
The hidden dangers of the "remember password" function

王林
2024-02-08 08:33:09


In this way, the same account can stay logged in on every device and client at once, and several people can be logged in under it at the same time. That is not very safe. Here are some safer methods for reference:

1. Store three things in the cookie: the username, a login sequence and a login token.

a) Username: stored in clear text.
b) Login sequence: an MD5 hash of a random number, updated only when the user is forced to enter the password (for example, when the user changes the password).
c) Login token: an MD5 hash of a random number, valid for only one login session; each new login session replaces it.

2. The same three values are also stored on the server. When authenticating a user, the server checks all three values in the client's cookie against its own copy.
3. What effect does such a design have? The following:

a) The login token makes login single-instance: a user can have only one login instance at a time.

b) The login sequence is used for theft detection. If a user's cookie is stolen and the thief uses it to access the website, the system takes the thief for a legitimate user and updates the "login token". When the real user comes back, the system finds that the "username" and "login sequence" match but the "login token" is wrong, and so it knows that this user's cookie may have been stolen. In that case the system can clear and regenerate the login sequence and login token, which invalidates every cookie and requires the user to enter the password again, and it can warn the user about the security of their account.

4. Of course, the above design still has some problems.

For example, the same user may log in from different devices, or even from different browsers on the same device. One device then invalidates the login token and login sequence of another, so the other devices and browsers have to log in again, and this creates the illusion that cookies have been stolen. Therefore the server also needs to take the client's IP address into account. This involves three cases.

a) If the user logs in with a password, the server's "login sequence" and "login token" do not need to be updated (but the cookie does need to be reissued), because we trust that only the real user knows the password.

b) If the IP address is the same, the server's "login sequence" and "login token" again do not need to be updated (but the cookie does need to be reissued), because we assume the same IP means the same user. (Of course, every machine on the same LAN also shares that IP, but we assume the LAN is under the user's control. This feature is not recommended in Internet cafes.)

c) If the IP addresses differ and the login was not made with a password, the "login token" will flip between the IPs (it is changed back and forth between two or more IPs). Once this happens a certain number of times within a certain period, the system concludes that the probability of theft is very high. At that point it clears the "login sequence" and "login token" in the background, which invalidates the cookie, and forces the user to enter the password (or requires the user to change it), so that the cookies on all devices become consistent again.
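The full scheme (steps 1 to 4, including rules a to c) as an added example that is not part of the original article. It keeps a server-side copy of the three values and returns the cookie to reissue; the flip threshold, the time window, the `RememberMe` class and its method names are assumptions, and it uses a CSPRNG hex string where the article hashes a random number with MD5.

```python
import secrets
import time
from dataclasses import dataclass, field

FLIP_LIMIT = 3       # assumed threshold: cross-IP token flips tolerated per window
FLIP_WINDOW = 3600   # assumed window in seconds

@dataclass
class ServerRecord:
    sequence: str    # rotates only when the user is forced to enter a password
    token: str       # rotates per login session
    last_ip: str
    flips: list = field(default_factory=list)  # timestamps of cross-IP token flips

def fresh() -> str:
    # The article hashes a random number with MD5; this uses a CSPRNG hex string instead.
    return secrets.token_hex(16)

class RememberMe:
    def __init__(self):
        self.db: dict[str, ServerRecord] = {}   # server-side copy of the three values

    def password_login(self, user: str, ip: str):
        """Rule a: the password proves identity, so server values are kept; only the cookie is reissued."""
        rec = self.db.get(user)
        if rec is None:
            rec = self.db[user] = ServerRecord(fresh(), fresh(), ip)
        rec.last_ip, rec.flips = ip, []
        return ("ok", (user, rec.sequence, rec.token))

    def cookie_login(self, cookie: tuple, ip: str, now=None):
        now = time.time() if now is None else now
        user, seq, tok = cookie
        rec = self.db.get(user)
        if rec is None or seq != rec.sequence:
            return ("password_required", None)   # no remember-me state, or it was invalidated
        if tok == rec.token or ip == rec.last_ip:
            # Valid token, or a stale one from the same IP (rule b: another browser on the same device).
            if ip != rec.last_ip:
                rec.token, rec.last_ip = fresh(), ip  # a new session from a new IP rotates the token
            return ("ok", (user, rec.sequence, rec.token))
        # Sequence matches but the token does not, from a different IP: a stale cookie from another
        # device, or a stolen one (step 3b). Rule c counts these flips instead of reacting at once.
        rec.flips = [t for t in rec.flips if now - t < FLIP_WINDOW] + [now]
        if len(rec.flips) >= FLIP_LIMIT:
            del self.db[user]                     # clear sequence and token: all cookies become invalid
            return ("stolen", None)               # caller forces password entry and warns the user
        rec.token, rec.last_ip = fresh(), ip      # the token flips to this IP
        return ("ok", (user, rec.sequence, rec.token))
```

The cookie is returned as a plain tuple; a real deployment would set it as an HttpOnly, Secure cookie and store only hashes of the sequence and token on the server.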

I think this is a good solution. The illusion of cookie theft can even be turned into a deliberate behaviour, as QQ does: a later login squeezes out the earlier one.


Statement: This article is reproduced from linuxprobe.com. In case of infringement, please contact admin@php.cn for removal.