What is PHP's plan for determining user login status, efficiency and security?

I compare dishes, currently using the program is

1. Save the User ID and a password in the client-side cookies (rules only I know)
2. If the program detects the cookie ID saved by the client. Go to the database to verify the password, if it is consistent return the corresponding user's login information, otherwise return false

The sense of efficiency and safety is not very good

1. Users visit each page to verify with the database again
2. Password Although the rules are very complex, but the preservation of the client still has the possibility of being cracked

Reply content:

I compare dishes, currently using the program is

1. Save the User ID and a password in the client-side cookies (rules only I know)
2. If the program detects the cookie ID saved by the client. Go to the database to verify the password, if it is consistent return the corresponding user's login information, otherwise return false

The sense of efficiency and safety is not very good

1. Users visit each page to verify with the database again
2. Password Although the rules are very complex, but the preservation of the client still has the possibility of being cracked

"The user accesses each page to verify with the database again."

1, the browser URL to access the page resources,
2, check whether the session is logged in the status, such as "No" from 3 to continue, such as "Yes" to 5
3, obtain the cookie user identification information of the browser client, if there is user information, continue 4, such as "no" or do not conform to the established principles to 6
4, to determine whether the user identity is trustworthy, such as the encryption of the string decryption, take out the string ID and password and the database in the comparison of the information match, if the match to 5, if not match 6
5, verify the login status through
6, verify that the login status does not pass

How can you read the database so often?

Split Line

General General "Remember Login" method, you can combine the ID and password into a string and salt encryption to save to the browser client. Each time and server-side authentication, then decrypt the partition to get the ID and password against the database. Such security is still possible.

For example, this is a cookie stored in the client

$data      = $id. "\ T". MD5 ($password. $slat); $slat can be a hard-coded or randomly existing user-column value $identity  = Base64_encode (Encrypt ($data, $key)),//encrypt is a self-implementing cryptographic function or method, $key The value of the user column can be either hardcoded or randomly present Setcookie ("TestUser", $identity, Time () +3600);

For example, this is to take

if (Isset ($_cookie[' testuser ')) {    $identity = $_cookie[' testuser '];    List ($id, $password) = explode ("\ T", Decrypt (Base64_decode ($identity),  $key)),//decrypt is a self-implementing decryption function or method, $key Can be hard-compiled or randomly present the value of the user column        //todo  to the database column value    //...}

Save the user information to a cookie.
User information includes: Uid,username,email,password.
Where Email,password is reversible encryption.
Each time you log in, you only need to make a reversible encryption of cookies and compare them to your database once. Log in if they are equal, otherwise perform a normal logon operation.

===============

Ps

======================

It has always been a controversial point in the industry whether cookies can hold user information.
At present, my solution is:
Cookies are stored in the mailbox, QQ number, user password, user name and other information needs to be reversible encryption.
If you have user information:

Array ("UID" =>1, "username" = "b", "Password" = "1234567", "email" = "abc@abc.com");

Then, I will store the Uid,username,password,email and other information separately with the cookie, and will username,password,email through key (key can only know and set) for reversible encryption. Every time I need to operate, I just need to $_cookie[' password ' and then restore it to the original 1234567, and then query it for matching. If the query is the same, the cookie is considered valid and if it does not match, the cookie is deleted.

Then, there are two ways to query authentication after decryption:

1. Direct connection to the database for SQL queries, which is an inefficient way to consume performance.

Select Username,uid,password from xxxx where uid= ' xxxx ', username= ' xxxxx ' LIMIT 1;

This method does not operate once and requires a SQL query, which greatly increases the performance overhead.

2. Encrypt the information from the user's first login to the cookie, copy save one copy to memcached memory, and add the identity uid_status (can pick up) to 1 (login status), each user has a unique uid_status, and set to long-term effect.

The process of determining whether to log in is more efficient and faster.

After decrypting the information in the cookie, check the status of Uid_status, if it is 1, directly determine that the user is logged in, do not delete cookies information. If 0, non-login, the user information in the cookies and memcached will be matched. Matches include: Password,uid,username. If one of these is incorrect, delete the cookie and update the Uid_status status.

The above is I determine whether the user login process.

========

P.s

===========

discuz! Series is the use of cookies encrypted directly query the database for the effective evaluation of cookies.

The Uc_home core code is:

 Query ("SELECT * from". Tname (' Session '). " WHERE uid= ' $_sglobal[supe_uid] '); if ($member = $_sglobal[' db ']->fetch_array ($query)) {if ($member [' password '] = = $ Password) {$_sglobal[' supe_username '] = addslashes ($member [' username ']); $_sglobal[' session '] = $member;} else {$_ sglobal[' supe_uid '] = 0;}} else {$query = $_sglobal[' db ']->query ("select * from". Tname (' member '). " WHERE uid= ' $_sglobal[supe_uid] '); if ($member = $_sglobal[' db ']->fetch_array ($query)) {if ($member [' password '] = = $ Password) {$_sglobal[' supe_username '] = addslashes ($member [' username ']); $session = Array (' uid ' = = $_sglobal[' Supe_ UID '], ' username ' = ' $_sglobal[' supe_username '], ' password ' and $password); Include_once (S_root. /source/function_space.php '); insertsession ($session);//login} else {$_sglobal[' supe_uid '] = 0;}} else {$_sglobal[' supe_uid '] = 0;}}} if (Empty ($_sglobal[' Supe_uid ')) {ClearCookie ();} else {$_sglobal[' username '] = $member [' username '];if ($_sglobal[') Connect ']) {Cloud_token ();}}}? >

How can I save a password in a cookie?

Your approach is ready, but there are a few suggestions:
1. The client can save two kinds of data, one is the original data (such as user_id), one is the signature of all the original data (what you say add password)
2. The preservation of the original data can be seen in specific cases to save the original string or the reversible encryption algorithm after the encrypted string
3. The algorithm for the signature of all the original data, preferably irreversible
4. The server side only obtains the original data, recalculates the signature, for example and the cookie the signature is consistent.

The simplest cookie looks like:
A=uid=123&sign=xxxxxxxx

Cookie Generation Method:
Sign = MD5 (Secure_key + UID);
Cookie = ' uid= ' + uid + ' &sign= ' + sign
Secure_key is a private string, no one can tell OH.

How to check cookies:
After obtaining the UID and sign
Sign = = MD5 (Secure_key + UID)

Of course, if you feel that MD5 is unreliable, you can choose a better algorithm.

Generally this is not with the $_session variable, cookies must not save the password amount. I generally use this, with $_session to save the login status, with $_cookies to save a user ID or something.

Just store the UID line in the session?

Each page determines if a UID exists, and the UID is added to the session only on the login page, and the session is emptied when it is logged out.

