WeChat account binding

Original address: http://hello1010.com/bind-wechat/

Two-dimensional bar code/QR code (2-dimensional bar code) is a specific geometric figure that is printed on a plane ( Black and white graphics distributed in a two-dimensional direction record data symbol information; in coding, the concepts of "0" and "1" bit streams that form the basis of the computer's internal logic are cleverly used, and several binary numbers are used. Geometric shapes represent text numerical information, and are automatically read through image input devices or photoelectric scanning devices to achieve automatic information processing

In recent years, QR codes have been particularly widely used. WeChat’s promotion and application of QR codes can be said to be like a duck in water, including WeChat QR code payment, WeChat QR code login, WeChat QR code business cards, etc. It can be said that QR codes have become an important link between online and offline in O2O. Brother Xiao Ma also said that "QR code is a key entry point online and offline."

Now many websites have established their own complete user account system. In the era of WeChat for all, it is necessary to consider developing and operating WeChat public accounts, not to follow the trend, but to facilitate users, because WeChat provides O2O A good solution, and more importantly, WeChat has a benign and constantly improving ecological chain.

When a user follows a WeChat official account, there will be some interactions. During the interaction, it may be necessary to obtain the user's identity information (corresponding to the account information on the website), such as placing an order in the official account, querying the order, etc. So now the question comes: For the same user, how do we establish the corresponding relationship between the WeChat official account user (openid) and the website user (userid). This process is called binding.

To simplify the discussion, I summarized the following two scenarios:

1. The user has registered as our website user, but has not yet followed our WeChat public Number;
2. The user has not registered, but has followed our WeChat official account.

For the above two situations, we will discuss them separately below.

Scenario 1

The user has registered as our website user, but has not yet followed our WeChat official account. Here, the user needs to log in first on the website, and then provide a binding entry in an appropriate place, such as in personal settings. The binding process is as follows:

You need to use WeChat’s QR code generation function here: Generate a QR code with parameters

About WeChat QR code, the official document says this :

There are currently two types of QR codes, namely temporary QR codes and permanent QR codes. The former has an expiration time, up to 1800 seconds, but can generate a larger number, and the latter has no expiration time. , the number is small (currently the parameters only support 1--100000). The two QR codes are respectively suitable for account binding, user source statistics and other scenarios.

Obviously, it is more appropriate for us to use temporary QR codes. This can be generated every time the user refreshes the page.

Since the QR code can contain the scene value (scene_id), when the user scans the QR code with the scene value, the WeChat server will push the scene value to our own server. After we get the scene value , you can do verification and binding logic. Note: Generating a QR code requires a certified service number.

A complete binding process should be like this:

①The user logs in to the webpage and clicks "Bind WeChat Account";
②Use the WeChat interface in the background to generate a QR code link and return it to the front-end display , and establish the corresponding relationship between scene value A and the user;
③The user scans the QR code and clicks to follow the WeChat public account (if you have already followed it, jump directly to ④);
④The background receives the scene value A pushed by the WeChat server;
⑤The background queries the corresponding user ID based on the scene value A (depending on the corresponding relationship established in ②);
⑥Establish the corresponding relationship between the user userid and the WeChat user openid;
⑦Push "Binding successful" to the user's WeChat client " prompt;
⑧ Notify the front page that the binding has been completed, refresh the page, and return some WeChat account information. Complete binding.

Among them, in ②, "Establish the corresponding relationship between scene value A and the user", because the user is already logged in, so when the user clicks "Bind WeChat account", we can assign a temporary scene value A in the background The relationship with the user ID. For websites with a small number of users, you can directly use apc in php to cache and set an expiration time (same as the expiration time of the temporary QR code).

In

⑧, since http does not have a push mechanism, the simplest method is to poll to check whether the binding has been completed, and then refresh the page after the binding is completed.

After the binding is completed, when the user interacts with our WeChat official account, the corresponding userid can be found based on the openid, which completes the identity recognition. The previously mentioned order placement and order inquiry are all achievable.

The entire binding process is not complicated, and there is not much technical difficulty in implementing it. The most important thing is the idea.

Scenario 2

Scenario 2, the operation is slightly complicated for the user because it requires the user to complete the login/registration on the WeChat client web page. Therefore, if the registration process is too complicated and cumbersome, it is not recommended to use it.

Process:

The above binding process integrates the registration process, so it looks more complicated. It’s not too difficult to implement. Let’s focus on security issues, because binding accounts involves user information security. Consider two issues:

1. How to prevent links from being forged

The login/registration link needs to be generated by our own server and cannot be forged by others. You can refer to WeChat's verification server address for validity. So a relatively secure login link can be like this:

http://api.hello1010.com/wechat/login.html?openid=x1&signature=x2×tamp=x3&nonce=x4&echostr&=x5

Verify signature Code:

<code><span>private function checkSignature()
{
    $signature = $_GET["signature"];
    $timestamp = $_GET["timestamp"];
    $nonce = $_GET["nonce"];    

    $token = TOKEN;
    $tmpArr = array($token, $timestamp, $nonce);
    sort($tmpArr, SORT_STRING);
    $tmpStr = implode( $tmpArr );
    $tmpStr = sha1( $tmpStr );
    if( $tmpStr == $signature ){
        return true;
    }else{
        return false;
    }
}
</span></code>

The token value can be the same as the one in the backend of your WeChat official account, or you can change it. It is recommended to change it to a safer one.

2. How to ensure that openid is trustworthy

Consider this scenario: User A enters the login page, copies the login link to the browser, replaces openid with user B’s openid, and uses user A’s account and password Log in. This binds user A's userid and user B's openid together, which is obviously unsafe.

There are many solutions, such as encrypting openid. When the encryption method is kept confidential, users cannot forge the encrypted openid. If you do not want to encrypt the openid, you can establish the corresponding relationship between the openid and the signature on the server side when generating the link. If the user tampered with the openid, the verification will not pass.

Remember, never trust the information sent by the client.

Extended Application

After completing the binding, we can make some simple applications. For example, the company needs to hold an offline roadshow event, which requires registration and sign-in to participate.

This is a typical O2O example that can be implemented using WeChat. The process is as follows:

Among them, the "binding user sub-process" is the process in scenario two. The interaction of registration will not be described here, as each business is different.

For a user who has completed binding, all he needs to do to participate in an event is to register through WeChat and then scan the QR code to sign in. The experience is quite smooth.

If you have any questions, please feel free to communicate with me!

The above introduces WeChat account binding, including the relevant aspects. I hope it will be helpful to friends who are interested in PHP tutorials.