The principle and example of PHP cookie recording login information

That's probably what I did:

(1) Generate user authentication token
After the user logs in I will generate a token that token may consist of the following information: Username+ip+expiration+salt "Just an example", then encrypt the composition information to the token with a reversible cryptographic function and save the token to the database. Write cookies;

(2) The last way to check the information to determine the user's login status
Decrypt the token, verify that the user username, if present, continue, and then verify that token is the same as the token in the database, if the same continues; Verify that the validity of the cookie is expiration, if it is valid to continue, verify that the IP is changing, and if the change jumps into the login ... You can even verify the user agent.

Example

PHP Session Application Instance--Login authentication:

The code is as follows

Copy Code

<title>Login</title> <meta http-equiv= "Content-type" content= "text/html; charset=gb2312 "> <body> <form name= "Form1" method= "Post" action= "login.php" > <table width= "border=" 0 "align=" center "cellpadding=" 2 "cellspacing=" 2 "> <tr> &LT;TD width= "><div" align= "right" > Username:</div></td> &LT;TD width= "><input" type= "text" name= "username" ></td> </tr> <tr> <td><div align= "Right" > Password:</div></td> <td><input type= "password" name= "passcode" ></td> </tr> <tr> <td><div align= "Right" >cookie save time:</div></td> <td><select name= "Cookie" id= "Cookie" > <option value= "0" selected> Browser process </option> <option value= "1" > Save 1 days </option> <option value= "2" > Save 30 days </option> <option value= "3" > Save 365 days </option> </select></td> </tr> </table> <p align= "center" > <input type= "Submit" name= "submit" value= "Submit" > <input type= "reset" name= "reset" value= "reset" > </p> </form> </body> --------------------------------------------------------------------------------------------------------------- ---------- <?php @mysql_connect ("localhost", "root", "1981427")//Select database before you need to connect to the database server Or Die ("Database server Connection Failed"); @mysql_select_db ("test")//Select Database MyDB Or Die ("database does not exist or not available"); Get user input $username = $_post[' username ']; $passcode = $_post[' passcode ']; Execute SQL statement to get the value of the session $query = @mysql_query ("Select Username, userflag from users" ." where username = ' $username ' and passcode = ' $passcode ') Or Die ("SQL statement execution failed"); Determine if the user exists and the password is correct if ($row = mysql_fetch_array ($query)) { Session_Start (); Mark the beginning of the session Determines whether the user's permission information is valid, or if 1 or 0 is valid if ($row [' userflag '] = = 1 or $row [' userflag '] = = 0) { $_session[' username ' = $row [' username ']; $_session[' userflag ' = $row [' Userflag ']; echo "<a href=" main.php "mce_href=" main.php "> Welcome to login, click here to enter the Welcome interface </a>"; } else//If the permission information is invalid output error message { echo "User right information is incorrect"; } } else//If the username and password are incorrect, the output error { echo "User name or password error"; } ?> --------------------------------------------------------------------------------------------------------------- ---------- <?php Session_Start (); unset ($_session[' username ')); unset ($_session[' passcode ')); unset ($_session[' Userflag ')); Finally completely destroy session. Session_destroy (); echo "Logout success"; ?> <?php Initializes the session. Session_Start (); /*** Delete all Session variables ... Unset ($_session[xxx]) can also be deleted individually. ****/ $_session = Array (); /*** deletes the Sessin ID. Because the session defaults to cookies, use Setcookie to delete the cookie.***/that contains the session ID if (Isset ($_cookie[session_name ())) { Setcookie (Session_name (), ', Time ()-42000, '/'); } Finally completely destroy session. Session_destroy (); ?> From this we can draw the step of deleting the session: ①session_start () ②$_session=array ()/unset ($_session[' xxx ') ③session_destroy () --------------------------------------------------------------------------------------------------------------- ---------- <?php Session_Start (); if (isset ($_session[' username ')) { @mysql_connect ("localhost", "root", "1981427")//Select database before you need to connect to the database server Or Die ("Database server Connection Failed"); @mysql_select_db ("test")//Select Database MyDB Or Die ("database does not exist or not available"); Get session $username = $_session[' username ']; Execute SQL statement to get Userflag value $query = @mysql_query ("Select Userflag from Users" ." where username = ' $username ') Or Die ("SQL statement execution failed"); $row = Mysql_fetch_array ($query); The information in the current database is judged by comparison with the message in the session, and the session information is updated if different. if ($row [' Userflag ']!= $_session[' Userflag ']) { $_session[' userflag ' = $row [' Userflag ']; } Output different welcome information according to the session value if ($_session[' userflag '] = = 1) echo "Welcome admin". $_session[' username '. " Login System "; if ($_session[' userflag '] = = 0) echo "Welcome user". $_session[' username '. " Login System "; echo "<a href=" logout.php "mce_href=" logout.php "> Logoff </a>"; } Else { echo "You do not have permission to access this page"; } ?> --------------------------------------------------------------------------------------------------------------- ---------- -------------------------------------------------------------Cookie Logon Authentication instance--------------------------------------------- <title>Login</title> <meta http-equiv= "Content-type" content= "text/html; charset=gb2312 "> <body> <form name= "Form1" method= "Post" action= "login.php" > <table width= "border=" 0 "align=" center "cellpadding=" 2 "cellspacing=" 2 "> <tr> &LT;TD width= "><div" align= "right" > Username:</div></td> &LT;TD width= "><input" type= "text" name= "username" ></td> </tr> <tr> <td><div align= "Right" > Password:</div></td> <td><input type= "password" name= "passcode" ></td> </tr> <tr> <td><div align= "Right" >cookie save time:</div></td> <td><select name= "Cookie" id= "Cookie" > <option value= "0" selected> Browser process </option> <option value= "1" > Save 1 days </option> <option value= "2" > Save 30 days </option> <option value= "3" > Save 365 days </option> </select></td> </tr> </table> <p align= "center" > <input type= "Submit" name= "submit" value= "Submit" > <input type= "reset" name= "reset" value= "reset" > </p> </form> </body> --------------------------------------------------------------------------------------------------------------- ---------- <?php @mysql_connect ("localhost", "root", "1981427")//Select database before you need to connect to the database server Or Die ("Database server Connection Failed"); @mysql_select_db ("test")//Select Database MyDB Or Die ("database does not exist or not available"); Get user input $username = $_post[' username ']; $passcode = $_post[' passcode ']; $cookie = $_post[' Cookie ']; Execute SQL statement $query = @mysql_query ("Select Username, userflag from users" ." where username = ' $username ' and passcode = ' $passcode ') Or Die ("SQL statement execution failed"); Determine if the user exists and the password is correct if ($row = mysql_fetch_array ($query)) { if ($row [' userflag '] = = 1 or $row [' userflag '] = = 0)//Determine whether the user rights information is valid { Switch ($cookie)//Set cookie save time based on user's choice { Case 0://Save cookie for browser process Setcookie ("username", $row [' username ']); Break Case 1://Save 1 days Setcookie ("username", $row [' username '], time () +24*60*60); Break Case 2://Save 30 days Setcookie ("username", $row [' username '], time () +30*24*60*60); Break Case 3://Save 365 Days Setcookie ("username", $row [' username '], time () +365*24*60*60); Break } Header ("location:main.php"); Auto Jump to main.php } Else { echo "User right information is incorrect"; } } Else { echo "User name or password error"; } ?> --------------------------------------------------------------------------------------------------------------- ---------- <?php Session_Start (); if (isset ($_cookie[' username ')) { @mysql_connect ("localhost", "root", " 1981427 ")     //Select database before you need to connect to the database server or Die (" Database server Connection Failed "); @mysql_select_db (" test ")      //Select database MyDB or Die ("database does not exist or unavailable"); //Get session $username = $_cookie[' Username ']; //Execute SQL statement get Userflag value $query = @mysql_query (select Userflag from Users .) where username = ' $username ') or Die ("SQL statement execution failed"); $row = Mysql_fetch_array ($query); //Get user rights information $flag = $ row[' Userflag ']; //Output different welcome information according to the value of Userflag if ($flag = = 1) echo "Welcome administrator". $_cookie[' username '. " Login System "; if ($flag = = 0) echo "Welcome user". $_cookie[' username '. " Login System "; echo "<a href=" logout.php "mce_href=" logout.php "> Logoff </a>"; } Else { echo "You do not have permission to access this page"; } ? --------------------------------------------------------------------------------------------------------------- ---------- <?php Setcookie ("username"); echo "Logout success"; ?>

Final Note:

1. The above guarantee that token each login will be different, this time leading to the previous token "both cookies" invalid

2.cookie is best valid for less than a week

3. Save the User ID and a password in the client cookies (rules only I know)

4. If the program detects the client's stored cookie ID. To verify with the database password, if consistent, return the corresponding user login information, otherwise return false

It's not good to feel efficient or safe.

1. Users visit each page to verify with the database
2. Although the rule is very complex, save on the client still exists the possibility of being cracked