PHP automatic login ("remember me") is generally implemented by validating the login state from cookies. Many online examples, and the Ecshop system, implement automatic login by setting three cookies: uid, username and password, and then checking them like this:
```php
<?php
// session_start() is assumed to have been called before this function runs.

// Check whether the user is logged in
function checklogin()
{
    if (empty($_SESSION['user_info'])) {                          // no user profile in the session
        if (empty($_COOKIE['username']) || empty($_COOKIE['password'])) {
            // session empty and the user did not choose "remember me": go to the login page,
            // recording the requested URL so the user is sent back here after logging in
            header("Location: login.php?req_url=" . $_SERVER['REQUEST_URI']);
            exit;
        } else {
            // the user chose to remember the login state: fetch the profile with the
            // username and password stored in the cookies
            $user = getuserinfo($_COOKIE['username'], $_COOKIE['password']);
            if (empty($user)) {
                // no user matches this username/password: go to the login page
                header("Location: login.php?req_url=" . $_SERVER['REQUEST_URI']);
                exit;
            } else {
                $_SESSION['user_info'] = $user;                   // put the profile into the session
            }
        }
    }
}
```
Such a setup leaves serious security risks: the username and password are stored on the client and sent with every request, so anyone who can read the cookie (a compromised browser, a proxy or server log, a script injected into the page) holds a reusable credential, and the user's password is exposed to the whole system.
A more secure approach is to put only a one-way hash in the cookie, built from a token and a server-side salt, rather than the credentials themselves:
1. Cookie name: uid. It is recommended to obscure the name, for example with md5('site name'); this only hides what the cookie is for, it is not encryption.
2. Cookie value: login name|expires|hash. The hash is computed over the login name, the expiry time expires, the first few characters of the user's stored (hashed) password, and a salt; the salt is a random value kept in the server-side site configuration file, not in the database.
This design has the following advantages:
1. Even if the database is stolen, the thief cannot log on to the system with it: the salt that goes into the cookie value lives in the server-side site configuration file, not in the database, so valid cookie values cannot be forged from the stolen data alone.
2. If an account is stolen, the user changes his password, and because part of the stored password hash goes into the cookie hash, the cookie value held by whoever took it becomes invalid.
3. If the server-side database is stolen, changing the salt invalidates every user's cookie value at once and forces everyone to log on to the system again.
4. The expiry time expires is set to the current time plus a validity period (for example 2 days), so the cookie value differs on every login; since expires is covered by the hash, a user cannot inspect his own cookie value, extend it, and keep it as a permanent back door for long-term login.
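The scheme above, worked through as an added PHP example; this is not code from the article or from Ecshop. It assumes a $siteConfig array read from a server-side configuration file, a constructed $users array standing in for the database, a two-day COOKIE_TTL, and it uses HMAC-SHA256 keyed with the salt in place of a plain concatenation hashed with MD5; the inputs to the hash are exactly the ones the article lists.

```php
<?php
declare(strict_types=1);

// Added example, not the article's or Ecshop's code: the "login|expires|hash" remember-me
// cookie described above. Assumed names: $siteConfig (read from a server-side config file),
// COOKIE_TTL, and the $users array standing in for the database.

const COOKIE_TTL = 2 * 24 * 3600;   // one cookie is valid for two days

// Constructed server-side configuration. The salt is generated once with
// bin2hex(random_bytes(32)) and kept in a file outside the web root, never in the database.
$siteConfig = [
    'site_name'   => 'example-shop',
    'cookie_salt' => '6d4c8f1e0b2a9c3d5e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5',
];

// Constructed user table; what the database stores is the password_hash() output.
$users = [
    'alice' => ['password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Cookie name: the article suggests md5('site name') so the cookie does not announce itself as a uid.
function rememberCookieName(array $cfg): string
{
    return md5($cfg['site_name']);
}

// Hash part of the cookie: login name, expiry time and a prefix of the user's *stored*
// password hash, keyed with the server-side salt (HMAC-SHA256 instead of plain MD5).
// A bcrypt hash starts with the fixed "$2y$10$", so the prefix must be long enough to
// reach into its random salt, or a password change might leave the prefix unchanged.
function rememberHash(string $login, int $expires, string $storedPasswordHash, string $salt): string
{
    $pwFragment = substr($storedPasswordHash, 0, 16);
    return hash_hmac('sha256', $login . '|' . $expires . '|' . $pwFragment, $salt);
}

function makeRememberValue(string $login, string $storedPasswordHash, string $salt, int $now): string
{
    if ($login === '' || strpos($login, '|') !== false) {
        throw new InvalidArgumentException('login name must be non-empty and must not contain "|"');
    }
    $expires = $now + COOKIE_TTL;   // differs per login, so the same user never gets the same cookie twice
    return $login . '|' . $expires . '|' . rememberHash($login, $expires, $storedPasswordHash, $salt);
}

// Validates a cookie value. Returns the login name on success, null on any failure.
// $lookup maps a login name to ['password_hash' => ...] or null (the database query).
function checkRememberValue(string $value, callable $lookup, string $salt, int $now): ?string
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$login, $expiresStr, $mac] = $parts;
    if ($login === '' || !preg_match('/^\d{1,12}$/', $expiresStr)) {
        return null;
    }
    $expires = (int) $expiresStr;
    if ($expires < $now) {
        return null;                        // expired: the user has to log in again
    }
    $user = $lookup($login);                // look up by login only; no password in the cookie
    if ($user === null) {
        return null;
    }
    $expected = rememberHash($login, $expires, $user['password_hash'], $salt);
    return hash_equals($expected, $mac) ? $login : null;   // constant-time comparison
}

// Call after a successful password login: HttpOnly and Secure, so page scripts and plain HTTP never see it.
function issueRememberCookie(array $cfg, string $login, string $storedPasswordHash): void
{
    $value = makeRememberValue($login, $storedPasswordHash, $cfg['cookie_salt'], time());
    setcookie(rememberCookieName($cfg), $value, time() + COOKIE_TTL, '/', '', true, true);
}

if (PHP_SAPI === 'cli') {
    $lookup = function (string $login) use (&$users) {
        return $users[$login] ?? null;
    };
    $salt = $siteConfig['cookie_salt'];
    $now  = time();

    $cookie = makeRememberValue('alice', $users['alice']['password_hash'], $salt, $now);
    var_dump(checkRememberValue($cookie, $lookup, $salt, $now));            // fresh cookie

    // A user who edits the expiry in his own cookie to keep a permanent back door (advantage 4)
    $forged = preg_replace('/\|\d+\|/', '|' . ($now + 10 * 365 * 86400) . '|', $cookie);
    var_dump(checkRememberValue($forged, $lookup, $salt, $now));

    // The real user changes the password: a stolen copy of the old cookie dies (advantage 2)
    $users['alice']['password_hash'] = password_hash('a new password', PASSWORD_DEFAULT);
    var_dump(checkRememberValue($cookie, $lookup, $salt, $now));

    // Rotating the salt after a database theft kills every outstanding cookie (advantage 3)
    var_dump(checkRememberValue($cookie, $lookup, 'rotated-salt', $now));
}
```

Run with php on the command line: the fresh cookie is accepted and the three manipulated cases (edited expiry, changed password, rotated salt) are rejected. The check looks the user up by login name only, so no password ever travels in the cookie, and the hash is compared with hash_equals rather than == so the comparison does not leak timing. One caveat the design itself does not address: a stolen cookie stays valid until expires passes or the password or salt changes, so logging out should also clear the cookie (setcookie with an expiry in the past), and the cookie should always be issued HttpOnly and Secure as issueRememberCookie does.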