Implementing authentication in PHP through session control: an example

Source: Internet
Author: User
Tags php session setcookie
This article describes an example of implementing authentication in PHP through session control, where identity is verified by submitting data through the session. Readers who need it can use it as a reference.

The idea of session control is to track a user across a website on the basis of a session. The detailed code follows.


The HTTP protocol is stateless: for each request, the server cannot tell which user it comes from. PHP session control gives the user a key (a cryptographic session string), which also serves as proof of the user's identity. The server keeps a box that this key opens (in a database, an in-memory database, or files), and the box holds the user's variables.

Traditional PHP session usage

<?php
// page1.php: start a session and register a variable
session_start();
$_SESSION['user_var'] = "hello,codekissyoung!";
// $_SESSION can be thought of as the user's box; in practice PHP
// implements it as a small file generated on the server side
?>

<?php
// page2.php
session_start();
echo $_SESSION['user_var']; // use the key to access the variable inside the user's box
$_SESSION['user_var'] = "Bey, Codekissyoung!";
?>

<?php
// page3.php: destroy the key; this page is generally visited when the user logs off
session_start();
session_destroy();
?>

A question: where is the key? We never saw any operation on the user's key.

PHP does this for us behind the scenes. When you visit page1.php and session_start() runs, PHP generates a PHPSESSID value based on certain conditions (user IP, browser number, time, etc.) and returns it to the client in the HTTP response. Once PHPSESSID is in your browser's cookies, it is sent to the server every time you visit that domain. This PHPSESSID is the user key I am talking about here.

Another question: how secure is this PHPSESSID? Is it easy to steal, easy to forge, easy to tamper with?

Use HTTPS to prevent tampering. To prevent forgery, generate your own secret key for the user instead of using PHPSESSID. As for whether it is easy to steal, I have not really researched that much. One example: your computer is connected to a network and hackers break into it.

Storing the generated key in a browser cookie

    • Set a cookie: setcookie('key', 'value', time() + 3600);

    • Delete a cookie: setcookie('key', '', time() - 1);
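
One way to build the self-generated key mentioned above so that it cannot be forged or edited, and to set it as a cookie. This is an added example, not code from the original article; the function names, the key layout and SERVER_SECRET are assumptions made for illustration.

```php
<?php
// Added example, not the article's code. SERVER_SECRET is a placeholder:
// load a long random secret from configuration kept outside the web root.
const SERVER_SECRET = 'placeholder-secret-load-from-config';

// Key layout: uid.expiry.nonce.mac. The MAC covers the first three fields,
// so altering any of them, or inventing a key, fails verification.
function issue_key(int $uid, int $ttl = 3600): string
{
    $payload = $uid . '.' . (time() + $ttl) . '.' . bin2hex(random_bytes(16));
    return $payload . '.' . hash_hmac('sha256', $payload, SERVER_SECRET);
}

// Returns the uid for a genuine, unexpired key; null for anything else.
function verify_key(string $key): ?int
{
    $parts = explode('.', $key);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $expiry, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid.$expiry.$nonce", SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!ctype_digit($uid) || !ctype_digit($expiry) || (int) $expiry < time()) {
        return null;
    }
    return (int) $uid;
}

function send_key_cookie(string $key, int $ttl = 3600): void
{
    setcookie('key', $key, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // hidden from page JavaScript
        'samesite' => 'Lax',   // withheld from cross-site subrequests
    ]);
}

// On login:          send_key_cookie(issue_key($uid));
// On later requests: $uid = verify_key($_COOKIE['key'] ?? '');
```

A signed key cannot be forged or edited, but a stolen one can still be replayed until it expires, so HTTPS and the cookie flags remain necessary.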

Implementing single sign-on: session sharing

Single sign-on: one user authentication system is shared between multiple subsystems, and logging in at one place gives access to all subsystems.

Imagine a scenario where servers A and B have identical PHP environments. The user gets a key on server A and then uses that key to access server B. Does server B recognize it?

Obviously not: server B does not recognize a key generated by server A.

Workaround: whether the user accesses A or B, the generated key is stored in C (a shared database or cache system). When the user accesses A or B again, both A and B ask C: is this user's key valid? If so, the user can use their own box on either A or B.

<?php
session_start();
session_regenerate_id(); // reset the session ID
// session_encrypt() is a user-defined function that this article does not show
$session_info = array(
    'uid' => $uid,
    'session' => session_encrypt(session_id() . time()),
);
// The next step is to save $session_info to C
?>

The following example shows how to implement authentication in PHP through session control.

Main authentication script: authmain.php

<?php
// Open a session
session_start();

if (isset($_POST['userid'], $_POST['password'])) {
    $userid = $_POST['userid'];
    $password = $_POST['password'];

    // Connect to the database
    $db_conn = new mysqli("localhost", "root", "", "auth");
    if (mysqli_connect_errno()) {
        echo 'Connection to database failed: ' . mysqli_connect_error();
        exit();
    }

    // Run the SQL query; the values are bound as parameters
    // rather than concatenated into the statement
    $stmt = $db_conn->prepare("SELECT * FROM authorized_users WHERE name = ? AND password = sha1(?)");
    $stmt->bind_param("ss", $userid, $password);
    $stmt->execute();
    $stmt->store_result();

    if ($stmt->num_rows > 0) {
        // Register a session variable
        $_SESSION['valid_user'] = $userid;
    }

    // Disconnect from the database
    $stmt->close();
    $db_conn->close();
}
?>
<!DOCTYPE html>

Valid user check for website: members_only.php

<!DOCTYPE html>

Unregister session variable and destroy session: logout.php

<?php
// Enable the session
session_start();
$olduser = $_SESSION['valid_user'];
// Unregister the session variable
unset($_SESSION['valid_user']);
// Destroy the session
session_destroy();
?>
<!DOCTYPE html>
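
The login, valid-user check and logout steps of authmain.php, members_only.php and logout.php, gathered into one hardened sketch. This is an added example, not the original article's code; it assumes the password column of authorized_users stores password_hash() output instead of sha1() digests, and the function names are illustrative.

```php
<?php
// Added example, not the article's code. Assumes authorized_users.password
// holds password_hash() output (a schema change from the sha1() column).
session_set_cookie_params([
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

function login(mysqli $db, string $userid, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM authorized_users WHERE name = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh session ID at login so that an ID the browser held
    // before authentication stops being valid (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['valid_user'] = $userid;
    return true;
}

// Valid-user check for protected pages.
function require_valid_user(): string
{
    if (!isset($_SESSION['valid_user'])) {
        http_response_code(403);
        exit('You are not logged in.');
    }
    return $_SESSION['valid_user'];
}

function logout(): void
{
    $_SESSION = [];
    // session_destroy() removes the server-side data only; expire the
    // browser's copy of the session cookie as well.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```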

Summary: That is the entire content of this article; I hope it helps you learn.
