duanlianyun0462 2012-03-11 15:47
浏览 55
已采纳

使用cookie记住并验证用户

I'm new to cookies and (PHP in general actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other website, I understand that I shouldn't put password or any other input from the user in the cookie. One solution was to user a remember_key in the database table, which gets regenerated each time a user signs in with "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key from the db and check if $_COOKIE['remember'] is the same as remember_key, if it is then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:

function rememberUser($id) {

    $remember = md5(uniqid(mt_rand(),true));
    $stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ?    WHERE USER_ID = ?");
    $stmt->bind_param('si', $remember, $id);
    $stmt->execute();
    setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}

function isValidUser($id) {

    $stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
    $stmt->bind_param('si', $_COOKIE['remember'], $id);
    $stmt->execute();

    $stmt->store_result();
    $count = $stmt->num_rows;

    if($count == 1) {
        return true;
    }
    else {
        return false;
    }
}

function forgetUser($id) { // not sure about this method at all!

    setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);

}

forgetUser() will delete $_COOKIE['remember'] (or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.

For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.

About security: my website doesn't need to be super super secure, I think just this token will be enough?

  • 写回答

1条回答 默认 最新

  • duanqianwei2485 2012-03-11 16:01
    关注

    I use the session for the secure part, and use either a hash or a user_id in the cookie. The cookie can only be accessed by your site. So unless someone else logs in on the same computer, if you have a long enough expiry, the cookie will just sit there. So the next week when they go back to your site, and it reads the cookie, you just start (What ever your version of a session is) with the user_id or hash that's stored in your database. If the hash doesn't match, the user has to login again.

    I hope that's what you were after.

    Edit:

    // I can't remember why right now, But I found to delete the cookie properly,
// after setcookie, I had to unset the $_COOKIE also.
setcookie("userid", "", time() - 3600);
unset($_COOKIE['userid']);
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 怎样才能让鼠标沿着线条的中心线轨迹移动
  • ¥60 用visual studio编写程序,利用间接平差求解水准网
  • ¥15 Llama如何调用shell或者Python
  • ¥20 谁能帮我挨个解读这个php语言编的代码什么意思?
  • ¥15 win10权限管理,限制普通用户使用删除功能
  • ¥15 minnio内存占用过大,内存没被回收(Windows环境)
  • ¥65 抖音咸鱼付款链接转码支付宝
  • ¥15 ubuntu22.04上安装ursim-3.15.8.106339遇到的问题
  • ¥15 blast算法(相关搜索:数据库)
  • ¥15 请问有人会紧聚焦相关的matlab知识嘛?