How do you write your login functions?

Source: Internet
Author: User
I know that the user name is used to query the password. if the user name is correct, the login is successful, and then the user ID and user name are saved using cookies.
Is this simple? What is the further approach?
------ Solution --------------------
This is all done!
The user queries the data and then compares the passwords in the data. The passwords are encrypted!

The COOKIES will not work. Your method is too simple. It should be encrypted, including the user UID, time and IP!

During access, the program decrypts the data according to the COOKIE and then compares it with the database: is it the same person logging in?
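An added example (not from the reply above) of the login cookie this answer describes: the UID, issue time and client IP are packed into a token that the server can check on every request. It uses an HMAC signature rather than encryption so that any change to the token is detected; the secret, TTL and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real deployment loads it from config.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
TOKEN_TTL = 3600  # seconds a login token stays valid


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token(uid, client_ip, now=None):
    """Cookie value: base64(payload) + "." + base64(hmac(payload))."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"uid": uid, "ip": client_ip, "iat": issued}).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_sign(payload)).decode())


def verify_token(token, client_ip, now=None):
    """Return the uid if the token is authentic, unexpired and bound to this IP, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so a forged signature cannot be guessed byte by byte
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["iat"] > TOKEN_TTL:
        return None  # expired: the user has to log in again
    if data["ip"] != client_ip:
        return None  # cookie presented from a different address than it was issued to
    return data["uid"]
```

Send the token with the HttpOnly and Secure cookie flags; the signature proves the server issued it, and the IP and time checks are the comparison the reply describes.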
------ Solution --------------------
You may need to add some permission verification and so on. Generally, an application contains the permission management module. Then it is necessary to verify the permissions in the login process. For more information, see the source code.
------ Solution --------------------
The simplest thing is to verify the user name and password, and then you can add the verification code and not log on at the same time to verify whether it is in the background blacklist.
You can also limit the number of wrong user names or passwords entered by users. If there are too many errors, you will be unable to log on to the system for a certain period of time. In fact, there are still a lot of things that can be added to the login function.
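An added example (not the replier's code) of the attempt limit this reply suggests: failures per user name are counted inside a time window, the account is locked for a period once the limit is hit, and a verification code is demanded after the first failure. The limits and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # wrong passwords allowed before the account is locked
FAILURE_WINDOW = 600    # seconds in which those failures must occur
LOCKOUT_SECONDS = 3600  # how long the account stays locked


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so tests can move time
        self._failures = defaultdict(list)   # username -> failure timestamps
        self._locked_until = {}              # username -> unlock time

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[username]   # lock expired, clean up
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        now = self._clock()
        recent = [t for t in self._failures[username] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)

    def record_success(self, username):
        self._failures.pop(username, None)

    def needs_captcha(self, username):
        # require a verification code as soon as one attempt has failed
        return bool(self._failures.get(username))


def attempt_login(throttle, username, password_is_correct):
    """password_is_correct is the outcome of the real credential check."""
    if throttle.is_locked(username):
        return "locked"   # refuse even a correct password while locked
    if password_is_correct:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "locked" if throttle.is_locked(username) else "bad_password"
```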
------ Solution --------------------
Do not use SQL injection.
SELECT count(*) FROM user WHERE un = 'xxx' and pw = 'xxx'

This method.
Instead, query the specified user name first.
SELECT pw FROM user WHERE un = 'xxx'

Determine whether the number of returned results is greater than zero.
Then, use the password (pw) to determine if it is correct.
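An added example (not the replier's code) of the two-step check this reply describes: the row is fetched by user name alone, with the name passed as a bound parameter, and the password is compared in application code against a salted hash rather than in the SQL. The in-memory `user` table, column names and round count are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def hash_password(password, salt=None):
    """Return 'salt$digest'; this string is what the pw column stores."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # constant-time comparison of the two digests
    return hmac.compare_digest(recomputed.hex(), digest_hex)


# Hash checked for unknown names so they cost the same time as known ones
DUMMY_HASH = hash_password("placeholder")


def login(conn, username, password):
    """Step 1: query by user name only. Step 2: check the password in code."""
    # the user name is a bound parameter, never spliced into the SQL text
    row = conn.execute("SELECT uid, pw FROM user WHERE un = ?", (username,)).fetchone()
    if row is None:
        verify_password(DUMMY_HASH, password)
        return None
    uid, stored = row
    return uid if verify_password(stored, password) else None


def build_demo_db():
    """Constructed in-memory table standing in for the page's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (uid INTEGER PRIMARY KEY, un TEXT UNIQUE, pw TEXT)")
    conn.execute("INSERT INTO user (un, pw) VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn
```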
------ Solution --------------------

Reference:
Do not use SQL injection.
SELECT count(*) FROM user WHERE un = 'xxx' and pw = 'xxx'

This method
Instead, query the specified user name first.
SELECT pw FROM user WHERE un = 'xxx' 

Determine whether the number of returned results is greater than zero
Then, use the password (pw) to determine if it is correct.


This is correct. This is the basic login function implementation method.
It seems like we are new people. Let me talk about our experience. Generally, cookies are not used for the logon status; it should be the session. What should I do if the cookie is used tightly? Have you considered that cookies are vulnerable to attacks on the network? Of course, do not save the passwords. For the sake of security, the session will also be applied: cookie_httponly. When it comes to the verification code, the most humane way is to enter the verification code after the wrong one. Many large websites do the same, and then collect statistics on user logon failures, locking the user for 1 hour as needed before the operation.
------ Solution --------------------
Reference:
Quote: reference:

Do not use SQL injection.
SELECT count(*) FROM user WHERE un = 'xxx' and pw = 'xxx'

This method
Instead, query the specified user name first.
SELECT pw FROM user WHERE un = 'xxx' 

Determine whether the number of returned results is greater than zero
Then, use the password (pw) to determine if it is correct.


Why? Are they all the same?


Filter variables when receiving them to prevent the design from being out of SQL.
------ Solution --------------------
Mine is simpler than yours...
It is basically based on LDAP authentication.
Therefore, you only need to check the input and verify it again.
Once the verification is passed, the database determines whether it has the id. If there is no such id, it will be retrieved from LDAP and written into the database... If there is one, the relevant information will be directly returned to the session...
------ Solution --------------------
Reference:
The simplest thing is to verify the user name and password, and then you can add the verification code and not log on at the same time to verify whether it is in the background blacklist.
You can also limit the number of wrong user names or passwords entered by users. if there are too many errors, you will be unable to log on to the system for a certain period of time. In fact, there are still a lot of things that can be added to the login function ..

Correct solution: password encryption, decryption and reading.
