PHP authentication through session control: a session authentication example

Source: Internet
Author: User


The idea of session control is that a website can track a user across requests by means of a session. The code is collected here for anyone who needs it.

Overview

HTTP is stateless: on its own, the server cannot tell one request's user from another's. PHP session control hands each user a key (a random session identifier) that serves as that user's proof of identity, and keeps a box on the server (a file, a database, or an in-memory store) holding that user's variables.

Traditional PHP session usage

<?php
// page1.php: start a session and register a variable
session_start();
$_SESSION['user_var'] = "hello, codekissyoung!";
// Think of $_SESSION as the user's box. In the default implementation it is a
// small file that PHP writes on the server side.
?>

<?php
// page2.php: the key the browser sends back opens the same box
session_start();
echo $_SESSION['user_var'];
$_SESSION['user_var'] = "bye, codekissyoung!";
?>

<?php
// page3.php: destroy the session. This is typically what a logout page does.
session_start();
session_destroy();
?>

A question: where is the key? None of the code above touches it.

That part happens inside PHP. When page1.php calls session_start(), PHP generates a random session identifier (it is not derived from the user's IP address or browser; a guessable ID would defeat the whole scheme) and returns it in the HTTP response as a cookie named PHPSESSID. On every later request to the same domain the browser sends PHPSESSID back, and PHP uses it to locate that user's box. This PHPSESSID is the key referred to above.

A second question: can PHPSESSID be stolen, forged, or tampered with?

Tampering with or reading the ID in transit is prevented by serving the site over HTTPS and marking the cookie Secure. Forgery is impractical as long as the ID is long and random, which PHP's default generator provides; replacing PHPSESSID with a home-grown key gains nothing unless that key is at least as unguessable, and with session.use_strict_mode enabled PHP refuses any ID it did not issue itself. Theft is the realistic risk: malware on the user's machine, cross-site scripting (blunted by the HttpOnly cookie flag, which keeps the cookie out of reach of scripts), and session fixation, where an attacker plants a known ID before the victim logs in. The standard defence against the last is to call session_regenerate_id(true) whenever the user's privilege changes, for example immediately after a successful login.

Store the generated key in a browser cookie:

  • Set a cookie: setcookie('key', 'value', time() + 3600);
  • Delete a cookie: setcookie('key', '', time() - 1);
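The following is an added example, not code from the original article: a session bootstrap that applies the cookie protections discussed above (Secure, HttpOnly, SameSite, strict mode, ID rotation) and sets and deletes an application cookie with the same flags. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()) and a site served over HTTPS; the cookie name 'key' is a placeholder.

```php
<?php
// Added example (not from the original article): a hardened session bootstrap.
// Assumptions: PHP >= 7.3 and a site served over HTTPS.

function start_secure_session(): void
{
    // Refuse session IDs this server did not issue; defeats trivial fixation.
    ini_set('session.use_strict_mode', '1');
    // Never accept the ID from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');

    // Must run before session_start(), which is what sends the cookie.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // sent only over HTTPS: no sniffing on plain HTTP
        'httponly' => true,     // not readable by JavaScript: harder to steal via XSS
        'samesite' => 'Lax',    // not sent on cross-site POSTs: blunts CSRF
    ]);
    session_start();
}

// Issue a new ID whenever privilege changes (right after a successful login),
// so an ID an attacker planted or observed beforehand is worthless afterwards.
function rotate_session_id(): void
{
    session_regenerate_id(true);   // true = remove the old session's data
}

// An application cookie that carries a key gets the same flags as PHPSESSID.
function set_key_cookie(string $name, string $value, int $ttl = 3600): void
{
    setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function delete_key_cookie(string $name): void
{
    // An expiry in the past tells the browser to drop the cookie; the path must
    // match the one it was set with or the browser keeps the original.
    setcookie($name, '', ['expires' => time() - 3600, 'path' => '/']);
}

start_secure_session();
// The key itself is random and unguessable, never derived from IP or browser.
set_key_cookie('key', bin2hex(random_bytes(16)));
```

Run this at the top of every page before any output, since headers (cookies included) cannot be sent once the body has started.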

Single Sign-On: session sharing

Single sign-on: several subsystems share one user verification system, so logging on to any one of them grants access to all of them.

Suppose servers A and B run the same PHP environment. The user obtained a key on server A and now presents it to server B. Does B recognize it?

Obviously not: each server keeps its session files locally, so B has no record of the key A generated.

Solution: whichever of A or B the user visits, the key it issues is stored in C (a database or cache shared by both). When the user returns to A or B, that server asks C whether the presented key is valid. If it is, the server opens the user's box; simpler still, keep the box itself in C as well, so that both servers see the same variables.

<?php
session_regenerate_id();   // issue a fresh session ID
$session_info = array(
    'uid'     => $uid,
    // session_encrypt() is not defined on the page; it must be supplied by the
    // application, e.g. an HMAC over the value with a server-side secret
    'session' => session_encrypt(session_id() . time()),
);
// save $session_info to C (the shared database or cache)
?>
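The session-sharing arrangement above, worked through as an added example that is not the article's own code: a PHP session save handler that stores every session in C, so a key issued by A is recognized by B and both read the same box. It assumes PHP 8.0 or later with the PDO SQLite driver; an SQLite file stands in for C so the script runs stand-alone (in production C would be a database or cache reachable from every web server, and the DSN below is a placeholder).

```php
<?php
// Added example, not the article's code: a session handler backed by a store
// shared by servers A and B. Assumptions: PHP 8.0+, PDO SQLite available, and
// an SQLite file standing in for the shared store "C".

class SharedStoreSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                 id       TEXT PRIMARY KEY,
                 data     TEXT NOT NULL,
                 modified INTEGER NOT NULL)'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // With session.use_strict_mode=1 PHP asks this before adopting a client-supplied
    // ID, so a forged or stale key is replaced by a fresh one instead of being trusted.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, modified) VALUES (?, ?, ?)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    // Called instead of write() when the data is unchanged; keeps the session alive.
    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET modified = ? WHERE id = ?');
        return $stmt->execute([time(), $id]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    // Garbage collection: drop sessions idle longer than session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE modified < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Every web server (A and B alike) runs this bootstrap with the same DSN for C.
$store = new PDO('sqlite:/tmp/shared-sessions.sqlite');   // placeholder for C
$store->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

ini_set('session.use_strict_mode', '1');                    // reject IDs C has never seen
session_set_save_handler(new SharedStoreSessionHandler($store), true);
session_start();

// Whatever A writes here, B reads on the next request carrying the same PHPSESSID.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'Visits in this session: ', $_SESSION['visits'], PHP_EOL;
```

The handler must be registered before session_start(); implementing validateId() is what makes strict mode effective with a custom handler, since without it PHP accepts any ID the client presents.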

The following is an example of PHP authentication built on session control.

Main authentication script: authmain.php

<?php
// authmain.php: start the session and authenticate the submitted credentials
session_start();

if (isset($_POST['userid'], $_POST['password'])) {
    $userid   = $_POST['userid'];
    $password = $_POST['password'];

    // connect to the database
    $db_conn = new mysqli("localhost", "root", "", "auth");
    if (mysqli_connect_errno()) {
        echo 'Failed to connect to the database: ' . mysqli_connect_error();
        exit();
    }

    // Look the user up with a prepared statement, so the submitted values are
    // bound as data and cannot change the SQL. (The original concatenated them
    // into the query string, which is injectable. Note also that sha1() is a
    // weak password hash; password_hash()/password_verify() is the modern choice.)
    $stmt = $db_conn->prepare("SELECT * FROM authorized_users WHERE name = ? AND password = sha1(?)");
    $stmt->bind_param("ss", $userid, $password);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        // register a session variable
        $_SESSION['valid_user'] = $userid;
    }
    $stmt->close();

    // disconnect from the database
    $db_conn->close();
}
?>
<!DOCTYPE html>

Check for a valid website user: members_only.php

<!DOCTYPE html>

Unset the session variable and destroy the session: logout.php

<?php
// logout.php: start the session so the variables are reachable
session_start();
$olduser = $_SESSION['valid_user'] ?? '';   // remember who is logging out, for the page below
// unset the session variable
unset($_SESSION['valid_user']);
// destroy the session data on the server
session_destroy();
?>
<!DOCTYPE html>
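The three scripts above (authmain.php, members_only.php and logout.php) as one added example of the complete flow; this is not the article's code. It removes the defects a reviewer would flag in the original: the SQL built by string concatenation, the sha1 password store, the missing ID regeneration at login, and a logout that destroys the server-side data but leaves the PHPSESSID cookie in the browser. It assumes the authorized_users(name, password) table stores password_hash() output, that the database credentials are placeholders, and that the site runs over HTTPS.

```php
<?php
// Added example, not the article's code: authenticate, gate a page, log out.
// Assumptions: authorized_users.password holds password_hash() output (not sha1);
// the database credentials are placeholders; the site is served over HTTPS.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function db(): mysqli
{
    $db = new mysqli('localhost', 'auth_user', 'placeholder-password', 'auth');
    if ($db->connect_errno) {
        error_log('DB connect failed: ' . $db->connect_error);   // log it; never echo to the client
        exit('Service unavailable');
    }
    return $db;
}

// authmain.php: verify a submitted userid/password pair and open the session.
function login(string $userid, string $password): bool
{
    $db = db();
    // Bound parameter: the user ID is data, never SQL text, so a value such as
    // ' OR '1'='1 is just an unusual name to compare against.
    $stmt = $db->prepare('SELECT password FROM authorized_users WHERE name = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch() === true;
    $stmt->close();
    $db->close();

    // Unknown user: still run a bcrypt verification against a throwaway hash, so
    // the response time does not reveal which names exist.
    static $dummy = null;
    $dummy ??= password_hash('throwaway', PASSWORD_DEFAULT);
    $ok = password_verify($password, $found ? $stored_hash : $dummy) && $found;

    if ($ok) {
        session_regenerate_id(true);        // new ID on privilege change: defeats fixation
        $_SESSION['valid_user'] = $userid;
    }
    return $ok;
}

// members_only.php: call before any output; returns the logged-in user name.
function require_login(): string
{
    if (empty($_SESSION['valid_user'])) {
        http_response_code(403);
        exit('You are not authorized to view this page');
    }
    return $_SESSION['valid_user'];
}

// logout.php: clear the variables, expire the cookie, then destroy the data.
function logout(): void
{
    $_SESSION = [];
    // session_destroy() removes the server-side box but not the browser's cookie;
    // expire it explicitly with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// authmain.php entry point for the POSTed login form.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['userid'], $_POST['password'])) {
    if (login((string) $_POST['userid'], (string) $_POST['password'])) {
        echo 'Logged in as ', htmlspecialchars($_SESSION['valid_user']), PHP_EOL;
    } else {
        echo 'Login failed', PHP_EOL;   // same message whether the name or the password was wrong
    }
}
```

members_only.php reduces to calling require_login() at the top of the file, and logout.php to calling logout(); both rely on session_start() having run first, which the guard at the top of the block ensures.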

That is all for this article. I hope it helps with your learning, and thank you for your support.
