PHP permanent login, Remember Me function: implementation methods and security practices

Source: Internet
Author: User

This article describes how to implement PHP permanent logon and remember me functions and security practices. This article focuses on how to use a database to implement safer permanent logon and remember me functions. For more information, see

Permanent login refers to a mechanism that keeps a user authenticated across browser sessions. In other words, a user who logs in today is still logged in tomorrow, even though the session that was active between those visits has expired. Permanent login reduces the security of your authentication mechanism but increases usability: instead of requiring users to authenticate on every visit, it offers them the option to be remembered.

As I have observed, the most common, and flawed, permanent login solution is to save the user name and password in a cookie. The temptation is understandable: you no longer need to prompt the user for a user name and password, you simply read them from the cookie. The rest of the verification process is exactly the same as a normal login, so the solution is very simple to implement.

However, if you are actually storing the user name and password in a cookie, disable that feature immediately and read the rest of this section for a safer approach. Afterwards, you should ask every user who received such a cookie to change their password, because their authentication credentials have been exposed.

Permanent login requires a permanent login cookie, usually called an authentication cookie, because a cookie is the only standard mechanism for keeping data across multiple sessions. If that cookie grants permanent access, it poses a serious risk to the security of your application, so make sure that the data you store in it can only be used for authentication for a limited period of time.

The first step is to design a way to mitigate the risk posed by a captured permanent login cookie. Although cookie capture is something you should try to prevent, a defense-in-depth approach is best here, especially because this mechanism lowers the security of the authentication scheme even when everything is working normally. Accordingly, the cookie must not be generated from any piece of information that would itself grant permanent access, such as the user's password.

To avoid using the user's password, you can generate an identifier that is valid for a single verification only:

The code is as follows:

<?php
// A random token that is valid for one verification only; it is not derived from the password.
// (On PHP 7 and later, bin2hex(random_bytes(16)) is a stronger source of randomness.)
$token = md5(uniqid(rand(), TRUE));
?>

You could store this token in the user's session to associate it with a specific user, but that would not help you keep the user logged in across sessions, which is the whole point. You therefore need a different way to associate the token with a specific user.

Because the user name is less sensitive than the password, you could store it in the cookie so that the verification code knows which user the token belongs to. A better approach, however, is to use a second identifier that is hard to guess or discover. Consider adding three fields to the table that holds user names and passwords: the second identifier (identifier), the permanent login token (token), and a permanent login timeout (timeout).

The code is as follows:

mysql> DESCRIBE users;
+------------+------------------+------+-----+---------+-------+
| Field      | Type             | Null | Key | Default | Extra |
+------------+------------------+------+-----+---------+-------+
| username   | varchar(25)      |      | PRI |         |       |
| password   | varchar(32)      | YES  |     | NULL    |       |
| identifier | varchar(32)      | YES  | MUL | NULL    |       |
| token      | varchar(32)      | YES  |     | NULL    |       |
| timeout    | int(10) unsigned | YES  |     | NULL    |       |
+------------+------------------+------+-----+---------+-------+

By generating the second identifier and the permanent login token and saving both in the database, you can create a cookie that contains no authentication credentials at all.

The code is as follows:

<?php
$salt = 'shiflett';

// Second identifier: derived from the user name and a salt, so the user name itself is not stored in the cookie
$identifier = md5($salt . md5($username . $salt));

// Random token, valid for one verification only
$token = md5(uniqid(rand(), TRUE));

// Expire in one week
$timeout = time() + 60*60*24*7;

/* $identifier, $token and $timeout are also saved in the user's row (not shown) */

setcookie('auth', "$identifier:$token", $timeout);
?>

When a user presents a permanent login cookie, validate it against the following criteria:

The code is as follows:

<?php
/* mysql_connect() */
/* mysql_select_db() */

$clean = array();
$mysql = array();

$now = time();
$salt = 'shiflett';

list($identifier, $token) = explode(':', $_COOKIE['auth']);

// Both halves of the cookie must be alphanumeric (md5 hex digests)
if (ctype_alnum($identifier) && ctype_alnum($token))
{
    $clean['identifier'] = $identifier;
    $clean['token'] = $token;
}
else
{
    /* ... (reject the cookie and stop here) */
}

$mysql['identifier'] = mysql_real_escape_string($clean['identifier']);

$sql = "SELECT username, token, timeout
        FROM   users
        WHERE  identifier = '{$mysql['identifier']}'";

if ($result = mysql_query($sql))
{
    if (mysql_num_rows($result))
    {
        $record = mysql_fetch_assoc($result);

        // Strict comparison: a loose != would compare hex digests as numbers in some cases
        if ($clean['token'] !== $record['token'])
        {
            /* Failed Login (wrong token) */
        }
        elseif ($now > $record['timeout'])
        {
            /* Failed Login (timeout) */
        }
        elseif ($clean['identifier'] !==
                md5($salt . md5($record['username'] . $salt)))
        {
            /* Failed Login (invalid identifier) */
        }
        else
        {
            /* Successful Login */
        }
    }
    else
    {
        /* Failed Login (invalid identifier) */
    }
}
else
{
    /* Error */
}
?>

You must restrict the use of permanent login cookies in three ways:

1. The cookie must expire within one week (or less).

2. The cookie should be usable for one verification only (delete or regenerate it after each successful verification).

3. The server-side timeout must also expire within one week (or less).

If you want users to be remembered indefinitely, as long as they visit your application more often than the expiration period, simply generate a new permanent login token and set a new cookie after each successful verification.

Another useful principle is to require the user's password before any sensitive operation. Users who are authenticated only by a permanent login cookie should be allowed into the parts of your application that are not particularly sensitive; explicit re-authentication is an irreplaceable step before sensitive operations.

Finally, make sure that a user who logs out is really logged out, which includes deleting the permanent login cookie:

The code is as follows:

<?php
// Overwrite the cookie with a useless value and expire it immediately
setcookie('auth', 'DELETED!', time());
?>

In this example, the cookie is overwritten with a useless value and set to expire immediately. This way, even if the user's clock is inaccurate and the browser keeps the cookie, the user is still logged out effectively, because the value that remains cannot authenticate anyone.
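The whole flow this article walks through (issue the cookie, apply the three checks, rotate the token after each verification, and delete it at logout), as one added example that is not part of the original article. It replaces the mysql_* functions and md5(uniqid()) with PDO, random_bytes() and constant-time hash_equals(), and assumes a PDO handle $db, PHP 7.3 or later, and the users table shown above; the salt value and the function names are assumptions.

```php
<?php
const REMEMBER_TTL = 60 * 60 * 24 * 7;   // one week, the article's upper bound
const SALT = 'shiflett';                 // the article's example salt (assumed)
function identifierFor(string $username): string
{
    return md5(SALT . md5($username . SALT));   // the article's second identifier
}
// Issue (or re-issue) the permanent login cookie and store its server-side copy.
function issueRememberCookie(PDO $db, string $username): void
{
    $token = bin2hex(random_bytes(16));          // 32 hex chars, fits varchar(32)
    $timeout = time() + REMEMBER_TTL;
    $identifier = identifierFor($username);
    $db->prepare('UPDATE users SET identifier = ?, token = ?, timeout = ? WHERE username = ?')
       ->execute([$identifier, $token, $timeout, $username]);
    setcookie('auth', "$identifier:$token", ['expires' => $timeout, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Validate a presented cookie: returns the username, or null on any failure.
function checkRememberCookie(PDO $db, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_alnum($parts[0]) || !ctype_alnum($parts[1])) {
        return null;                              // malformed cookie
    }
    [$identifier, $token] = $parts;
    $stmt = $db->prepare('SELECT username, token, timeout FROM users WHERE identifier = ?');
    $stmt->execute([$identifier]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals((string) $row['token'], $token)) {
        return null;                              // unknown identifier or wrong token
    }
    if (time() > (int) $row['timeout']) {
        return null;                              // expired on the server side
    }
    if (!hash_equals(identifierFor($row['username']), $identifier)) {
        return null;                              // identifier does not match this user
    }
    issueRememberCookie($db, $row['username']);   // rotate: one cookie per verification
    return $row['username'];
}

// Logout: clear the server-side token and overwrite the cookie with a useless value.
function deleteRememberCookie(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET token = NULL, timeout = NULL WHERE username = ?')->execute([$username]);
    setcookie('auth', 'DELETED!', ['expires' => time(), 'path' => '/']);
}
```

Because the token is rotated on every successful check, a captured cookie stops working as soon as the legitimate user visits again, and the server-side timeout bounds its lifetime even if the browser ignores the cookie's own expiry.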
