Home > Article > Backend Development > Detailed interpretation of the implementation of the login function in PHP's Yii framework, yii framework_PHP tutorial
Yii's login mechanism
Yii already provides the most basic user login mechanism when generating applications. We use Yii to generate a new application and enter the protected/components directory. We can see the UserIdentity.php file. There is only one public function in the UserIdentity class as follows:
public function authenticate() { $users=array( // username => password 'demo'=>'demo', 'admin'=>'admin', ); if(!isset($users[$this->username])) $this->errorCode=self::ERROR_USERNAME_INVALID; elseif($users[$this->username]!==$this->password) $this->errorCode=self::ERROR_PASSWORD_INVALID; else $this->errorCode=self::ERROR_NONE; return !$this->errorCode; }
This class is in components and will be loaded at the beginning of the application. It is used for the most basic user verification. You can see that the function simply defines two users demo and admin at the beginning, and the password It's just demo and admin. If your users are very limited, you can just modify and add users here. If there are more, we will talk about it later. The if else below the function is used to check whether the user name and password are valid. When an error occurs, ERROR_USERNAME_INVALID and ERROR_PASSWORD_INVALID are generated. In general, real username and password verification is carried out here, and basic logical processing after login is performed.
You can’t see the login control process just by looking at this class. Following the principles of Model/Control/View, we can see the login process reflected in these three aspects. First enter the Models folder, and you can see a LoginForm class file. This class inherits CFormModel and is a derived class of the form model that encapsulates login data and business logic. The core comparison functions are as follows:
/** * Authenticates the password. * This is the 'authenticate' validator as declared in rules(). */ public function authenticate($attribute,$params) { $this->_identity=new UserIdentity($this->username,$this->password); if(!$this->_identity->authenticate()) $this->addError('password','用户名或密码错误'); } /** * Logs in the user using the given username and password in the model. * @return boolean whether login is successful */ public function login() { if($this->_identity===null) { $this->_identity=new UserIdentity($this->username,$this->password); $this->_identity->authenticate(); } if($this->_identity->errorCode===UserIdentity::ERROR_NONE) { $duration=$this->rememberMe ? 3600*24*30 : 0; // 30 days Yii::app()->user->login($this->_identity,$duration); return true; } else return false; }
The authenticate here uses the UserIdentity class to verify the username and password, and the login function checks whether the user identity has been set and whether the error code is empty, and finally uses the login function provided by Yii to log in. $duration can set the validity period of the identity.
Looking at Control again, there is an action in siteControler that is related to login, which is actionLogin. The function is as follows:
/** * Displays the login page */ public function actionLogin() { if (!defined('CRYPT_BLOWFISH')||!CRYPT_BLOWFISH) throw new CHttpException(500,"This application requires that PHP was compiled with Blowfish support for crypt()."); $model=new LoginForm; // if it is ajax validation request if(isset($_POST['ajax']) && $_POST['ajax']==='login-form') { echo CActiveForm::validate($model); Yii::app()->end(); } // collect user input data if(isset($_POST['LoginForm'])) { $model->attributes=$_POST['LoginForm']; // validate user input and redirect to the previous page if valid if($model->validate() && $model->login()) $this->redirect(Yii::app()->user->returnUrl); } // display the login form $this->render('login',array('model'=>$model)); }
The login action is based on LoginForm to verify the POST form to log in or render a new login page.
Finally, the view file is login.php in the site folder. This is the login interface you see.
Sorting it out, we can clearly see Yii's user login logic processing. After you enter the username and password on the login interface, the form POSTs the data to site/login. Loign instantiates a LoginForm form model. And perform login detection based on the validate function and login function in the model. Validate will verify the form data according to the rules of the rule. The verification of password requires the authenticate function, and the verification of the authenticate and login functions are both based on the authenticate function of UserIdentity. Therefore, if we change the login logic, LgoinForm and loginaction do not need to be modified, and it is basically sufficient to directly change the authenticate function of UserIdentity.
The above analysis is the logic processing code for user login automatically generated by Yii. It looks pretty good, doesn’t it? However, our system generally needs to support access by many users. It is obviously irrational to simply list user names and passwords in the code. Of course, it is more mature to ask the database to help us manage it. Suppose we create an admin table in our own database according to the following Mysql statement:
drop table if exists `admin`; create table `admin` ( `admin_id` int unsigned not null auto_increment comment '主键', `username` varchar(32) not null comment '登录名', `psw` char(40) not null comment '登录密码(两次sha1)', `nick` varchar(64) not null comment '昵称', `add_time` datetime not null comment '创建时间', `login_time` datetime null comment '最近登录时间', unique key(`username`), primary key (`admin_id`) ) engine=innodb default charset=utf8 comment='管理员表';
After the Mysql table creation is completed, we use gii to generate the admin Model. Then we can go back to UserIdentity.php in our original Component and rewrite the authenticate function to implement our own username and password verification. For security reasons, the password is encrypted with sha1 twice, so the collected password is encrypted with sha1 twice, and then in the Admin we created, we find whether there is a user corresponding to the username entered in the form, and then compare the encrypted password. If After everything passes, the user's common information can be set to the user field of Yii's user using the setState function, such as $this->setState('nick', $user->nick); After this sentence, you can directly Use Yii:app()->user->nick to access the nickname of the currently logged in user without querying the database. And $user->login_time = date('Y-m-d H:i:s'); updates the user login time and saves it to the database through save in the next sentence.
public function authenticate() { if(strlen($this->password) > 0) $this->password = sha1(sha1($this->password)); $user = Admin::model()->findByAttributes(array('username' => $this->username)); if($user == null) $this->errorCode=self::ERROR_USERNAME_INVALID; elseif( !($user instanceof Admin) || ($user->psw != $this->password) ) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->setState('admin_id', $user->admin_id); $this->setState('nick', $user->nick); $this->setState('username', $user->username); $user->login_time = date('Y-m-d H:i:s'); $user->save(); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
And if you want to modify the login interface, then enter login.php in the site folder inside the view, and play around with it to make it what you want. In this way, our own login process is completed. Isn’t it extremely convenient to have Yii~
Set up automatic login
The principle of automatic login is very simple. Mainly achieved by using cookies
When logging in for the first time, if the login is successful and automatic login next time is selected, the user's authentication information will be saved in a cookie, and the cookie is valid for one year or several months.
When logging in next time, first determine whether the user's information is stored in the cookie. If so, use the user information stored in the cookie to log in,
配置User组件
首先在配置文件的components中设置user组件
'user' => [ 'identityClass' => 'app\models\User', 'enableAutoLogin' => true, ],
我们看到enableAutoLogin就是用来判断是否要启用自动登录功能,这个和界面上的下次自动登录无关。
只有在enableAutoLogin为true的情况下,如果选择了下次自动登录,那么就会把用户信息存储起来放到cookie中并设置cookie的有效期为3600*24*30秒,以用于下次登录
现在我们来看看Yii中是怎样实现的。
一、第一次登录存cookie
1、login 登录功能
public function login($identity, $duration = 0) { if ($this->beforeLogin($identity, false, $duration)) { $this->switchIdentity($identity, $duration); $id = $identity->getId(); $ip = Yii::$app->getRequest()->getUserIP(); Yii::info("User '$id' logged in from $ip with duration $duration.", __METHOD__); $this->afterLogin($identity, false, $duration); } return !$this->getIsGuest(); }
在这里,就是简单的登录,然后执行switchIdentity方法,设置认证信息。
2、switchIdentity设置认证信息
public function switchIdentity($identity, $duration = 0) { $session = Yii::$app->getSession(); if (!YII_ENV_TEST) { $session->regenerateID(true); } $this->setIdentity($identity); $session->remove($this->idParam); $session->remove($this->authTimeoutParam); if ($identity instanceof IdentityInterface) { $session->set($this->idParam, $identity->getId()); if ($this->authTimeout !== null) { $session->set($this->authTimeoutParam, time() + $this->authTimeout); } if ($duration > 0 && $this->enableAutoLogin) { $this->sendIdentityCookie($identity, $duration); } } elseif ($this->enableAutoLogin) { Yii::$app->getResponse()->getCookies()->remove(new Cookie($this->identityCookie)); } }
这个方法比较重要,在退出的时候也需要调用这个方法。
这个方法主要有三个功能
设置session的有效期
如果cookie的有效期大于0并且允许自动登录,那么就把用户的认证信息保存到cookie中
如果允许自动登录,删除cookie信息。这个是用于退出的时候调用的。退出的时候传递进来的$identity为null
protected function sendIdentityCookie($identity, $duration) { $cookie = new Cookie($this->identityCookie); $cookie->value = json_encode([ $identity->getId(), $identity->getAuthKey(), $duration, ]); $cookie->expire = time() + $duration; Yii::$app->getResponse()->getCookies()->add($cookie); }
存储在cookie中的用户信息包含有三个值:
getId()和getAuthKey()是在IdentityInterface接口中的。我们也知道在设置User组件的时候,这个User Model是必须要实现IdentityInterface接口的。所以,可以在User Model中得到前两个值,第三值就是cookie的有效期。
二、自动从cookie登录
从上面我们知道用户的认证信息已经存储到cookie中了,那么下次的时候直接从cookie里面取信息然后设置就可以了。
1、AccessControl用户访问控制
Yii提供了AccessControl来判断用户是否登录,有了这个就不需要在每一个action里面再判断了
public function behaviors() { return [ 'access' => [ 'class' => AccessControl::className(), 'only' => ['logout'], 'rules' => [ [ 'actions' => ['logout'], 'allow' => true, 'roles' => ['@'], ], ], ], ]; }
2、getIsGuest、getIdentity判断是否认证用户
isGuest是自动登录过程中最重要的属性。
在上面的AccessControl访问控制里面通过IsGuest属性来判断是否是认证用户,然后在getIsGuest方法里面是调用getIdentity来获取用户信息,如果不为空就说明是认证用户,否则就是游客(未登录)。
public function getIsGuest($checkSession = true) { return $this->getIdentity($checkSession) === null; } public function getIdentity($checkSession = true) { if ($this->_identity === false) { if ($checkSession) { $this->renewAuthStatus(); } else { return null; } } return $this->_identity; }
3、renewAuthStatus 重新生成用户认证信息
protected function renewAuthStatus() { $session = Yii::$app->getSession(); $id = $session->getHasSessionId() || $session->getIsActive() ? $session->get($this->idParam) : null; if ($id === null) { $identity = null; } else { /** @var IdentityInterface $class */ $class = $this->identityClass; $identity = $class::findIdentity($id); } $this->setIdentity($identity); if ($this->authTimeout !== null && $identity !== null) { $expire = $session->get($this->authTimeoutParam); if ($expire !== null && $expire < time()) { $this->logout(false); } else { $session->set($this->authTimeoutParam, time() + $this->authTimeout); } } if ($this->enableAutoLogin) { if ($this->getIsGuest()) { $this->loginByCookie(); } elseif ($this->autoRenewCookie) { $this->renewIdentityCookie(); } } }
这一部分先通过session来判断用户,因为用户登录后就已经存在于session中了。然后再判断如果是自动登录,那么就通过cookie信息来登录。
4、通过保存的Cookie信息来登录 loginByCookie
protected function loginByCookie() { $name = $this->identityCookie['name']; $value = Yii::$app->getRequest()->getCookies()->getValue($name); if ($value !== null) { $data = json_decode($value, true); if (count($data) === 3 && isset($data[0], $data[1], $data[2])) { list ($id, $authKey, $duration) = $data; /** @var IdentityInterface $class */ $class = $this->identityClass; $identity = $class::findIdentity($id); if ($identity !== null && $identity->validateAuthKey($authKey)) { if ($this->beforeLogin($identity, true, $duration)) { $this->switchIdentity($identity, $this->autoRenewCookie ? $duration : 0); $ip = Yii::$app->getRequest()->getUserIP(); Yii::info("User '$id' logged in from $ip via cookie.", __METHOD__); $this->afterLogin($identity, true, $duration); } } elseif ($identity !== null) { Yii::warning("Invalid auth key attempted for user '$id': $authKey", __METHOD__); } } } }
先读取cookie值,然后$data = json_decode($value, true);反序列化为数组。
这个从上面的代码可以知道要想实现自动登录,这三个值都必须有值。另外,在User Model中还必须要实现findIdentity、validateAuthKey这两个方法。
登录完成后,还可以再重新设置cookie的有效期,这样便能一起有效下去了。
$this->switchIdentity($identity, $this->autoRenewCookie ? $duration : 0);
三、退出 logout
public function logout($destroySession = true) { $identity = $this->getIdentity(); if ($identity !== null && $this->beforeLogout($identity)) { $this->switchIdentity(null); $id = $identity->getId(); $ip = Yii::$app->getRequest()->getUserIP(); Yii::info("User '$id' logged out from $ip.", __METHOD__); if ($destroySession) { Yii::$app->getSession()->destroy(); } $this->afterLogout($identity); } return $this->getIsGuest(); } public function switchIdentity($identity, $duration = 0) { $session = Yii::$app->getSession(); if (!YII_ENV_TEST) { $session->regenerateID(true); } $this->setIdentity($identity); $session->remove($this->idParam); $session->remove($this->authTimeoutParam); if ($identity instanceof IdentityInterface) { $session->set($this->idParam, $identity->getId()); if ($this->authTimeout !== null) { $session->set($this->authTimeoutParam, time() + $this->authTimeout); } if ($duration > 0 && $this->enableAutoLogin) { $this->sendIdentityCookie($identity, $duration); } } elseif ($this->enableAutoLogin) { Yii::$app->getResponse()->getCookies()->remove(new Cookie($this->identityCookie)); } }
退出的时候先把当前的认证设置为null,然后再判断如果是自动登录功能则再删除相关的cookie信息。