What is the efficiency and security solution for PHP to determine the user login status?

I am comparing dishes. The current solution is 1. Save the user ID and a password in the COOKIES on the client (only I know the Rules) 2. If the program detects the COOKIESID saved on the client. Verify and add a password to the database. If the password is the same, the login information of the corresponding user will be returned. Otherwise, the system will return "FAL...". The current solution is:

1. Save the user ID and password in the COOKIES on the client (only I know the Rules)
2. If the program detects the cookie ID stored on the client. Verify and add a password to the database. If the password is the same, the logon information of the corresponding user is returned. Otherwise, FALSE is returned.

I feel that efficiency and security are not very good.

1. Verify the access to each page with the database
2. Although the rules for adding passwords are complex, there is still a possibility of password cracking stored on the client.

Reply content:

I am comparing dishes. The current solution is

1. Save the user ID and password in the COOKIES on the client (only I know the Rules)
2. If the program detects the cookie ID stored on the client. Verify and add a password to the database. If the password is the same, the logon information of the corresponding user is returned. Otherwise, FALSE is returned.

I feel that efficiency and security are not very good.

1. Verify the access to each page with the database
2. Although the rules for adding passwords are complex, there is still a possibility of password cracking stored on the client.

"The user needs to verify the access to every page with the database." How can this happen?

1. the browser URL accesses page resources,
2. Check whether the SESSION record the logon status. For example, "no" continues from 3. For example, "yes" goes to 5.
3. Obtain the COOKIE user identification information of the browser client. If the user information exists, continue with 4. If "no" or does not comply with the established principles, go to 6.
4. Determine whether the user id is trusted. For example, decrypt the encrypted string, retrieve the id and password in the string, and compare them with the information in the database. If they match, the value is 5. If they do not match, the value is 6.
5. Verify that the logon status has passed
6. Verify that the logon status does not pass

In this case, how can we always read the database?

Split line

Generally, the "Remember to log on" method combines the ID and password into a string and then encrypts the salt and saves it to the browser client. Each time it is verified with the server, it is decrypted and separated to obtain the ID and password for comparison with the database. Such security is acceptable.

For example, the COOKIE is stored on the client.

$ Data = $ id. "\ t ". md5 ($ password. $ slat); // $ slat can be a hard-coded or random user column value $ identity = base64_encode (encrypt ($ data, $ key )); // encrypt is a self-implemented encryption function or method. $ key can be hard-coded or randomly stored in the user column value setcookie ("testuser", $ identity, time () + 3600 );

For example

If (isset ($ _ COOKIE ['testuser']) {$ identity = $ _ COOKIE ['testuser']; list ($ id, $ password) = explode ("\ t", decrypt (base64_decode ($ identity), $ key); // decrypt is a self-implemented decryption function or method, $ key can be hard-coded or randomly Stored User column values. // todo compares with database column values //...}

Saves user information to COOKIES.
User information includes UID, USERNAME, EMAIL, and PASSWORD.
EMAIL and PASSWORD are reversible encryption.
Each login only requires one reversible encryption of COOKIES and one comparison with your database. If they are the same, you will be logged on. Otherwise, you will be logged on normally.

====================

PS

======================================

Whether cookies can store user information remains controversial in the industry.
Currently, my solution is:
Information such as email, QQ number, user password, and user name stored in cookies must be reversible encrypted.
If user information exists:

array("uid"=>1,"username"=>"b","password"=>"1234567","email"=>"abc@abc.com");

Then, I store uid, username, password, email and other information in cookies separately, and perform Reversible Encryption by using the key (the key can only be known and set by myself. For each operation, I only need $ _ COOKIE ['Password'] to decrypt it and restore it to the original 1234567, and then query and match it. If the query is the same, the cookie is valid. If the query does not match, the cookie is deleted.

There are two methods to query and authenticate after decryption:

1. directly connect to the database for SQL query, which is an inefficient way to consume performance.

select username,uid,password from xxxx where uid='xxxx',username='xxxxx' LIMIT 1;

This method does not require one SQL query at a time, which greatly increases the performance overhead.

2. encrypt the information obtained from the user's first logon and save it to cookies. copy the information to the memcached memory and add the uid_status (which can be obtained by yourself) to 1 (logon status ), each user has a unique uid_status and is set to always valid.

The process of determining whether to log on is more efficient and fast.

After decrypting the information in cookies, check the uid_status status. If the value is 1, the user is deemed to be logged on and the cookie information is not deleted. If the value is 0, the user information in cookies and memcached is matched. Matching includes password, uid, and username. If one of them is incorrect, the cookies are deleted and the uid_status status is updated.

The above is the process for determining whether a user is logged on.

==========

P.S

==============

DISCUZ! The series uses cookies to encrypt and directly query the database for effective judgment of cookies.

The core code of uc_home is:

 Query ("SELECT * FROM ". tname ('session '). "WHERE uid = '$ _ SGLOBAL [supe_uid]'"); if ($ member = $ _ SGLOBAL ['db']-> fetch_array ($ query )) {if ($ member ['Password'] = $ password) {$ _ SGLOBAL ['supe _ username'] = addslashes ($ member ['username']); $ _ SGLOBAL ['session'] = $ member;} else {$ _ SGLOBAL ['supe _ uid'] = 0 ;}} else {$ query = $ _ SGLOBAL ['db']-> query ("SELECT * FROM ". tname ('Member '). "WHERE uid = '$ _ SGLOBAL [supe_uid]'") ; If ($ member = $ _ SGLOBAL ['db']-> fetch_array ($ query) {if ($ member ['Password'] = $ password) {$ _ SGLOBAL ['supe _ username'] = addslashes ($ member ['username']); $ session = array ('uid' =>$ _ SGLOBAL ['supe _ uid'], 'username' =>$ _ SGLOBAL ['supe _ username'], 'Password' => $ password); include_once (S_ROOT. '. /source/function_space.php '); insertsession ($ session); // login} else {$ _ SGLOBAL ['supe _ uid'] = 0;} else {$ _ SGLOBAL [ 'Supe _ uid'] = 0 ;}}} if (empty ($ _ SGLOBAL ['supe _ uid']) {clearcookie ();} else {$ _ SGLOBAL ['username'] = $ member ['username']; if ($ _ SGLOBAL ['connection']) {cloud_token () ;}}}?>

How can I save my password in cookies?

Your practice is acceptable, but there are several suggestions as follows:
1. The client can save two types of data, one is the original data (such as user_id), and the other is the signature of all the original data (you can add a password)
2. You can save the original data to view the actual situation and save the original string or the string encrypted by the reversible encryption algorithm.
3. Algorithms for signing all original data, preferably irreversible
4. The server only needs to obtain the original data and recalculate the signature, for example, whether the signature in the cookie is consistent.

The simplest cookie:
A = uid = 123 & sign = xxxxxxxx

Cookie generation method:
Sign = md5 (secure_key + uid );
Cookie = 'uid = '+ uid +' & sign = '+ sign
Secure_key is a private string and no one can tell.

Cookie verification method:
After obtaining uid and sign
Sign = md5 (secure_key + uid)

Of course, if you think md5 is not reliable, you can choose a better algorithm.

Generally, the $ _ SESSION variable is not used. Therefore, COOKIES cannot store the password. I usually use this method.$ _ SESSIONSave the logon status.$ _ COOKIESSave a user ID or something.

Can I only store UID rows in the session?

Determine whether a UID exists on each page. The UID is added to the session only on the logon page, and is cleared when the session is logged out.