Currently, the project login I am doing is just to determine whether the user session exists. If it exists, log in, if not, it will not log in.
Is this simple and crude method safe? How safe is it?
I don’t know what is the idea of designing a more mature and relatively simple login verification, please give me some advice
我想大声告诉你2017-05-31 10:36:03
The simplest login status is the session, and it is very safe.
Along with the session, there are cookies. Relatively speaking, it is not as secure as the session, but if it is set up, there will be no security issues.
我想大声告诉你2017-05-31 10:36:03
Personally, I think the method of using $_SESSION to determine whether the user is logged in is unreliable.
For example, after a user changes his password, how can the program make the old login invalid?
So it is still recommended to use cookies to verify the user's identity.
In the cookie Save the user's ID and salt.
When the user registers successfully, or when the password is changed, the salt is regenerated and the user table is updated.
曾经蜡笔没有小新2017-05-31 10:36:03
session is relatively simple, but not reliable enough; if you need more reliability, you can refer to WeChat/QQ, and for more reliable information, refer to online banking login.
曾经蜡笔没有小新2017-05-31 10:36:03
session exists
This is unreliable because the session is stored in the cookie and is the content of the client. In principle, the server should not trust any information from the client and needs to be validated. As for the verification logic, please design it yourself (just judging "yes" and "no" is obviously not enough)