This feature is a security risk, and I don't think every programmer knows how to design it. The usual design is: if the user selects this option, the system generates a cookie containing the user name and a fixed hash value, and that same hash is used every time. With this design the cookie works on every device and client, and multiple users can be logged in with it at the same time. This is not very safe. Below are some safer approaches for reference:
1) Store three things in the cookie: user name, login sequence, login token.
User name: stored in plaintext.
Login sequence: an MD5 hash of a random number, updated only when the user is forced to enter the password (for example, after the user has changed the password).
Login token: an MD5 hash of a random number, valid for only one login session; each new login session updates it.
2) The server keeps the same three items. When the server verifies a user, it must check all three against the values in the client's cookie.
3) The effects of this design:
A) The login token gives single-instance login: a user can have only one login instance at a time.
B) The login sequence is used for theft detection. If a user's cookie is stolen and the thief uses it to access the site, the system treats the thief as a legitimate user and updates the login token. When the real user later returns, the system finds that the user name and login sequence match but the login token does not, so it knows the account may have been stolen. It can then clear and change the login sequence and login token, which invalidates every cookie, require the user to enter the password, and warn the user about the security problem.
4) Of course, the design above still has problems, for example the same user logging in from different devices, or even from different browsers on the same device. One device will cause the login token and login sequence to fail, so the other devices and browsers have to log in again, and the cookie-theft logic above may be triggered. Therefore the IP address also needs to be considered:
A) If the user logs in with a password, the login sequence and login token do not need to be updated (but the cookie does need to be reissued), because we assume the password is known only to the real user.
B) If the request comes from the same IP address, the login sequence and login token do not need to be updated either (but the cookie does need to be reissued), because we assume the same user has the same IP address (of course several machines on one LAN may share an IP address, but we assume the user controls that LAN; this feature is not recommended in Internet cafes).
C) If the IP address is different and the login was made without a password, the login token will change between IP addresses (bouncing back and forth between two or more addresses). After a certain number of such changes the system considers theft very likely, clears the login sequence and login token to invalidate the cookie, and forces the user to enter the password (or asks the user to change it) so that the cookies on all devices are consistent again.
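To make the three-field scheme and the IP rules concrete, here is an added Python example (my own code, not from the article or from coolshell.cn). A server-side RememberMeService keeps the user name, login sequence and login token, applies the theft check from 3B, and the IP rules from 4A to 4C. It assumes an in-memory dict as the server store, a dict standing in for the cookie, a client IP supplied by the caller, random values from secrets.token_hex instead of an MD5 of a random number, and a constructed threshold SUSPICIOUS_IP_FLIPS of 3 for rule 4C, which the article leaves unspecified.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed threshold for rule 4C: how many IP-to-IP token changes the
# server tolerates before it treats the cookie as stolen. Not from the article.
SUSPICIOUS_IP_FLIPS = 3


@dataclass
class LoginRecord:
    """Server-side copy of the cookie fields plus the last IP seen (assumed extension)."""
    sequence: str   # changes only when the user is forced to re-enter the password
    token: str      # rotated on every cookie-based login (single-instance login)
    ip: str         # last client IP that used the cookie
    ip_flips: int = 0


def fresh_value() -> str:
    # The article uses an MD5 of a random number; a CSPRNG hex string gives the
    # same property (an unguessable opaque value) without the hash step.
    return secrets.token_hex(16)


class RememberMeService:
    def __init__(self) -> None:
        self.records: Dict[str, LoginRecord] = {}

    def _cookie(self, username: str, rec: LoginRecord) -> Dict[str, str]:
        # The three items the article stores in the cookie.
        return {"username": username, "sequence": rec.sequence, "token": rec.token}

    def invalidate(self, username: str) -> None:
        # "Clear and change" both values: dropping the record makes every cookie
        # issued so far fail, so the user must enter the password again. A
        # password change would call this as well.
        self.records.pop(username, None)

    def login_with_password(self, username: str, ip: str) -> Dict[str, str]:
        rec = self.records.get(username)
        if rec is None:
            # First login, or a forced re-login after invalidation: fresh values.
            rec = LoginRecord(fresh_value(), fresh_value(), ip)
            self.records[username] = rec
        else:
            # Rule 4A: a voluntary password login is trusted, so sequence and
            # token stay (other devices remain valid); only the cookie is reissued.
            rec.ip_flips = 0
        return self._cookie(username, rec)

    def login_with_cookie(self, cookie: Dict[str, str], ip: str) -> Tuple[str, Optional[Dict[str, str]]]:
        """Returns (status, new_cookie); status is 'ok', 'password_required' or 'theft_suspected'."""
        username = cookie.get("username", "")
        rec = self.records.get(username)
        if rec is None or not hmac.compare_digest(rec.sequence, cookie.get("sequence", "")):
            # Unknown user or stale sequence: nothing to conclude, ask for the password.
            return "password_required", None
        if not hmac.compare_digest(rec.token, cookie.get("token", "")):
            # Rule 3B: sequence still valid but token is not, so someone else already
            # consumed this cookie. Invalidate everything; the caller should warn the user.
            self.invalidate(username)
            return "theft_suspected", None
        if ip == rec.ip:
            # Rule 4B: same IP, keep sequence and token, just reissue the cookie.
            return "ok", self._cookie(username, rec)
        # Rule 4C: different IP and no password. Rotate the token, so it bounces
        # between addresses; too many bounces is treated as theft.
        rec.ip_flips += 1
        if rec.ip_flips >= SUSPICIOUS_IP_FLIPS:
            self.invalidate(username)
            return "theft_suspected", None
        rec.token = fresh_value()
        rec.ip = ip
        return "ok", self._cookie(username, rec)


if __name__ == "__main__":
    svc = RememberMeService()
    stolen = svc.login_with_password("alice", "10.0.0.5")       # constructed addresses
    print(svc.login_with_cookie(stolen, "203.0.113.9")[0])      # thief: ok, token rotated
    print(svc.login_with_cookie(stolen, "10.0.0.5")[0])         # real user: theft_suspected
```

The status strings are returned rather than printed so a web handler can decide whether to set the new cookie, redirect to the password form, or show the warning from 3B. Note the residual problem from section 4 is visible in the rule 4C counter: a single user moving between networks with the same cookie also increments it.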
I think this is a good solution. A false impression of cookie theft can even be produced by "self-interfering" features such as QQ's rule that a new login kicks out the previous login.
This article was reposted from: http://coolshell.cn/articles/5353.html (Can you build a web user login feature?)