PHP permanent login ("remember me"): implementation and security practices

Source: Internet
Author: User
Tags: auth, md5, rand, require, sessions, setcookie, valid

This article describes how to implement a permanent login ("remember me") feature in PHP and how to do so safely. It focuses on a database-backed design, using a separate identifier and a one-use token rather than the user's credentials, which gives a considerably more secure permanent login.

A permanent login is a mechanism that keeps a user authenticated across browser sessions: a user who logged in today is still logged in tomorrow, even though the session from the earlier visit has long since expired. Offering permanent logins lowers the security of your authentication mechanism but improves usability: instead of prompting for credentials on every visit, the application lets the user choose to be remembered.

The most common flawed implementation I have seen is to keep the username and password in a cookie. The temptation is understandable: there is no need to prompt the user, you simply read the credentials from the cookie, and the rest of the validation process is identical to a normal login, so the scheme is very simple.

If you do store usernames and passwords in a cookie, disable that immediately and read the rest of this section for a safer design. You must also require every user who received such a cookie to change their password, because their credentials have been exposed.

A permanent login requires a persistent cookie, usually called an authentication cookie, because cookies are the only standard mechanism for carrying stable data across sessions. A cookie that grants permanent access is a serious risk to the application, so the data it carries must be usable for authentication only for a limited time.

The first step is to design a way of limiting the damage done by a captured permanent-login cookie. You should of course try to prevent cookies from being captured at all, but defence in depth matters here, especially since this mechanism weakens the authentication scheme even when everything works as intended. For that reason the cookie must not be derived from any piece of information that would grant permanent access, such as the user's password.

To avoid using the password, you can generate a token that is valid for only one validation. (The article uses md5(uniqid(rand(), true)), which was common practice at the time; uniqid() and rand() are not cryptographically secure generators, so on PHP 7 and later use bin2hex(random_bytes(16)) instead.)

The code is as follows:

<?php

/* A fresh, unpredictable token for this login; on PHP 7+ prefer bin2hex(random_bytes(16)) */
$token = md5(uniqid(rand(), true));

?>

You could store this token in the user's session to associate it with a particular user, but that does not help you stay logged in between sessions, which is the whole point. You therefore need another way to tie the token to a particular user.

Because a username is less sensitive than a password, you could put it in the cookie so that the validator knows whose token is being presented. A better approach, however, is a second identifier that cannot easily be guessed or discovered. Consider adding three columns to the table that holds usernames and passwords: the second identifier (identifier), the permanent-login token (token), and the permanent-login expiry time (timeout).

The code is as follows:

mysql> DESCRIBE users;
+------------+------------------+------+-----+---------+-------+
| Field      | Type             | Null | Key | Default | Extra |
+------------+------------------+------+-----+---------+-------+
| username   | varchar(25)      |      | PRI |         |       |
| password   | varchar(32)      | YES  |     | NULL    |       |
| identifier | varchar(32)      | YES  | MUL | NULL    |       |
| token      | varchar(32)      | YES  |     | NULL    |       |
| timeout    | int(10) unsigned | YES  |     | NULL    |       |
+------------+------------------+------+-----+---------+-------+

By generating and storing the second identifier and the token, you can build a cookie that contains no user credentials at all.

The code is as follows:

<?php

$salt = 'Shiflett';

/* identifier: derived from the username, so it reveals nothing without the salt */
$identifier = md5($salt . md5($username . $salt));

/* token: fresh for every login (see the random_bytes() note above) */
$token = md5(uniqid(rand(), true));

/* one week from now, used both as the cookie expiry and the server-side timeout */
$timeout = time() + 60 * 60 * 24 * 7;

/* store $identifier, $token and $timeout in the user's row before issuing the cookie */
setcookie('auth', "$identifier:$token", $timeout);

?>

When a user presents a permanent-login cookie, you check that several conditions are met:

The code is as follows:

<?php

/* mysql_connect() */
/* mysql_select_db() */
/* Note: the mysql_* extension was removed in PHP 7.0; in current code use
   mysqli or PDO with prepared statements. The validation logic is unchanged. */

$clean = array();
$mysql = array();

$now = time();
$salt = 'Shiflett';

/* Split the cookie into identifier and token; tolerate a missing or malformed cookie */
$parts = isset($_COOKIE['auth']) ? explode(':', $_COOKIE['auth'], 2) : array();

if (count($parts) === 2 && ctype_alnum($parts[0]) && ctype_alnum($parts[1]))
{
    $clean['identifier'] = $parts[0];
    $clean['token'] = $parts[1];
}
else
{
    /* ... (handle the malformed cookie) */
    exit; /* do not fall through to the database lookup with unvalidated input */
}

$mysql['identifier'] = mysql_real_escape_string($clean['identifier']);

$sql = "SELECT username, token, timeout
        FROM users
        WHERE identifier = '{$mysql['identifier']}'";

if ($result = mysql_query($sql))
{
    if (mysql_num_rows($result))
    {
        $record = mysql_fetch_assoc($result);

        /* Strict comparison: with == two hex digests such as "0e123" and "0e456"
           compare equal because PHP treats both as the number zero */
        if ($clean['token'] !== $record['token'])
        {
            /* Failed login (wrong token) */
        }
        elseif ($now > $record['timeout'])
        {
            /* Failed login (timeout) */
        }
        elseif ($clean['identifier'] !==
                md5($salt . md5($record['username'] . $salt)))
        {
            /* Failed login (invalid identifier) */
        }
        else
        {
            /* Successful login */
        }
    }
    else
    {
        /* Failed login (invalid identifier) */
    }
}
else
{
    /* Error */
}

?>

You should limit the use of permanent-login cookies in three ways:

1. The cookie must expire within one week (or less).

2. The cookie should be valid for one use only (delete or regenerate it after each successful validation).

3. Enforce the one-week (or shorter) expiry on the server side as well, not only in the cookie.

If you want users to be remembered indefinitely, simply regenerate the token and set a new cookie after every successful validation; as long as the user visits more often than the expiry interval, the login never lapses.

Another useful principle is to require the password again before any sensitive operation. A user who is only permanently logged in should be allowed to reach only the less sensitive parts of your application; requiring the user to authenticate manually before sensitive operations is an irreplaceable step.

Finally, make sure that a user who logs out is really logged out. That includes deleting the permanent-login cookie, and it should also include clearing the stored token on the server, so that a copy of the old cookie cannot be replayed:

The code is as follows:

<?php

/* Overwrite the value and expire the cookie now; also clear the token stored for this user */
setcookie('auth', 'deleted!', time());

?>

Here the cookie is overwritten with a meaningless value and given an expiry time of now. Even if the user's clock is wrong, so that the browser keeps the cookie, the value it holds no longer validates, and the user is still effectively logged out.
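The full flow described in this article (issue a cookie that carries no credentials, validate it, retire the token after one use, enforce the expiry server-side, and clear everything on logout), as an added example that is not the article's code. It keeps the identifier/token/timeout design but replaces md5(uniqid(rand(), true)) with random_bytes(), stores only a hash of the token, compares with hash_equals(), and uses PDO prepared statements instead of the removed mysql_* functions. It assumes PHP 7.3 or later with the pdo_sqlite extension; the table name persistent_logins and the function names are this example's own choices, and the identifier is random per issuance rather than derived from the username, so that one user can keep several remembered browsers.

```php
<?php
// Added example, not the article's code. Assumes PHP 7.3+ (random_bytes, hash_equals,
// array-form setcookie) and pdo_sqlite; table/function names are this example's choices.

const COOKIE_NAME = 'auth';
const LIFETIME    = 60 * 60 * 24 * 7;   // one week, enforced in the cookie and server-side

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // in-memory so the example runs offline
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE persistent_logins (identifier TEXT PRIMARY KEY,
                    username TEXT NOT NULL, token_hash TEXT NOT NULL, timeout INTEGER NOT NULL)');
    }
    return $pdo;
}

function revoke(string $identifier): void
{
    db()->prepare('DELETE FROM persistent_logins WHERE identifier = ?')->execute([$identifier]);
}

// Issue a fresh identifier/token pair for $username and return the cookie value.
// Only a SHA-256 of the token is stored, so a leaked database yields no usable cookies.
function issue_persistent_login(string $username): string
{
    $identifier = bin2hex(random_bytes(16));   // random, not derived from the username
    $token      = bin2hex(random_bytes(32));
    $timeout    = time() + LIFETIME;
    db()->prepare('INSERT INTO persistent_logins (identifier, username, token_hash, timeout)
                   VALUES (?, ?, ?, ?)')
        ->execute([$identifier, $username, hash('sha256', $token), $timeout]);

    $value = "$identifier:$token";
    if (PHP_SAPI !== 'cli') {                  // in a web request, actually send the cookie
        setcookie(COOKIE_NAME, $value, [
            'expires'  => $timeout,
            'path'     => '/',
            'secure'   => true,                // never sent over plain HTTP
            'httponly' => true,                // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Validate a presented cookie value; returns the username or null. A successful
// validation retires the token and issues a new one, so every cookie is one-use
// and the expiry rolls forward for users who visit at least weekly.
function validate_persistent_login(string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                           // malformed cookie
    }
    [$identifier, $token] = $parts;

    $st = db()->prepare('SELECT username, token_hash, timeout FROM persistent_logins WHERE identifier = ?');
    $st->execute([$identifier]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                           // unknown identifier
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        revoke($identifier);                   // wrong token for a real identifier: treat as tampering
        return null;
    }
    if (time() > (int) $row['timeout']) {
        revoke($identifier);                   // server-side expiry, independent of the browser's clock
        return null;
    }
    revoke($identifier);                       // success: this token may never be used again
    issue_persistent_login($row['username']);  // roll the login forward with a new cookie
    return $row['username'];
}

// Logout: revoke the server-side record first (this is what defeats a copied cookie),
// then overwrite and expire the cookie in the browser that is logging out.
function logout_persistent_login(string $cookie): void
{
    $identifier = explode(':', $cookie, 2)[0];
    if (ctype_xdigit($identifier)) {
        revoke($identifier);
    }
    if (PHP_SAPI !== 'cli') {
        setcookie(COOKIE_NAME, 'deleted!', ['expires' => time(), 'path' => '/']);
    }
}

// Walk-through with constructed input (run from the CLI, so no headers are sent).
$c1 = issue_persistent_login('alice');
var_dump(validate_persistent_login($c1));      // accepted once; the token is then retired
var_dump(validate_persistent_login($c1));      // the same cookie replayed is rejected
$c2 = issue_persistent_login('alice');
logout_persistent_login($c2);
var_dump(validate_persistent_login($c2));      // revoked by logout, so rejected
```

Run it with php from the command line. In a web request the validator is called with $_COOKIE['auth'] before falling back to the login form, and the setcookie() calls send the cookie with Secure and HttpOnly set. Because every token is one-use, a captured cookie replayed after the legitimate user has already used it hits an unknown identifier and fails; if the attacker uses it first, the legitimate user's next visit fails instead, which is the signal to fall back to password authentication.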
