Session cookie for automatic login (next automatic login)

Source: Internet
Author: User
Tags: decrypt, session id

You will have noticed that you only need to tick the "remember me" box once when logging on (ps: wrap the prompt text in a label so that clicking the text also toggles the box), and you stay logged on even after closing and reopening the browser. You may also know that most websites keep the login state in the session rather than in a cookie, because cookie contents are not secure and can be forged, and the session is cleared when the browser closes. So how is the login remembered? Read on.
Session + cookie verification login
The general idea is: after a successful login, record the login state in the session and also write a cookie built from the relevant parameters, which of course must not contain any important information. Every time the user loads a page, the session is checked first; if there is none, the cookie is checked; if the cookie verifies, the database is queried and the session is written. The pseudocode looks like this:
Initialize each page
Enable session;

If (session exists) {
    // Logged on
} Else {
    If (the specified cookie exists) {
        // Decrypt the cookie
        If (matched successfully) {
            // Query the database
            If (the user exists) {
                // Write the session, and decide whether to refresh the cookie
            } Else {
                // User no longer exists: you still want into my website?
            }
        } Else {
            // Nice try. Still want to forge a cookie? Ha
        }
    } Else {
        // No cookie: treated as not logged on
    }
}

// The user's logon status is now known and can be displayed.
Logon page tracking
Enable session;

If (verified by the login form) {
    // Write the session. Take non-sensitive fields such as uid and uname, add your own secret key to generate a unique token, and write it to the cookie base64-encoded. The cookie is used after the browser restarts or the session expires.
}
However, notice that for an ordinary visitor who is not logged on, the initialization code above runs the whole check on every page. That is not very elegant, it gives forgers something to work on with every request, and it is even worse on a site where money ($) changes hands. So let's change it:
Session permission classification
We give the session a login state: 0 means not logged on, 1 means logged on normally, and 2 means logged on via cookie (so that the user can be asked to verify again). Then we modify our pseudocode.
Page initialization
Enable session;

If (session exists) {
    If (session > 0) {
        // Greater than 0: the user is logged on (1 = normal login, 2 = via cookie).
    } Else {
        // 0: not logged on. This value is left behind when cookie verification fails, so the cookie is not re-checked on every page.
    }
} Else {
    // The session does not exist, but the cookie may.
    If (cookie exists) {
        // Decrypt the cookie here
        If (successful) {
            // Query the database
            If (the user exists) {
                // Session = 2. Why 2? It marks this login as cookie-verified, so that security-sensitive operations can require the user to log on again.
            } Else {
                // Session = 0
            }
        } Else {
            // Session = 0
        }
    } Else {
        // No cookie: treated as not logged on. Set the session to 0 so the next page skips this check.
    }
}
Logon page tracking
Enable session;

If (verified by the login form) {
    // Session = 1: a normal login. Generate the token and save it to the cookie for next time.
}
Verify important operations, such as transactions
Enable session;

If (session = 2) {
    // Pop up the login layer or redirect to the login page to verify again. Looks like taobao.com, doesn't it?
}
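The whole scheme from both sets of pseudocode (login state 0/1/2, a token built from uid + uname + a server key, a base64 cookie, and re-verification for important operations), as an added Python example that is not part of the original post. SECRET_KEY, the USERS table and all function names are assumptions, and a keyed HMAC signature stands in for the "encryption" the post leaves unspecified.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"replace-with-a-long-random-server-secret"  # assumed server secret
USERS = {42: {"uname": "alice"}}  # constructed stand-in for the database lookup

def _sign(uid, uname, key):
    return hmac.new(key, f"{uid}|{uname}".encode(), hashlib.sha256).hexdigest()

def make_token(uid, uname, key=SECRET_KEY):
    """Cookie value: base64(JSON{uid, uname, sig}), non-sensitive fields plus a keyed signature."""
    payload = {"uid": uid, "uname": uname, "sig": _sign(uid, uname, key)}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()

def verify_token(cookie, key=SECRET_KEY):
    """The 'decrypt' step: return (uid, uname) if the signature matches, else None."""
    try:
        data = json.loads(base64.urlsafe_b64decode(cookie))
        uid, uname, sig = int(data["uid"]), str(data["uname"]), str(data["sig"])
    except (ValueError, KeyError, TypeError):
        return None  # not base64, not JSON, or fields missing: treat as forged
    if not hmac.compare_digest(sig.encode(), _sign(uid, uname, key).encode()):
        return None  # constant-time compare; wrong key or tampered payload
    return uid, uname

def page_init(session, cookie):
    """Page initialization: set and return session['login'] as 0, 1 or 2."""
    if "login" in session:
        return session["login"]  # 1 or 2 = logged on, 0 = not logged on
    session["login"] = 0  # leave 0 on failure so later pages skip the cookie check
    verified = verify_token(cookie) if cookie is not None else None
    if verified is None:
        return 0
    uid, uname = verified
    if USERS.get(uid, {}).get("uname") != uname:
        return 0  # signature was fine but the user no longer exists
    session["login"], session["uid"] = 2, uid  # 2: logged on via cookie only
    return 2

def login_success(session, uid, uname):
    """Logon page: a normal form login sets state 1 and issues the remember-me cookie."""
    session["login"], session["uid"] = 1, uid
    return make_token(uid, uname)

def needs_reverify(session):
    """Important operations such as transactions: state 2 must log on again first."""
    return session.get("login") == 2
```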
Finally, how the token is actually encrypted or signed depends on the project, but we recommend that you never put sensitive information in it, because cookies, as you know...
Questions you may have
Q: Can this method still be used after the cookie is cleared?
A: Yes. On today's mainstream websites, once you clear the cache (and "cache" here means everything: cookie, localStorage, sessionStorage, userDB, Web SQL, IndexedDB, etc.) and restart the browser, I don't believe you will still be logged on... (ps: What, really? Please leave me a message. Thank you)
Q: Can someone log on directly using a cookie?
A: Theoretically, as long as they know your encryption method, they can write a cookie and log on. That is why we recommend asking the user to log on again for verification. Of course, if it comes to that, it can only be said that you have already been hacked...
Q: If I copy someone else's cookie, can't I log on directly?
A: In theory, yes. This gets into injection and other attacks. If necessary, encrypt browser-related and system-related information into the token as well, and check it against the browser when decrypting... it gets complicated...
