PHP Permanent Login ("Remember Me"): Implementation Methods and Security Practices

Source: Internet
Author: User
Tags: setcookie

PHP Permanent login, remember my feature implementation methods and security practices


This article introduces how to implement a permanent login ("remember me") feature in PHP and the security practices that go with it. It focuses on using a database to build a more secure permanent login; readers who need this feature can use it as a reference.

Permanent login refers to a mechanism that keeps a user authenticated across browser sessions. In other words, a user who logs in today is still logged in tomorrow, even if the session expires between visits. A permanent login reduces the security of your authentication mechanism, but it increases usability: instead of asking the user to authenticate on every visit, it offers the option to remember the login.

In my experience, the most common, and flawed, permanent login scheme is to keep the username and password in a cookie. The temptation is understandable: you do not need to prompt the user for a username and password, you simply read them from the cookie. The rest of the verification process is exactly the same as a normal login, so this is a very simple scheme.

If you do keep the username and password in a cookie, stop doing so immediately and read the rest of this section for ideas on a more secure solution. You will also need to ask every user who has received such a cookie to change their password, because their credentials have been exposed.

Permanent login requires a persistent login cookie, often called an authentication cookie, because cookies are the only standard mechanism for keeping data across multiple sessions. If the cookie grants permanent access, it is a serious risk to the security of your application, so you must make sure the data kept in the cookie can be used for authentication only for a limited period of time.

The first step is to design a way to mitigate the risk of a captured persistent login cookie. Although cookie capture is something you want to prevent, it is best to practice defense in depth, especially because this mechanism reduces the security of the login form even when everything is working properly. Accordingly, the cookie must not be generated from any information that would grant permanent access, such as the user's password.

To avoid using the user's password, you can create a token that is valid only once for authentication:

The code is as follows:

<?php
// One-time login token. Note: rand() and uniqid() are not cryptographically
// secure sources; on PHP 7+ random_bytes() is the stronger choice.
$token = md5(uniqid(rand(), true));
?>

You could save this token in the user's session to associate it with a specific user, but that does not help keep the login across multiple sessions, which is the whole point. You must therefore use a different way of associating the token with a specific user.

Because the username is less sensitive than the password, you could place it in the cookie so that the validator knows which user's token is being presented. A better approach, however, is a second identifier that is not easy to guess or discover. Consider adding three fields to the table that holds usernames and passwords: a second identifier (identifier), a permanent login token (token), and a permanent login timeout (timeout).

The code is as follows:

mysql> DESCRIBE users;
+------------+------------------+------+-----+---------+-------+
| Field      | Type             | Null | Key | Default | Extra |
+------------+------------------+------+-----+---------+-------+
| username   | varchar(25)      |      | PRI |         |       |
| password   | varchar(32)      | YES  |     | NULL    |       |
| identifier | varchar(32)      | YES  | MUL | NULL    |       |
| token      | varchar(32)      | YES  |     | NULL    |       |
| timeout    | int(10) unsigned | YES  |     | NULL    |       |
+------------+------------------+------+-----+---------+-------+

By generating and saving a second identifier and a permanent login token, you can create a cookie that contains no user credentials at all.

The code is as follows:

<?php
$salt = 'shiflett';

// Second identifier: derived from the username, but not reversible to it
$identifier = md5($salt . md5($username . $salt));

// One-time permanent login token
$token = md5(uniqid(rand(), true));

// Cookie and database timeout: one week from now
$timeout = time() + 60 * 60 * 24 * 7;

// The cookie carries only the identifier and token, never the password
setcookie('auth', "$identifier:$token", $timeout);
?>

When a user presents a permanent login cookie, you check that it meets several criteria:

The code is as follows:

<?php
/* mysql_connect() */
/* mysql_select_db() */
/* Note: the mysql_* extension used here was removed in PHP 7 */

$clean = array();
$mysql = array();
$now = time();
$salt = 'shiflett';

// The cookie has the form "identifier:token"
list($identifier, $token) = explode(':', $_COOKIE['auth']);

// Both parts must be alphanumeric (MD5 hex digests) before they are used
if (ctype_alnum($identifier) && ctype_alnum($token))
{
    $clean['identifier'] = $identifier;
    $clean['token'] = $token;
}
else
{
    /* ... */
}

$mysql['identifier'] = mysql_real_escape_string($clean['identifier']);

$sql = "SELECT username, token, timeout
        FROM   users
        WHERE  identifier = '{$mysql['identifier']}'";

if ($result = mysql_query($sql))
{
    if (mysql_num_rows($result))
    {
        $record = mysql_fetch_assoc($result);

        if ($clean['token'] != $record['token'])
        {
            /* Failed Login (wrong token) */
        }
        elseif ($now > $record['timeout'])
        {
            /* Failed Login (timeout) */
        }
        elseif ($clean['identifier'] !=
                md5($salt . md5($record['username'] . $salt)))
        {
            /* Failed Login (invalid identifier) */
        }
        else
        {
            /* Successful Login */
        }
    }
    else
    {
        /* Failed Login (invalid identifier) */
    }
}
else
{
    /* Error */
}
?>

You should restrict the use of permanent login cookies in three ways:

1. The cookie should expire within a week (or less).

2. The cookie should be usable only once for validation (delete or regenerate it after a successful validation).

3. The server side should also limit the cookie to one week (or less).

If you want users to be remembered indefinitely, simply regenerate the token and set a new cookie after each successful validation; as long as the interval between the user's visits is shorter than the expiration period, the login is preserved.
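As an added example that is not the article's code, here is the same identifier/token/timeout design for PHP 7.3+ using PDO instead of the removed mysql_* extension, enforcing the three limits just listed (client-side expiry, single use through rotation, server-side timeout). It assumes an open PDO handle $pdo and the users table above with the token column widened to 64 characters; the random identifier and the stored SHA-256 token hash are substitutions for the article's salted MD5 of the username and plaintext token.

```php
// Added example, not the article's code. Assumes PHP 7.3+, an open PDO handle $pdo,
// and the article's users(identifier, token, timeout) columns with token widened to 64 chars.
const REMEMBER_TTL = 60 * 60 * 24 * 7;   // one week, the article's upper limit

// Issue a fresh single-use token for $username and send it in the 'auth' cookie.
function issueRememberCookie(PDO $pdo, string $username): void
{
    $identifier = bin2hex(random_bytes(16));  // random lookup key, not derived from the username
    $token      = bin2hex(random_bytes(32));  // CSPRNG instead of md5(uniqid(rand(), true))
    $timeout    = time() + REMEMBER_TTL;
    // Only a hash of the token is stored, so a leaked database row cannot be replayed as a cookie.
    $stmt = $pdo->prepare('UPDATE users SET identifier = ?, token = ?, timeout = ? WHERE username = ?');
    $stmt->execute([$identifier, hash('sha256', $token), $timeout, $username]);
    setcookie('auth', "$identifier:$token", [
        'expires'  => $timeout,     // client-side expiry (limit 1)
        'path'     => '/',
        'secure'   => true,         // never sent over plain HTTP
        'httponly' => true,         // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

// Validate the presented cookie. On success the token is rotated (limit 2) and the
// username is returned; any failure returns null without revealing which check failed.
function validateRememberCookie(PDO $pdo): ?string
{
    $parts = explode(':', $_COOKIE['auth'] ?? '', 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                                   // malformed or missing cookie
    }
    [$identifier, $token] = $parts;
    $stmt = $pdo->prepare('SELECT username, token, timeout FROM users WHERE identifier = ?');
    $stmt->execute([$identifier]);
    $record = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($record === false) {
        return null;                                   // unknown identifier
    }
    if (time() > (int) $record['timeout']) {
        return null;                                   // server-side timeout (limit 3)
    }
    // hash_equals() compares in constant time, so the check does not leak by timing.
    if (!hash_equals($record['token'], hash('sha256', $token))) {
        return null;                                   // wrong token
    }
    issueRememberCookie($pdo, $record['username']);    // single use: rotate on success
    return $record['username'];
}
```

Call issueRememberCookie() after a normal password login when the user ticks "remember me", and validateRememberCookie() at the start of a request that has no live session.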

Another useful principle is to require the password before any sensitive operation. Allow permanently logged-in users access only to the features of your application that are not particularly sensitive; having the user authenticate manually before a sensitive operation is a step that cannot be replaced.

Finally, you need to make sure that a user who logs out is really logged out, which includes deleting the persistent login cookie:

The code is as follows:

<?php
// Overwrite the cookie with a useless value and an expiry time in the past
setcookie('auth', 'deleted!', time());
?>

In this example the cookie is filled with a useless value and set to expire immediately. This way, even if the user's clock is inaccurate and would otherwise keep the cookie alive, the useless value ensures that the logout takes effect.
