note that the RSA step only protects the password if the client can trust the public key it received: on a plain HTTP channel an attacker in the path can hand the app their own public key, so the exchange should run over HTTPS regardless.
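The four steps above, simulated end to end in one PHP script, as an added example that is not part of the original post. The app side and the server side are plain functions here; in a real deployment the server state would live in $_SESSION or a cache keyed to the pre-login cookie. Function names such as serverIssuePublicKey() and appEncryptPassword(), the 120-second key lifetime and the user record are all invented for the illustration, and the script assumes the PHP OpenSSL extension is loaded.

```php
<?php
// Added example: two-request login with an RSA-protected password, both sides in one script.
// Names, lifetimes and the user record below are constructed for illustration.
declare(strict_types=1);

// Constructed user store: the value is a password_hash() of "correct horse".
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Per-client server state (would be $_SESSION or a cache in a real back end).
$serverState = [];

// Request 1: the app asks to log in but sends no credentials; the server answers with a public key.
function serverIssuePublicKey(array &$state): string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    if ($key === false) {
        throw new RuntimeException('RSA key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $privatePem);        // private key never leaves the server
    $state['private_key']   = $privatePem;
    $state['key_issued_at'] = time();
    return openssl_pkey_get_details($key)['key'];  // PEM-encoded public key for the app
}

// App side: encrypt the password with the received public key (OAEP padding, not PKCS#1 v1.5).
function appEncryptPassword(string $publicPem, string $password): string
{
    if (!openssl_public_encrypt($password, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);
}

// Request 2: the server decrypts with the reserved private key, checks the password,
// and on success allocates a SessionID. Returns null on any failure.
function serverLogin(array &$state, array $users, string $username, string $encB64): ?string
{
    // A key must have been issued to this client, and recently (assumed 120 s window).
    if (!isset($state['private_key']) || time() - $state['key_issued_at'] > 120) {
        return null;
    }
    $cipher = base64_decode($encB64, true);
    if ($cipher === false ||
        !openssl_private_decrypt($cipher, $plain, $state['private_key'], OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    unset($state['private_key']);  // one key pair per login attempt
    if (!isset($users[$username]) || !password_verify($plain, $users[$username])) {
        return null;
    }
    // Login succeeded: fresh, unpredictable SessionID from a CSPRNG.
    $sessionId = bin2hex(random_bytes(32));
    $state['sessions'][$sessionId] = ['user' => $username, 'expires' => time() + 1800];
    return $sessionId;
}

// Walk through the exchange.
$publicPem = serverIssuePublicKey($serverState);
$encrypted = appEncryptPassword($publicPem, 'correct horse');
$sessionId = serverLogin($serverState, $users, 'alice', $encrypted);
echo $sessionId === null ? "login failed\n" : "login ok, SessionID {$sessionId}\n";

// A wrong password, or a reused key pair, is rejected.
$publicPem = serverIssuePublicKey($serverState);
echo serverLogin($serverState, $users, 'alice', appEncryptPassword($publicPem, 'wrong')) === null
    ? "wrong password rejected\n" : "unexpected success\n";
```

The server verifies against a password_hash() value rather than a plaintext copy, and a key pair is used for exactly one attempt, so a captured ciphertext cannot be replayed against a later login.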

1.2 Authentication Token

A token is a credential whose key property is randomness: it must be unpredictable. From the process above, relying on a single SessionID alone to determine both the user's login state and identity is undesirable, so a token is used for identity verification as well. The token's lifetime should be longer than the SessionID's, because once the SessionID has expired the token can be used to maintain the login state.

2. User login

2.1 Login Verification

App login methods, as mentioned at the start, are the mainstream ones: third-party platform login (QQ and the like) and account/password. For account/password login the verification is a match of the submitted credentials against the stored data; on a successful match the server returns a unique SessionID and token, so that the user's credentials themselves need not be sent again. Again, it is recommended that the token outlive the SessionID, because once the SessionID has expired the login state can be maintained via the token.

2.2 Login continuation

The SessionID records the client's login state and is kept in the server-side session. Naturally, once the session passes its lifetime it becomes invalid; the client then presents the token to obtain a new SessionID, which keeps the login state continuous.

2.3 Sign Out

The SessionID is written off (invalidated on the server). If the token is left valid it could still be exchanged for a new SessionID, so sign out should revoke the token as well.
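The following PHP sketch is an added example (not from the original post) that ties sections 1.2, 2.2 and 2.3 together: issuing a random token alongside the SessionID, exchanging a still-valid token for a new SessionID once the session has expired, and revoking both on sign out. The 30-minute session and 14-day token lifetimes, the in-memory stores and all function names are assumptions made for the illustration; a real back end would keep the stores in Redis or MySQL.

```php
<?php
// Added example: SessionID/token lifecycle (issue, verify, refresh, sign out).
// Lifetimes, store layout and names are constructed for illustration.
declare(strict_types=1);

const SESSION_TTL = 1800;        // 30 minutes (assumed)
const TOKEN_TTL   = 14 * 86400;  // 14 days (assumed), longer than the session as the post recommends

// Server-side stores, in memory for this example.
// Only the SHA-256 of each token is stored, so a leaked store cannot be replayed as tokens.
$sessions = [];  // sessionId      => ['user' => ..., 'expires' => ...]
$tokens   = [];  // sha256(token)  => ['user' => ..., 'expires' => ...]

function newSession(array &$sessions, string $user, int $now): string
{
    $sid = bin2hex(random_bytes(32));  // CSPRNG: random and unpredictable
    $sessions[$sid] = ['user' => $user, 'expires' => $now + SESSION_TTL];
    return $sid;
}

function newToken(array &$tokens, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + TOKEN_TTL];
    return $token;  // the raw token goes to the app once and is never stored
}

// 2.1 After the password has been verified: hand out both credentials.
function issueCredentials(array &$sessions, array &$tokens, string $user, int $now): array
{
    return ['session_id' => newSession($sessions, $user, $now),
            'token'      => newToken($tokens, $user, $now)];
}

// Every resource request: the SessionID decides the login state. Returns the user or null.
function authenticateRequest(array &$sessions, string $sid, int $now): ?string
{
    if (!isset($sessions[$sid])) {
        return null;
    }
    if ($sessions[$sid]['expires'] <= $now) {
        unset($sessions[$sid]);  // expired: drop it
        return null;
    }
    return $sessions[$sid]['user'];
}

// 2.2 Login continuation: a valid token yields a new SessionID. Returns null if the token is unknown or expired.
function refreshSession(array &$sessions, array &$tokens, string $token, int $now): ?string
{
    $h = hash('sha256', $token);
    if (!isset($tokens[$h])) {
        return null;
    }
    if ($tokens[$h]['expires'] <= $now) {
        unset($tokens[$h]);
        return null;
    }
    return newSession($sessions, $tokens[$h]['user'], $now);
}

// 2.3 Sign out: write off the SessionID AND the token; a surviving token could re-create the login.
function logout(array &$sessions, array &$tokens, string $sid, string $token): void
{
    unset($sessions[$sid], $tokens[hash('sha256', $token)]);
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: {$what}");
    }
    echo "ok: {$what}\n";
}

// Timeline walk-through with a fixed clock so the example is deterministic.
$t0    = 1_700_000_000;
$creds = issueCredentials($sessions, $tokens, 'alice', $t0);
expect(authenticateRequest($sessions, $creds['session_id'], $t0) === 'alice', 'fresh session accepted');
expect(authenticateRequest($sessions, $creds['session_id'], $t0 + 1860) === null, 'session expired after 31 min');
$sid2 = refreshSession($sessions, $tokens, $creds['token'], $t0 + 1860);
expect($sid2 !== null && authenticateRequest($sessions, $sid2, $t0 + 1860) === 'alice', 'token re-acquired a session');
expect(refreshSession($sessions, $tokens, 'not-a-real-token', $t0) === null, 'unknown token refused');
logout($sessions, $tokens, $sid2, $creds['token']);
expect(authenticateRequest($sessions, $sid2, $t0 + 1860) === null, 'session gone after logout');
expect(refreshSession($sessions, $tokens, $creds['token'], $t0 + 1860) === null, 'token gone after logout');
```

Keeping only the token hash server-side costs nothing on the hot path (one hash per refresh) and means a database dump does not hand an attacker usable tokens; the lookup by exact hash also avoids any length- or prefix-dependent comparison of the secret itself.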

Non-moving Peaks

Source: http://www.cnblogs.com/mylly/

All rights reserved, welcome to keep the original link to reprint:)

