How to stay logged in in php. Let’s talk about security in detail.

Now my website uses sessions, but once the browser is closed, the login status is gone, which is very inconvenient
How to use the [Stay logged in] function, and how to do cookie security in detail. It is best to explain it online. There is no specific plan, I hope someone with development experience can provide guidance

Reply content:

Now my website uses sessions, but once the browser is closed, the login status is gone, which is very inconvenient
How to use the [Stay logged in] function, and how to do cookie security in detail. It is best to explain it online. There is no specific plan, I hope someone with development experience can provide guidance

It should be noted that PHP sessions are also implemented using cookies. The cookie name saved in the browser defaults to PHPSESSID.
The cookie of this session can also set the expiration time. For example, the expiration time is set to 3600 seconds:
session_set_cookie_params( 3600);
This cookie will still be valid after closing the browser and reopening it within an hour.

PHP session is that each PHPSESSID corresponds to a file that saves session data by default.
That is to say, the session data of different PHPSESSIDs are not shared.
For example, if you use PHP session to implement a shopping cart or video viewing record function,
you Save the shopping cart data in the session file, then you will not be able to see your shopping cart data after logging in from other devices or browsers.
At this time, you should save the shopping cart data in the database.

Let’s talk about how to implement a customized cookie session mechanism based on the database:

The user ID (plain text) and user's salt value (hash) are stored in the cookie.
If high security is required, you can also use MCRYPT_BLOWFISH to encrypt the entire cookie content.
This cookie must be able to authenticate the user, And it must not be forged.
The user's salt value is randomly generated and determined to protect the password when the user registers, and is stored in a field data corresponding to the user in the user table.

<code>//保护用户密码的盐
$salt = sha1( uniqid(getmypid().'_'.mt_rand().'_', true) );

//用户的密码($pwd_user是用户输入的密码明文)
$pwd_db = sha1($salt.sha1($pwd_user));

//cookie里的盐
//其中$global_salt是配置里定义的全局盐,用来保护用户的盐,一旦修改,所有用户的cookie都将失效.
$cookie_salt = sha1($global_salt.sha1($salt));

//最终生成的cookie内容
$cookie = base64_encode($user_id.'|'.$cookie_salt);
//如果你需要高安全性,还可以使用MCRYPT_BLOWFISH对整个cookie的内容做一次加密.
$cookie = mcrypt_blowfish($cookie, $key);

//设置cookie,这里把过期时间设为3600秒(1小时)
setcookie($cookie_name, $cookie, time()+3600);</code>

The user's salt, the application global salt, and the MCRYPT_BLOWFISH encrypted key $key are all randomly generated and determined.
Algorithms such as:
sha1( uniqid(getmypid().'_'.mt_rand() .'_', true) )
generates a process ID + random number + a hash value based on the current time microseconds + entropy.

When verifying a user, first use the private key to decrypt $_COOKIE['cookie_name'],
Then base64_decode to get the user ID,
Then query the user's salt based on the user ID,
Then pass the salt through the same hash algorithm followed by the cookie Compare the salt $cookie_salt in
If they are consistent, the user’s cookie is determined to be valid.

<code>//解密cookie
$cookie = mdecrypt_blowfish($_COOKIE['cookie_name'], $key);

//分割后拿到里面的$user_id和$cookie_salt
$cookie = explode('|', base64_decode($_COOKIE['cookie_name']));</code>

1. Set the cookie validity period, for example, add one week to the current time, so that it will expire in one month even if you close the browser

2. The cookie content can be symmetrically encrypted for the userId. The backend first gets the ciphertext, then decrypts it, and finally logs in

Only operating cookies cannot solve the problem of session expiration. It is recommended to use a cache (it is indeed an addictive drug) and put the session in. You can set the expiration time as you like. When checking whether it is online, go directly to the cache to check;
It seems that php.ini can set the session storage medium.