WeChat account binding

Source: Internet
Author: User
This article introduces binding a WeChat public-account user to a website account. Original address: http://hello1010.com/bind-wechat/

A two-dimensional bar code (QR code) records data in a geometric pattern laid out according to fixed rules over a plane, that is, in two dimensions. Its encoding borrows the "0" and "1" bit streams that make up the internal logic of computers: a set of geometric shapes corresponding to binary values represents text and numeric data, and an image input device or photoelectric scanner reads the pattern automatically so the information can be processed.

In recent years QR codes have been adopted widely and have taken to the market like a fish to water: QR code payment, QR code login, QR code business cards, and so on. The QR code has become an important link between online and offline in O2O. Pony Ma has also said that "the QR code is a key entry point between online and offline".

Nowadays many websites have built their own complete user account systems. In an era when everyone is on WeChat, the development and operation of a public account has to be considered, because it offers a good O2O solution and, more importantly, a healthy ecosystem that keeps improving.

After a user follows the public account there will be interactions, and during these the user's identity (the corresponding account on the website) may be needed, for example to place an order or query orders from within the public account. The question is: for the same person, how do we establish the correspondence between the public-account user (openid) and the website user (userid)? This process is called binding.


To simplify the discussion, I have summarized the following two scenarios:

1. the user is registered on our website but has not followed our public account;
2. the user is not registered but has followed our public account.

For the above two cases, we will discuss them separately.

Scenario 1

The user is already registered on our website but has not followed our public account. The user first logs on to the website, which provides a binding entry point in a suitable place, such as personal settings. The binding process is as follows:


WeChat's QR code generation interface is used to generate a QR code with parameters.

For QR codes with parameters, the official documentation says:

Currently there are two types of QR codes: temporary and permanent. The former has an expiration time of up to 1800 seconds but can be generated in large numbers. The latter has no expiration time, but only a small number can exist (currently only a limited range of scene parameters is supported). Both kinds are applicable to account binding, user source statistics and similar scenarios.

Obviously a temporary QR code is the better fit: a fresh one can be generated on every page load or refresh.

Because the QR code can carry a scene value (scene_id), when a user scans a QR code with a scene value the WeChat server pushes that scene value to our own server; once we have it we can run our verification and binding logic. Note: generating QR codes with parameters requires a verified service account.

A complete binding process should be as follows:

① Log on to the web page and click "bind account";
② The backend calls the QR code interface to generate a QR code link, returns it to the front end for display, and establishes the mapping between scene value A and the user;
③ The user scans the QR code and follows the public account (skip to ④ if the user already follows it);
④ The backend receives the scene value pushed by the WeChat server;
⑤ The backend looks up the user ID corresponding to scene value A (using the mapping established in ②);
⑥ The correspondence between the user's userid and openid is established;
⑦ A "binding successful" message is pushed to the user's client;
⑧ The front-end page is notified that binding is complete, refreshes, and returns some account information. Binding is complete.

In step ②, "establish the mapping between scene value A and the user": because the user is already logged on, when they click "bind account" the backend can allocate a temporary scene value A and record the relationship between A and the user ID. For a website with few users, APC in PHP can cache this mapping directly, with an expiration time equal to that of the temporary QR code.

Because HTTP has no push mechanism, the simplest approach is for the page to poll, checking whether binding has completed, and to refresh once it has.
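The Scenario 1 steps above, as an added example rather than code from the original post: an in-memory stand-in for the APC cache holds the scene-value mapping, the pushed scan event consumes it to create the binding, and the polling check reads the result. The function names, the constructed openids and the use of the 1800-second temporary QR code lifetime as the mapping's TTL are assumptions.

```php
<?php
// Added example (not from the original post): Scenario 1's scene-value mapping
// and binding. A plain array stands in for the APC cache; function names and
// the 1800 s lifetime (the temporary QR code maximum) are assumptions.
const SCENE_TTL = 1800;

$sceneToUser  = [];   // scene_id => ['userid' => ..., 'expires' => ...]
$openidToUser = [];   // openid   => userid  (the binding itself)

// Step ②: a logged-in user clicks "bind account". Allocate a fresh scene
// value and remember which user it belongs to, expiring with the QR code.
function createScene(int $userid): int {
    global $sceneToUser;
    do {
        $sceneId = random_int(1, 100000);       // constructed range
    } while (isset($sceneToUser[$sceneId]));
    $sceneToUser[$sceneId] = ['userid' => $userid, 'expires' => time() + SCENE_TTL];
    return $sceneId;
}

// Steps ④-⑥: WeChat pushes the event. A new follower's EventKey is
// "qrscene_<scene_id>" (subscribe event); an existing follower's is the bare
// scene_id (SCAN event). Bind only for a known, unexpired scene, and consume
// it so a replayed event cannot attach a second openid to the same user.
function handleScanEvent(string $openid, string $eventKey): bool {
    global $sceneToUser, $openidToUser;
    $sceneId = (int) preg_replace('/^qrscene_/', '', $eventKey);
    if (!isset($sceneToUser[$sceneId])) {
        return false;                            // unknown scene: ignore
    }
    $entry = $sceneToUser[$sceneId];
    unset($sceneToUser[$sceneId]);               // single use
    if ($entry['expires'] < time()) {
        return false;                            // QR code already expired
    }
    $openidToUser[$openid] = $entry['userid'];
    return true;
}

// Step ⑧: the page polls this until the binding shows up, then refreshes.
function isBound(int $userid): bool {
    global $openidToUser;
    return in_array($userid, $openidToUser, true);
}

// Constructed walk-through: a scan binds the user; the same scene value
// presented again is rejected because the mapping was consumed.
$scene  = createScene(42);
$first  = handleScanEvent('oConstructedOpenidA', 'qrscene_' . $scene);  // new follower
$replay = handleScanEvent('oConstructedOpenidB', (string) $scene);      // scene consumed
$bound  = isBound(42);
```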

After binding, whenever the user interacts with our public account, the corresponding userid can be looked up from the openid, completing identification; the order query mentioned above can then be served.

The entire binding process is not complicated, and implementation is not too difficult. The most important thing is the idea.

Scenario 2

Scenario 2 is slightly more involved for users, because they must complete logon/registration on a web page on their phone. If the registration process is long and cumbersome, this approach is not recommended.

Process:


The binding process above integrates the registration process, which is why it looks complicated; it is not hard to implement. We will focus on security, because account binding touches user information. Two issues need to be considered:

1. How to prevent the link from being forged

The login/registration link must be generated by our own server and must not be forgeable by others. The method WeChat uses to verify the validity of a server address (signature, timestamp and nonce) can be borrowed here. A secure logon link can therefore look like this:

http://api.hello1010.com/wechat/login.html?openid=x1&signature=x2&timestamp=x3&nonce=x4&echostr=x5

Signature verification code:

```php
private function checkSignature() {
    // All three values must be present; a missing parameter fails the check.
    if (!isset($_GET["signature"], $_GET["timestamp"], $_GET["nonce"])) {
        return false;
    }
    $signature = $_GET["signature"];
    $timestamp = $_GET["timestamp"];
    $nonce     = $_GET["nonce"];

    // TOKEN is the token configured for the public account (or a separate value).
    $token  = TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);          // WeChat's scheme: sort the three strings,
    $tmpStr = implode($tmpArr);          // concatenate them, then sha1
    $tmpStr = sha1($tmpStr);

    // hash_equals() instead of ==: constant-time comparison, and it avoids PHP's
    // loose comparison treating two "0e..." strings as equal numbers.
    return hash_equals($tmpStr, $signature);
}
```

The token can be the same as the one configured in the public-account backend, or a different value; for better security we recommend using a different value.

2. How to ensure that the openid can be trusted

Consider this scenario: user A opens the logon page, copies the logon link into a browser, replaces the openid with user B's openid, and then logs on with user A's account and password. User A's userid is now bound to user B's openid, which is obviously insecure.

There are several solutions. For example, the openid can be encrypted: as long as the encryption method stays secret, an encrypted openid cannot be forged. If you do not want to encrypt the openid, tie the openid to the signature on the server side when generating the link, so that tampering with the openid causes the signature check to fail.

Remember, never trust the information sent from the client.
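The second solution above (tying the openid to the signature), as an added example that is not code from the original post: the login link is signed over the openid, timestamp and nonce together, so both forged links and swapped openids are caught by one server-side check. LINK_SECRET, the 300-second validity window, the use of HMAC-SHA256 instead of the sha1 scheme, and the function names are assumptions; the query parameters follow the link shown in the text.

```php
<?php
// Added example (not from the original post): a Scenario 2 login link whose
// signature also covers the openid, so the forged-link and swapped-openid
// problems are handled together. LINK_SECRET, the 300 s window, the HMAC and
// the function names are assumptions; the query parameters follow the link in
// the text (echostr is omitted; WeChat only uses it for URL verification).
const LINK_SECRET = 'constructed-server-side-secret'; // not the public-account TOKEN
const LINK_TTL    = 300;

// Including the openid in the signed data means editing it in the URL
// invalidates the signature; HMAC keeps the secret unrecoverable from links.
function signLogin(string $openid, int $timestamp, string $nonce): string {
    return hash_hmac('sha256', $openid . '|' . $timestamp . '|' . $nonce, LINK_SECRET);
}

function buildLoginLink(string $openid): string {
    $timestamp = time();
    $nonce     = bin2hex(random_bytes(8));
    $query = http_build_query([
        'openid'    => $openid,
        'timestamp' => $timestamp,
        'nonce'     => $nonce,
        'signature' => signLogin($openid, $timestamp, $nonce),
    ]);
    return 'http://api.hello1010.com/wechat/login.html?' . $query;
}

// Run before showing the login/registration form. Returns the trusted openid,
// or null if any parameter is missing, stale, or was altered.
function verifyLoginLink(array $params): ?string {
    foreach (['openid', 'timestamp', 'nonce', 'signature'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) {
            return null;
        }
    }
    if (abs(time() - (int) $params['timestamp']) > LINK_TTL) {
        return null;                                   // stale link
    }
    $expected = signLogin($params['openid'], (int) $params['timestamp'], $params['nonce']);
    // hash_equals(): constant time, and no loose-== surprises with "0e..." strings.
    return hash_equals($expected, $params['signature']) ? $params['openid'] : null;
}

// Constructed walk-through: a genuine link passes; user A then swaps in
// user B's openid (the case described above) and the same check fails.
$link = buildLoginLink('oConstructedOpenidA');
parse_str(parse_url($link, PHP_URL_QUERY), $params);
$trusted  = verifyLoginLink($params);                  // openid returned only if intact
$params['openid'] = 'oConstructedOpenidB';
$tampered = verifyLoginLink($params);                  // openid no longer covered by signature
```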

Extended applications

After binding, some simple applications become possible. For example, the company holds an offline road show; attendees must register beforehand and sign in on site.

This is a typical O2O example and can be implemented as follows:


The "bind user" sub-process is the process from Scenario 2. The registration interaction is not described here, since it differs for every business.

A user who has already completed binding only needs to register and then scan a QR code to sign in; the experience is quite smooth.

If you have any questions, please contact me!

