doushenmao9036 2011-03-27 01:03
Accepted

PHP user auto-login

I can't find an answer to my question. I'm creating registration and need autologin for the user with a cookie. What kind of information should be stored in the cookie? Is it username + hashed password, or what?


3 answers

  • dousha1394 2011-03-27 04:35

    First, just to echo what everyone else has said, this isn't so much an auto-login feature as it is a 'remember me if I navigate away from the page' feature.

    How I have seen it done in the past is similar to the implementation explained by frostymarvelous. Basically I have seen 3 cookies used:

    Cookie 1:

    • name - 'username'
    • value - user's name

    Cookie 2:

    • name - 'salt'
    • value - random salt created for this particular login

    Cookie 3:

    • name - 'authentication_hash'
    • value - Hash of a couple of unique pieces of data that only your website can duplicate. If you can duplicate this value in the cookie, then make sure the user doesn't have to log in again.

    Basically, cookie 3 is the most important cookie and I would include a couple things in this to prevent it from being duplicated easily:

    <?php
    function isAuthenticationCookieValid() {
        // Without all three cookies there is nothing to validate.
        if (!isset($_COOKIE['username'], $_COOKIE['salt'], $_COOKIE['authentication_hash'])) {
            return false;
        }

        // $websitePassword would be a unique string stored in a file that is only
        // accessible by the server running your website.
        include("websitePassword.php");

        // $hashOfUserPassword should be a hash of the user's password and should be
        // retrieved from the database in hashed form because that is how you should
        // store passwords.
        $hashOfUserPassword = retrieveUserPasswordFromDatabase($_COOKIE['username']);

        // $salt should just be read from cookie.
        $salt = $_COOKIE['salt'];

        $authenticationValue = sha1($websitePassword . $salt . $hashOfUserPassword);

        // Compare authentication value in cookie with calculated authentication value.
        // hash_equals() (PHP 5.6+) compares in constant time and, unlike ==,
        // never treats two different hex strings as equal numbers.
        $cookieHash = $_COOKIE['authentication_hash'];
        return is_string($cookieHash) && hash_equals($authenticationValue, $cookieHash);
    }
    ?>
    

    The contents of 'websitePassword.php' should just be:

    <?php
        $websitePassword = "secretWebsitePassword";  // Obviously use a better password
    ?>
    

    I would also suggest making the cookies expire after a time limit to make your website more secure, and you could possibly add a time element to your hash so that if they try to use that particular hash after a particular amount of time, they will not be logged in automatically.

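The time element suggested at the end of the accepted answer, worked through as an added example that is not part of the original answer: the expiry timestamp is placed inside the value that gets hashed, so a client cannot extend it. It uses HMAC-SHA256 rather than the answer's `sha1()` concatenation, packs everything into one cookie value, and `SERVER_SECRET`, the function names and the sample password hash are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.1+). SERVER_SECRET, the function names and the sample
// password hash are constructed placeholders, not values from the answer.
const SERVER_SECRET = 'replace-with-a-long-random-server-side-secret';

// Build the cookie value "user|expires|salt|mac"; the expiry is covered by the MAC.
function issueRememberToken(string $username, string $passwordHash, int $ttl, int $now): string
{
    $payload = rawurlencode($username) . '|' . ($now + $ttl) . '|' . bin2hex(random_bytes(16));
    // Keyed hash instead of sha1(secret . data); mixing in the stored password
    // hash makes old tokens fail once the user changes their password.
    $mac = hash_hmac('sha256', $payload . '|' . $passwordHash, SERVER_SECRET);
    return $payload . '|' . $mac;
}

// Return the username for a valid, unexpired token, otherwise null.
function verifyRememberToken(string $token, callable $lookupPasswordHash, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$encUser, $expires, $salt, $mac] = $parts;
    $passwordHash = $lookupPasswordHash(rawurldecode($encUser));
    if (!is_string($passwordHash)) {
        return null; // unknown user
    }
    $expected = hash_hmac('sha256', "$encUser|$expires|$salt|$passwordHash", SERVER_SECRET);
    // Check the MAC first (constant time), then the server-verified expiry.
    if (!hash_equals($expected, $mac) || !ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    return rawurldecode($encUser);
}

// Constructed sample data standing in for the user table.
$users = ['alice' => '$2y$10$constructedSamplePasswordHashForDemoOnly'];
$lookup = function (string $u) use ($users) {
    return $users[$u] ?? null;
};
$now = 1700000000;
$token = issueRememberToken('alice', $users['alice'], 86400, $now);
$forged = str_replace((string) ($now + 86400), (string) ($now + 999999), $token);

var_dump(verifyRememberToken($token, $lookup, $now + 3600));   // within lifetime
var_dump(verifyRememberToken($token, $lookup, $now + 90000));  // after expiry
var_dump(verifyRememberToken($forged, $lookup, $now + 90000)); // expiry edited by client
```

When the token is sent with `setcookie()`, the cookie's own expiry should match the signed timestamp, and the Secure and HttpOnly flags keep it off plain HTTP and out of reach of page scripts.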