Website automatic login function design [repost]

Source: Internet
Author: User
Tags: account security

Automatic login ("remember me") has always been a useful feature for improving the user experience, but if it is designed badly it makes leaking the user's account information very easy.

A common implementation keeps the user's login information in a browser cookie. Sites with flawed designs that store the user name and password themselves in the cookie are a dangerous sight. The design is simple and the feature is easy to implement, but it greatly increases the risk of leaking the account. Even if the stored password is encrypted or hashed it is still not advisable: a weakly encrypted or hashed password can be recovered offline, and anything the browser can decrypt, whoever holds the cookie can decrypt too.

Of course, an automatic-login feature must keep some login credential (a token) in the browser's cookie; this token is the key that logs the browser in as the user. When the user returns, the token sent by the browser is compared with the token stored on the server side: if the two match, verification succeeds, and if they differ, it fails.

The token should contain some randomness (the date, a random number and so on) and then be passed through an irreversible (one-way) hash, for example:

```java
String token = Utils.MD5(user.getUsername() + System.currentTimeMillis());
```

A token like this does not reveal any of the user's information, but that is not the same as being unguessable: its only inputs are the user name and a millisecond timestamp, so anyone who knows the user name and roughly when the user logged in can enumerate the candidate tokens. Irreversibility of the hash is not what protects a token; unpredictability is, so generate it from a cryptographically secure random source (java.security.SecureRandom) rather than from the user name and the clock. After the token is generated it is saved to the database for later verification, then sent to the browser and stored in the client's cookie. It should also be marked HttpOnly (Cookie.setHttpOnly(true), available since Servlet 3.0) and, on an HTTPS site, Secure, so that injected script and plain-HTTP requests cannot expose it. The reference code is as follows; the cookie is valid for 10 days, after which it expires:

```java
Cookie cookieToken = new Cookie("token", token);
cookieToken.setMaxAge(10 * 24 * 60 * 60); // 10 days, in seconds
cookieToken.setPath("/");
response.addCookie(cookieToken);
```
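To make the guessability point concrete, here is an added example (editor's code, not from the original post) that reproduces the post's token formula with a plain-JDK stand-in for the post's Utils.MD5 helper (assumed to return lowercase hex), then recovers the login timestamp, and with it the token, by trying every millisecond in a two-minute window around a guessed login time. The comparison is done locally against the stored value to show how small the search space is; against a live site each candidate would be one request, so only rate limiting would stand in the way. The login time and user name are constructed for the demo, and strongToken shows the SecureRandom replacement.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example, not the original post's code: why MD5(username + currentTimeMillis)
 * is a guessable token, and what to generate instead.
 */
public class TokenDemo {

    /** Hex MD5, standing in for the post's Utils.MD5 helper (assumed to behave like this). */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The post's formula: token = MD5(username + System.currentTimeMillis()). */
    static String weakToken(String username, long loginMillis) {
        return md5Hex(username + loginMillis);
    }

    /**
     * Recover the login time, and therefore the token, knowing only the user name and a
     * rough login time: try every millisecond within +/- windowMillis of the guess.
     * Returns the matching millisecond value, or -1 if no candidate in the window matches.
     */
    static long guessWeakToken(String username, String storedToken, long guessMillis, long windowMillis) {
        for (long t = guessMillis - windowMillis; t <= guessMillis + windowMillis; t++) {
            if (weakToken(username, t).equals(storedToken)) {
                return t;
            }
        }
        return -1;
    }

    /** 256 bits from a CSPRNG: unguessable no matter what the attacker knows about the user. */
    static String strongToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String user = "alice";                       // constructed user name
        long actualLogin = 1387238400000L;           // constructed: 2013-12-17 00:00:00 UTC, ten days before the expiry shown in the post
        String stored = weakToken(user, actualLogin); // what the post's scheme would save in the database

        // The attacker knows the user name and that alice logged in "around" this time.
        long guess = actualLogin + 20_000;           // guess is 20 seconds off
        long found = guessWeakToken(user, stored, guess, 60_000); // +/- 60 s: 120,001 MD5 computations
        System.out.println("weak token recovered from username + approximate time: " + (found == actualLogin));
        System.out.println("recovered value: " + stored);

        System.out.println("SecureRandom replacement: " + strongToken());
    }
}
```

Widening the window to a whole day costs only 86 million hashes, which a laptop finishes in well under a minute, so narrowing the attacker's knowledge of the login time does not rescue the formula; the fix is to remove every predictable input, as strongToken does.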

When a user logs into our website and views the cookie information in the browser, a token record can be found:


The token value here is the MD5 value produced by the code above; the domain is our site's domain (localhost, since this is the test environment); the valid path is /, the root; and the cookie is valid until December 27, 2013.

Because of the way the browser manages cookies, when the user logs out and later visits our site again, the browser still sends the cookie along with the request to the server, as shown:


The following is the implementation of the login-page request under the Spring MVC framework. (The check really belongs in a filter: every request should verify that the user is logged in, and if not, check the token and log the user in automatically with it.)

```java
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(@CookieValue(value = "token", required = false) String token) {
    if (!StringUtils.isEmpty(token)) {
        if (this.userService.checkToken(token)) {
            updateCookie();    // refresh the token: the one just used is now spent
            createSession();   // create the session
            return "redirect:/user/list";
        }
    }
    return "admin/login";
}
```

When the browser requests the login page it sends the token along. The server reads it; if the token is present and non-empty, it is compared with the token stored in the database. If they match, authentication passes and the login succeeds; if they differ, the login fails.

Verification succeeds: update the token. That is, a token can be used for exactly one login; once it has been verified it is deleted and replaced by a new one.

Verification fails: jump to the login page.
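The server side of this flow (store, compare, rotate) as an added example, editor's code rather than the post's userService. It goes slightly beyond the post's single-value token: the cookie value is split into a selector and a verifier, the table is looked up by the selector and stores only SHA-256(verifier), so a dumped table yields no usable cookies and the lookup leaks no timing information about the secret part, and every successful use deletes the row and issues a fresh token, which is the single-use rule the post describes. The HashMap stands in for the post's database table, and the user name and timestamps in main are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not the original post's code: a server-side store for auto-login
 * tokens. Cookie value = "selector.verifier"; only SHA-256(verifier) is stored.
 * The HashMap stands in for the post's database table (assumption).
 */
public class RememberMeStore {

    static final Duration LIFETIME = Duration.ofDays(10);   // same 10 days as the cookie's max age

    /** One row of the (hypothetical) token table. */
    static final class Row {
        final String username;
        final byte[] verifierHash;
        final Instant expiresAt;
        Row(String username, byte[] verifierHash, Instant expiresAt) {
            this.username = username; this.verifierHash = verifierHash; this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Row> table = new HashMap<>();   // selector -> row
    private final SecureRandom rng = new SecureRandom();

    private String randomUrlSafe(int bytes) {
        byte[] raw = new byte[bytes];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issue a token for username; the returned string is what goes into the cookie. */
    public String issue(String username, Instant now) {
        String selector = randomUrlSafe(12);    // 96-bit lookup key, stored in clear
        String verifier = randomUrlSafe(32);    // 256-bit secret, stored only as a hash
        table.put(selector, new Row(username, sha256(verifier), now.plus(LIFETIME)));
        return selector + "." + verifier;
    }

    /**
     * Validate a cookie value. On success the old row is removed, a new token is issued,
     * and {username, newToken} is returned so the caller can create the session and
     * rewrite the cookie. Any failure returns empty; if the selector was known, the row
     * is removed as well, since a wrong verifier for a real selector means the cookie
     * was stolen or tampered with.
     */
    public Optional<String[]> redeem(String cookieValue, Instant now) {
        if (cookieValue == null) return Optional.empty();
        int dot = cookieValue.indexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) return Optional.empty();
        String selector = cookieValue.substring(0, dot);
        String verifier = cookieValue.substring(dot + 1);

        Row row = table.get(selector);
        if (row == null) return Optional.empty();
        table.remove(selector);                                   // single use, whatever happens next
        if (now.isAfter(row.expiresAt)) return Optional.empty();  // expired server-side, even if the cookie lingers
        if (!MessageDigest.isEqual(sha256(verifier), row.verifierHash)) return Optional.empty(); // constant-time compare

        String fresh = issue(row.username, now);                  // rotate: the spent token is gone, a new one replaces it
        return Optional.of(new String[] { row.username, fresh });
    }

    public static void main(String[] args) {
        RememberMeStore store = new RememberMeStore();
        Instant t0 = Instant.parse("2013-12-17T00:00:00Z");       // constructed timeline
        String cookie = store.issue("alice", t0);

        // First presentation of the cookie: the user is logged in and gets a new token.
        Optional<String[]> first = store.redeem(cookie, t0.plus(Duration.ofDays(3)));
        System.out.println("first use accepted: " + first.isPresent());

        // Replaying the same cookie value: the row was consumed, so it must be refused.
        System.out.println("replay accepted:    " + store.redeem(cookie, t0.plus(Duration.ofDays(3))).isPresent());

        // The rotated token, presented after its 10-day lifetime: refused by the server-side expiry.
        String rotated = first.get()[1];
        System.out.println("expired accepted:   " + store.redeem(rotated, t0.plus(Duration.ofDays(14))).isPresent());
    }
}
```

In the controller from the post, checkToken would call redeem and, on success, createSession would use the returned user name while updateCookie writes the returned fresh token into the cookie with the same 10-day max age.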

For most sites such a design is basically enough to keep the user's account secure. If more security is wanted, the client IP can be checked at the same time, making the mechanism a token + IP double check. The drawback is that the client IP is not a reliable identifier: if the user came through a proxy, or their address simply changed, the IP differs between visits and automatic login is impossible. A cheaper improvement that does not break for proxied or mobile users is to store only a hash of the token on the server, so that a leaked database does not hand out working cookies.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
