WeChat account Binding

Source: Internet
Author: User
Tags: openid
Original address: http://hello1010.com/bind-wechat/

A two-dimensional barcode (2-D code, QR code) is a black-and-white graphic in which geometric patterns are laid out in a plane (two dimensions) according to a defined rule in order to record data. It builds on the same "0" and "1" bit stream that underlies computer logic: several geometric shapes corresponding to binary values represent text and numeric information, and an image input device or photoelectric scanner reads them automatically so that the information can be processed automatically.

In recent years QR codes have been applied very widely, and their promotion and adoption can fairly be called thriving: QR-code payment, QR-code login, QR-code membership cards and so on. The QR code has become an important link between online and offline. Pony Ma of Tencent has also called the QR code "a key entry point for offline".

Many websites now have a complete user account system of their own. In an era when everyone is on WeChat, developing and operating a public account is worth considering, not to follow a trend but for the convenience of users: it provides a good solution and, more importantly, a healthy ecosystem that keeps improving.

When a user follows the public account there will be some interaction, and that interaction may need the user's identity (that is, the corresponding site account), for example placing or querying orders from within the public account. So here is the problem: for one and the same person, how do we establish the correspondence between the public-account user (OpenID) and the website user (userid)? We call this process binding.


To simplify the discussion, I summarize two scenarios:

First, the user has registered as a user of our website but has not yet followed our public account;
Second, the user has not registered but has already followed our public account.

These two cases are discussed separately below.

Scenario One

The user has registered as a website user but has not yet followed our public account. Here the user is required to log in to the site, and a binding entry is offered in an appropriate place, such as the personal settings page. The binding process is as follows:


The QR-code generation feature needed here is "generate a QR code with parameters".

On such QR codes, the official documentation says:

There are currently two types of QR code, temporary and permanent. The former has an expiry time, at most 1800 seconds, but a large number can be generated; the latter has no expiry time, and the number is smaller (currently the parameter only supports 1 to 100000). The two kinds of QR code are suitable for scenarios such as account binding and user source statistics respectively.

Obviously the temporary QR code is the more appropriate choice for us; a fresh one can be generated each time the user refreshes the page.

Because the QR code can carry a scene value (scene_id), when a user scans a QR code with a scene value, WeChat's server pushes that scene value to our own server; once we have the scene value we can run the verification and binding logic. Note: generating QR codes with parameters requires a verified service account.

A complete binding process should look like this:

① The user logs in to the web page and clicks "Bind account";
② The back end calls the interface, generates the QR-code link, returns it to the front end for display, and records the correspondence between scene value A and the user;
③ The user scans the QR code and taps "Follow" on the public account (if already following, skip straight to ④);
④ The back end receives the scene value A pushed by WeChat's server;
⑤ The back end looks up the corresponding user ID from scene value A (relying on the relationship recorded in ②);
⑥ The back end records the correspondence between the user's UserID and OpenID;
⑦ A "binding successful" message is pushed to the user's WeChat client;
⑧ The front-end page is notified that binding is complete, refreshes, and shows some account information. Binding is done.

Regarding ②, "record the correspondence between scene value A and the user": because the user is logged in, when they click "Bind account" we can allocate a temporary scene value A in the back end and associate it with the user ID. For a site with a small number of users, PHP's APC cache can be used directly, with an expiry time equal to that of the temporary QR code. The scene value should be unpredictable and should be consumed on first use, so that a shared or leaked QR image cannot bind a second OpenID to the same account later.

Regarding ⑧, because HTTP has no server push mechanism, the simplest approach is for the page to poll whether the binding has completed and refresh once it has.
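The Scenario One flow above as a runnable sketch, added here as an example and not code from the original post: a plain PHP array stands in for the APC cache, WeChat's API is not actually called (the function only builds the request body for /cgi-bin/qrcode/create), and the pushed event is a constructed XML message in the format WeChat's documentation gives for scan events. Function and variable names are this example's own. It also covers two points the step list does not spell out: the scene value is generated unpredictably, and it is consumed on first use so a leaked QR image cannot bind a second OpenID later.

```php
<?php
// Added example (not from the original post): Scenario One binding flow with an
// in-memory store standing in for the APC cache the post mentions. Function and
// variable names are this example's own; the XML event fields and the
// /cgi-bin/qrcode/create request body follow the WeChat public-platform docs.

const SCENE_TTL = 1800;            // lifetime of the temporary QR code, in seconds

$sceneStore = [];                  // scene_id => ['user_id' => ..., 'expires' => ...]
$bindings   = [];                  // openid   => user_id

// Step ②: called after the logged-in user clicks "Bind account".
// Returns the scene id plus the JSON body for POST /cgi-bin/qrcode/create.
function createBindingScene(array &$sceneStore, int $userId, int $now): array
{
    // Unpredictable, non-zero 32-bit scene id: nobody should be able to guess
    // which scene value belongs to which logged-in user.
    do {
        $sceneId = random_int(1, 0x7fffffff);
    } while (isset($sceneStore[$sceneId]));

    $sceneStore[$sceneId] = ['user_id' => $userId, 'expires' => $now + SCENE_TTL];

    $body = [
        'expire_seconds' => SCENE_TTL,
        'action_name'    => 'QR_SCENE',
        'action_info'    => ['scene' => ['scene_id' => $sceneId]],
    ];
    return ['scene_id' => $sceneId, 'request_body' => json_encode($body)];
}

// Steps ④-⑥: handle the event WeChat pushes when the QR code is scanned.
// Returns the user id that was bound, or null when nothing was bound.
function handleScanEvent(array &$sceneStore, array &$bindings, string $xml, int $now): ?int
{
    // LIBXML_NONET: never fetch external resources while parsing pushed XML.
    $msg = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($msg === false || (string) $msg->MsgType !== 'event') {
        return null;
    }
    $event = (string) $msg->Event;
    $key   = (string) $msg->EventKey;

    // A user who subscribes by scanning gets Event=subscribe, EventKey=qrscene_<id>;
    // a user who is already subscribed gets Event=SCAN, EventKey=<id>.
    if ($event === 'subscribe' && strncmp($key, 'qrscene_', 8) === 0) {
        $key = substr($key, 8);
    } elseif ($event !== 'SCAN') {
        return null;                 // plain subscribe without a scene, unsubscribe, ...
    }
    if (!ctype_digit($key) || !isset($sceneStore[(int) $key])) {
        return null;                 // unknown or already-consumed scene value
    }
    $sceneId = (int) $key;
    $scene   = $sceneStore[$sceneId];
    unset($sceneStore[$sceneId]);    // one-time use: a second scan of a leaked code must not rebind

    if ($scene['expires'] < $now) {
        return null;                 // the temporary QR code has expired
    }

    $openid = (string) $msg->FromUserName;
    if (isset($bindings[$openid]) && $bindings[$openid] !== $scene['user_id']) {
        return null;                 // OpenID already belongs to another site account; do not silently re-bind
    }
    $bindings[$openid] = $scene['user_id'];
    return $scene['user_id'];
}

// Step ⑧: what the polling front end asks, "is my account bound yet?"
function isBound(array $bindings, int $userId): bool
{
    return in_array($userId, $bindings, true);
}

// --- Walk-through with a constructed scan event (not a real WeChat message) ---
$now   = time();
$scene = createBindingScene($sceneStore, 1001, $now);

$pushedXml = "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
    . "<FromUserName><![CDATA[oABCD_example_openid]]></FromUserName>"
    . "<CreateTime>{$now}</CreateTime><MsgType><![CDATA[event]]></MsgType>"
    . "<Event><![CDATA[subscribe]]></Event>"
    . "<EventKey><![CDATA[qrscene_{$scene['scene_id']}]]></EventKey>"
    . "<Ticket><![CDATA[ticket_example]]></Ticket></xml>";

var_dump(handleScanEvent($sceneStore, $bindings, $pushedXml, $now + 10));
var_dump(isBound($bindings, 1001));
var_dump(handleScanEvent($sceneStore, $bindings, $pushedXml, $now + 20));
```

Run it with the php command-line binary. The first handleScanEvent call binds the constructed OpenID to user 1001 and isBound then reports true; the second call with the very same event returns null, because the scene value was deleted from the store on first use. In production the scene store would be APC or a shared cache with the same expiry, and the openid-to-userid binding would live in the database.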

Once binding is complete, whenever the user interacts with our public account the corresponding userid can be looked up from the OpenID, which completes identification. The ordering and order-query features mentioned earlier can then be implemented.

The whole binding process is not complex and the implementation has little technical difficulty; the key is the idea.

Scenario Two

In Scenario Two the operation is slightly more complicated for the user, because they have to complete login or registration in a web page inside the WeChat client. If the registration process is complex and cumbersome, this approach is not recommended.

Process:


The binding process above integrates the registration process, so it looks more complex. Implementation is not too difficult; we focus on security, because binding accounts involves the user's information security. Consider two issues:

1. How to prevent the link from being forged

The login/registration link must be guaranteed to have been generated by our own server and not forgeable by others. The method WeChat itself uses to verify the validity of a developer server address can be borrowed. A more secure login link could look like:

http://api.hello1010.com/wechat/login.html?openid=x1&signature=x2&timestamp=x3&nonce=x4&echostr=x5

Code to verify the signature:

private function checkSignature()
{
    // Same scheme WeChat uses to verify a server URL: sha1 over the lexically
    // sorted token, timestamp and nonce must equal the signature parameter.
    if (!isset($_GET["signature"], $_GET["timestamp"], $_GET["nonce"])
        || !is_string($_GET["signature"])) {
        return false;
    }
    $signature = $_GET["signature"];
    $timestamp = $_GET["timestamp"];
    $nonce     = $_GET["nonce"];

    $token  = TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);
    $tmpStr = implode($tmpArr);
    $tmpStr = sha1($tmpStr);

    // hash_equals() compares in constant time and avoids PHP's loose "==",
    // under which two different hex strings of the form "0e..." compare equal.
    return hash_equals($tmpStr, $signature);
}

The token can be the same as the one configured in the public account back end, or a different one; a separate, stronger token is recommended. Note that this signature covers only the timestamp and nonce, not the OpenID, which is exactly the gap the next point addresses.

2. How to ensure that the OpenID is trustworthy

Consider this scenario: user A opens the login page, copies the login link into a browser, replaces the OpenID with user B's OpenID, and logs in with A's own account and password. This binds A's userid to B's OpenID, which is obviously unsafe.

There are many solutions. For example, the OpenID can be encrypted; as long as the key stays secret, the user cannot forge an encrypted OpenID. If you do not want to encrypt the OpenID, the server can instead compute the signature over the OpenID when it builds the link, so that a tampered OpenID fails the check.

Remember: never trust information sent by the client.
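Both issues above in one added example (this is not the original author's code): the login link carries an HMAC over the OpenID, timestamp and nonce, so a swapped OpenID fails verification, and the timestamp is checked for freshness so a copied link cannot be replayed indefinitely. The secret, the parameter names, the https scheme and the five-minute validity window are assumptions of this example; the host name is the one from the link above.

```php
<?php
// Added example (not from the original post): a login link whose signature covers
// the OpenID, so swapping in another user's OpenID fails verification. The secret,
// parameter names and the 5-minute window are this example's assumptions.

const LINK_SECRET  = 'replace-with-a-long-random-secret-kept-only-on-the-server';
const LINK_MAX_AGE = 300;    // seconds a login link stays valid

function signLoginParams(string $openid, string $timestamp, string $nonce, string $secret): string
{
    // HMAC rather than sha1(token . timestamp . nonce): the OpenID is part of the
    // signed message, and the MAC key never appears in the link.
    return hash_hmac('sha256', $openid . '|' . $timestamp . '|' . $nonce, $secret);
}

// Server side, when the public account sends the user to the login page.
function buildLoginLink(string $openid, string $secret, int $now): string
{
    $timestamp = (string) $now;
    $nonce     = bin2hex(random_bytes(16));
    $query = http_build_query([
        'openid'    => $openid,
        'timestamp' => $timestamp,
        'nonce'     => $nonce,
        'signature' => signLoginParams($openid, $timestamp, $nonce, $secret),
    ]);
    return 'https://api.hello1010.com/wechat/login.html?' . $query;
}

// Server side, when the login page is requested: $params is normally $_GET.
// Returns the trusted OpenID, or null if the link is forged, tampered with, or stale.
function verifyLoginLink(array $params, string $secret, int $now): ?string
{
    foreach (['openid', 'timestamp', 'nonce', 'signature'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k]) || $params[$k] === '') {
            return null;
        }
    }
    if (!ctype_digit($params['timestamp'])
        || abs($now - (int) $params['timestamp']) > LINK_MAX_AGE) {
        return null;                         // expired (or badly skewed) link: limits replay
    }
    $expected = signLoginParams($params['openid'], $params['timestamp'], $params['nonce'], $secret);
    // hash_equals(): constant-time, and avoids PHP's loose "==" string comparison.
    if (!hash_equals($expected, $params['signature'])) {
        return null;
    }
    return $params['openid'];
}

// --- Walk-through with constructed OpenIDs ---
$now  = time();
$link = buildLoginLink('oAAAA_user_a', LINK_SECRET, $now);

parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
var_dump(verifyLoginLink($params, LINK_SECRET, $now + 5));       // genuine link

$tampered = $params;
$tampered['openid'] = 'oBBBB_user_b';                             // the attack from point 2
var_dump(verifyLoginLink($tampered, LINK_SECRET, $now + 5));

var_dump(verifyLoginLink($params, LINK_SECRET, $now + 3600));    // same link, an hour later
```

The genuine link verifies to its OpenID, the link with user B's OpenID substituted is rejected because the HMAC no longer matches, and the unmodified link is rejected once it is older than LINK_MAX_AGE. Verification happens before the user is asked for a password, so the userid is only ever bound to an OpenID the server itself put into the link.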

Extend your application

Once binding is complete we can build some simple applications. For example, the company needs to hold an offline roadshow that requires registration to attend and sign-in on site.

This is a typical case that can be implemented this way. The process is as follows:


The "bind user" sub-process is the process from Scenario Two. The registration interaction is not described here, as every business is different.

A user who has completed binding registers for the event and then scans a QR code to sign in; the experience is quite smooth.

If you have any questions, please contact me!


The above describes account binding and related content; I hope it is helpful to friends interested in PHP tutorials.
