Security Cookie Login Status design scheme

We know that the Web is based on the HTTP protocol transmission, clear text transmission is extremely dangerous, any grab packet tool analysis under the packet, over, an encrypted transmission process should include two parts, part of the identity authentication, the user to identify the authenticity of this user, and the other part of the data encryption for the confidentiality of data. I probably did this: (1) Generate user authentication token    User login I will generate a token, which may consist of the following information: Username+ip+expiration+salt "Just for example", Then the composing information is encrypted with the reversible encryption function to get token, and the token is saved to the database and written to the cookie; (2) Finally, to verify the information, the user's login status    will be token decryption, verify the user username, if present, continue Then verify that the token is the same as the token stored in the database, if the same continues, the validity period of the cookie is expiration, if it is valid, verify that the IP changes, if the change jumps into the login ... You can even verify the user agent. (3) can be done single-terminal login, you can put tokens into the database, each login operation will inevitably change the value of token, the other end of the user will be token verification failure downline last description: 1. The above guarantees that tokens will be different every time you log in, which leads to the previous token " Neither cookie "expiration 2.cookie is valid for a maximum of one week

Security Cookie Login Status design scheme