About the implementation of login function in PHP's Yii framework

This article mainly introduces the detailed interpretation of the implementation of the login function in the Yii framework of PHP, including the function of automatic login through cookies. Friends in need can refer to

Yii's login mechanism

Yii already provides the most basic user login mechanism when generating applications. We use Yii to generate a new application, enter the protected/components directory, we can see the UserIdentity.php file, there is only one public function in the UserIdentity class as follows:

public function authenticate() 
{ 
  $users=array( 
    // username => password 
    'demo'=>'demo', 
    'admin'=>'admin', 
  ); 
  if(!isset($users[$this->username])) 
    $this->errorCode=self::ERROR_USERNAME_INVALID; 
  elseif($users[$this->username]!==$this->password) 
    $this->errorCode=self::ERROR_PASSWORD_INVALID; 
  else 
    $this->errorCode=self::ERROR_NONE; 
  return !$this->errorCode; 
}

This class is in components and will be loaded at the beginning of the application. It is used for the most basic user verification. You can see that the function simply defines two users demo and admin, and the password is only demo and admin. If your users are very limited, you can directly modify and add users here. If there are more, we will talk about it later. The if else below the function is used to check whether the user name and password are valid. When an error occurs, ERROR_USERNAME_INVALID and ERROR_PASSWORD_INVALID are generated. In general, real username and password verification is carried out here, and basic logical processing after login is performed.
You can’t see the login control process just by looking at this class. Following the principles of Model/Control/View, we can see the login process reflected in these three aspects. First enter the Models folder, and you can see a LoginForm class file. This class inherits CFormModel and is a derived class of the form model that encapsulates login data and business logic. The core functions are as follows:

/** 
 * Authenticates the password. 
 * This is the 'authenticate' validator as declared in rules(). 
 */ 
public function authenticate($attribute,$params) 
{ 
  $this->_identity=new UserIdentity($this->username,$this->password); 
  if(!$this->_identity->authenticate()) 
    $this->addError('password','用户名或密码错误'); 
} 
 
/** 
 * Logs in the user using the given username and password in the model. 
 * @return boolean whether login is successful 
 */ 
public function login() 
{ 
  if($this->_identity===null) 
  { 
    $this->_identity=new UserIdentity($this->username,$this->password); 
    $this->_identity->authenticate(); 
  } 
  if($this->_identity->errorCode===UserIdentity::ERROR_NONE) 
  { 
    $duration=$this->rememberMe ? 3600*24*30 : 0; // 30 days 
    Yii::app()->user->login($this->_identity,$duration); 
    return true; 
  } 
  else 
    return false; 
}

The authenticate here uses the UserIdentity class to verify the username and password, and the login function detects whether the user's identity has been Check whether the settings and error code are empty, and finally use the login function provided by Yii to log in. $duration can set the validity period of the identity.
Looking at Control again, there is an action in siteControler about login, which is actionLogin. The function is as follows:

/** 
 * Displays the login page 
 */ 
public function actionLogin() 
{ 
  if (!defined('CRYPT_BLOWFISH')||!CRYPT_BLOWFISH) 
    throw new CHttpException(500,"This application requires that PHP was compiled with Blowfish support for crypt()."); 
 
  $model=new LoginForm; 
 
  // if it is ajax validation request 
  if(isset($_POST['ajax']) && $_POST['ajax']==='login-form') 
  { 
    echo CActiveForm::validate($model); 
    Yii::app()->end(); 
  } 
 
  // collect user input data 
  if(isset($_POST['LoginForm'])) 
  { 
    $model->attributes=$_POST['LoginForm']; 
    // validate user input and redirect to the previous page if valid 
    if($model->validate() && $model->login()) 
      $this->redirect(Yii::app()->user->returnUrl); 
  } 
  // display the login form 
  $this->render('login',array('model'=>$model)); 
}

The login action It is based on LoginForm to verify the POST form to log in or render a new login page.

Finally, the view file is login.php in the site folder. This is the login interface you see.

Sorting it out, we can clearly see Yii's user login logic processing. After you enter the username and password on the login interface, the form POSTs the data to site/login, and login instantiates a LoginForm. Form model, and perform login detection based on the validate function and login function in the model. Validate will verify the form data according to the rules of the rule. The verification of password requires the authenticate function, and the verification of the authenticate and login functions are both based on the authenticate function of UserIdentity. Therefore, if we change the login logic, LgoinForm and loginaction do not need to be modified, and it is basically sufficient to directly change the authenticate function of UserIdentity.

The above analysis is the logic processing code for user login automatically generated by Yii. It looks pretty good, doesn’t it? However, our system generally needs to support access by many users. It is obviously irrational to simply list user names and passwords in the code. Of course, it is more mature to ask the database to help us manage it. Suppose we create an admin table in our own database according to the following Mysql statement:

drop table if exists `admin`; 
create table `admin` ( 
  `admin_id` int unsigned not null auto_increment comment '主键', 
  `username` varchar(32) not null comment '登录名', 
  `psw` char(40) not null comment '登录密码（两次sha1）', 
  `nick` varchar(64) not null comment '昵称', 
  `add_time` datetime not null comment '创建时间', 
  `login_time` datetime null comment '最近登录时间', 
  unique key(`username`), 
  primary key (`admin_id`) 
) engine=innodb default charset=utf8 comment='管理员表';

After the Mysql table creation is completed, we use gii to generate the admin Model , then we can go back to UserIdentity.php in our original Component and rewrite the authenticate function to implement our own username and password verification. For security reasons, the password is encrypted with sha1 twice, so the collected password is encrypted with sha1 twice, and then in the Admin we created, we find whether there is a user corresponding to the username entered in the form, and then compare the encrypted password. If After everything passes, the user's common information can be set to the user field of Yii's user using the setState function, such as $this->setState('nick', $user->nick); After this sentence, you can directly Use Yii:app()->user->nick to access the nickname of the currently logged in user without querying the database. And $user->login_time = date('Y-m-d H:i:s'); updates the user login time and saves it to the database through save in the next sentence.

public function authenticate() 
{ 
  if(strlen($this->password) > 0) 
    $this->password = sha1(sha1($this->password)); 
  $user = Admin::model()->findByAttributes(array('username' => $this->username)); 
  if($user == null) 
    $this->errorCode=self::ERROR_USERNAME_INVALID; 
  elseif( !($user instanceof Admin) || ($user->psw != $this->password) ) 
    $this->errorCode=self::ERROR_PASSWORD_INVALID; 
  else 
  { 
    $this->setState('admin_id', $user->admin_id); 
    $this->setState('nick', $user->nick); 
    $this->setState('username', $user->username); 
    $user->login_time = date('Y-m-d H:i:s'); 
    $user->save(); 
    $this->errorCode=self::ERROR_NONE; 
  } 
  return !$this->errorCode; 
}

And if you want to modify the login interface, then enter login.php in the site folder in the view, and toss around to make it become The way you want it, so that our own login process is completed. Isn’t it extremely convenient to have Yii~

设置自动登陆
自动登录的原理很简单。主要就是利用cookie来实现的
在第一次登录的时候，如果登录成功并且选中了下次自动登录，那么就会把用户的认证信息保存到cookie中，cookie的有效期为1年或者几个月。

在下次登录的时候先判断cookie中是否存储了用户的信息，如果有则用cookie中存储的用户信息来登录，

配置User组件

首先在配置文件的components中设置user组件

    'user' => [
      'identityClass' => 'app\models\User',
      'enableAutoLogin' => true,
    ],

我们看到enableAutoLogin就是用来判断是否要启用自动登录功能，这个和界面上的下次自动登录无关。
只有在enableAutoLogin为true的情况下，如果选择了下次自动登录，那么就会把用户信息存储起来放到cookie中并设置cookie的有效期为3600*24*30秒，以用于下次登录

现在我们来看看Yii中是怎样实现的。

一、第一次登录存cookie

1、login 登录功能

  public function login($identity, $duration = 0)
  {
    if ($this->beforeLogin($identity, false, $duration)) {
      $this->switchIdentity($identity, $duration);
      $id = $identity->getId();
      $ip = Yii::$app->getRequest()->getUserIP();
      Yii::info("User '$id' logged in from $ip with duration $duration.", __METHOD__);
      $this->afterLogin($identity, false, $duration);
    }

    return !$this->getIsGuest();
  }

在这里，就是简单的登录，然后执行switchIdentity方法，设置认证信息。

2、switchIdentity设置认证信息

  public function switchIdentity($identity, $duration = 0)
  {
    $session = Yii::$app->getSession();
    if (!YII_ENV_TEST) {
      $session->regenerateID(true);
    }
    $this->setIdentity($identity);
    $session->remove($this->idParam);
    $session->remove($this->authTimeoutParam);
    if ($identity instanceof IdentityInterface) {
      $session->set($this->idParam, $identity->getId());
      if ($this->authTimeout !== null) {
        $session->set($this->authTimeoutParam, time() + $this->authTimeout);
      }
      if ($duration > 0 && $this->enableAutoLogin) {
        $this->sendIdentityCookie($identity, $duration);
      }
    } elseif ($this->enableAutoLogin) {
      Yii::$app->getResponse()->getCookies()->remove(new Cookie($this->identityCookie));
    }
  }

这个方法比较重要，在退出的时候也需要调用这个方法。

这个方法主要有三个功能
设置session的有效期
如果cookie的有效期大于0并且允许自动登录，那么就把用户的认证信息保存到cookie中
如果允许自动登录，删除cookie信息。这个是用于退出的时候调用的。退出的时候传递进来的$identity为null

  protected function sendIdentityCookie($identity, $duration)
  {
    $cookie = new Cookie($this->identityCookie);
    $cookie->value = json_encode([
      $identity->getId(),
      $identity->getAuthKey(),
      $duration,
    ]);
    $cookie->expire = time() + $duration;
    Yii::$app->getResponse()->getCookies()->add($cookie);
  }

存储在cookie中的用户信息包含有三个值：

1. $identity->getId()

2. $identity->getAuthKey()

3. $duration

getId()和getAuthKey()是在IdentityInterface接口中的。我们也知道在设置User组件的时候，这个User Model是必须要实现IdentityInterface接口的。所以，可以在User Model中得到前两个值，第三值就是cookie的有效期。

二、自动从cookie登录

从上面我们知道用户的认证信息已经存储到cookie中了，那么下次的时候直接从cookie里面取信息然后设置就可以了。

1、AccessControl用户访问控制

Yii提供了AccessControl来判断用户是否登录，有了这个就不需要在每一个action里面再判断了 

 public function behaviors()
  {
    return [
      'access' => [
        'class' => AccessControl::className(),
        'only' => ['logout'],
        'rules' => [
          [
            'actions' => ['logout'],
            'allow' => true,
            'roles' => ['@'],
          ],
        ],
      ],
    ];
  }

2、getIsGuest、getIdentity判断是否认证用户

isGuest是自动登录过程中最重要的属性。
在上面的AccessControl访问控制里面通过IsGuest属性来判断是否是认证用户，然后在getIsGuest方法里面是调用getIdentity来获取用户信息，如果不为空就说明是认证用户，否则就是游客（未登录）。

 public function getIsGuest($checkSession = true)
  {
    return $this->getIdentity($checkSession) === null;
  }
  public function getIdentity($checkSession = true)
  {
    if ($this->_identity === false) {
      if ($checkSession) {
        $this->renewAuthStatus();
      } else {
        return null;
      }
    }

    return $this->_identity;
  }

3、renewAuthStatus 重新生成用户认证信息

 protected function renewAuthStatus()
  {
    $session = Yii::$app->getSession();
    $id = $session->getHasSessionId() || $session->getIsActive() ? $session->get($this->idParam) : null;

    if ($id === null) {
      $identity = null;
    } else {
      /** @var IdentityInterface $class */
      $class = $this->identityClass;
      $identity = $class::findIdentity($id);
    }

    $this->setIdentity($identity);

    if ($this->authTimeout !== null && $identity !== null) {
      $expire = $session->get($this->authTimeoutParam);
      if ($expire !== null && $expire < time()) {
        $this->logout(false);
      } else {
        $session->set($this->authTimeoutParam, time() + $this->authTimeout);
      }
    }

    if ($this->enableAutoLogin) {
      if ($this->getIsGuest()) {
        $this->loginByCookie();
      } elseif ($this->autoRenewCookie) {
        $this->renewIdentityCookie();
      }
    }
  }

这一部分先通过session来判断用户，因为用户登录后就已经存在于session中了。然后再判断如果是自动登录，那么就通过cookie信息来登录。

4、通过保存的Cookie信息来登录 loginByCookie

 protected function loginByCookie()
  {
    $name = $this->identityCookie['name'];
    $value = Yii::$app->getRequest()->getCookies()->getValue($name);
    if ($value !== null) {
      $data = json_decode($value, true);
      if (count($data) === 3 && isset($data[0], $data[1], $data[2])) {
        list ($id, $authKey, $duration) = $data;
        /** @var IdentityInterface $class */
        $class = $this->identityClass;
        $identity = $class::findIdentity($id);
        if ($identity !== null && $identity->validateAuthKey($authKey)) {
          if ($this->beforeLogin($identity, true, $duration)) {
            $this->switchIdentity($identity, $this->autoRenewCookie ? $duration : 0);
            $ip = Yii::$app->getRequest()->getUserIP();
            Yii::info("User '$id' logged in from $ip via cookie.", __METHOD__);
            $this->afterLogin($identity, true, $duration);
          }
        } elseif ($identity !== null) {
          Yii::warning("Invalid auth key attempted for user '$id': $authKey", __METHOD__);
        }
      }
    }
  }

先读取cookie值，然后$data = json_decode($value, true);反序列化为数组。

这个从上面的代码可以知道要想实现自动登录，这三个值都必须有值。另外，在User Model中还必须要实现findIdentity、validateAuthKey这两个方法。

登录完成后，还可以再重新设置cookie的有效期，这样便能一起有效下去了。

 $this->switchIdentity($identity, $this->autoRenewCookie ? $duration : 0);

三、退出 logout

 public function logout($destroySession = true)
  {
    $identity = $this->getIdentity();
    if ($identity !== null && $this->beforeLogout($identity)) {
      $this->switchIdentity(null);
      $id = $identity->getId();
      $ip = Yii::$app->getRequest()->getUserIP();
      Yii::info("User '$id' logged out from $ip.", __METHOD__);
      if ($destroySession) {
        Yii::$app->getSession()->destroy();
      }
      $this->afterLogout($identity);
    }

    return $this->getIsGuest();
  }


  public function switchIdentity($identity, $duration = 0)
  {
    $session = Yii::$app->getSession();
    if (!YII_ENV_TEST) {
      $session->regenerateID(true);
    }
    $this->setIdentity($identity);
    $session->remove($this->idParam);
    $session->remove($this->authTimeoutParam);
    if ($identity instanceof IdentityInterface) {
      $session->set($this->idParam, $identity->getId());
      if ($this->authTimeout !== null) {
        $session->set($this->authTimeoutParam, time() + $this->authTimeout);
      }
      if ($duration > 0 && $this->enableAutoLogin) {
        $this->sendIdentityCookie($identity, $duration);
      }
    } elseif ($this->enableAutoLogin) {
      Yii::$app->getResponse()->getCookies()->remove(new Cookie($this->identityCookie));
    }
  }

退出的时候先把当前的认证设置为null，然后再判断如果是自动登录功能则再删除相关的cookie信息。

以上就是本文的全部内容，希望对大家的学习有所帮助，更多相关内容请关注PHP中文网！

相关推荐：

如何实现修改yii2.0用户登录使用的user表为其它的表

关于php向访客和爬虫显示不同的内容代码

The above is the detailed content of About the implementation of login function in PHP's Yii framework. For more information, please follow other related articles on the PHP Chinese website!