duanlianyun0462 2012-03-11 15:47
浏览 55
已采纳

使用cookie记住并验证用户

I'm new to cookies and (PHP in general actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other website, I understand that I shouldn't put password or any other input from the user in the cookie. One solution was to user a remember_key in the database table, which gets regenerated each time a user signs in with "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key from the db and check if $_COOKIE['remember'] is the same as remember_key, if it is then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:

function rememberUser($id) {

    $remember = md5(uniqid(mt_rand(),true));
    $stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ?    WHERE USER_ID = ?");
    $stmt->bind_param('si', $remember, $id);
    $stmt->execute();
    setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}

function isValidUser($id) {

    $stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
    $stmt->bind_param('si', $_COOKIE['remember'], $id);
    $stmt->execute();

    $stmt->store_result();
    $count = $stmt->num_rows;

    if($count == 1) {
        return true;
    }
    else {
        return false;
    }
}

function forgetUser($id) { // not sure about this method at all!

    setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);

}

forgetUser() will delete $_COOKIE['remember'] (or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.

For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.

About security: my website doesn't need to be super super secure, I think just this token will be enough?

  • 写回答

1条回答 默认 最新

  • duanqianwei2485 2012-03-11 16:01
    关注

    I use the session for the secure part, and use either a hash or a user_id in the cookie. The cookie can only be accessed by your site. So unless someone else logs in on the same computer, if you have a long enough expiry, the cookie will just sit there. So the next week when they go back to your site, and it reads the cookie, you just start (What ever your version of a session is) with the user_id or hash that's stored in your database. If the hash doesn't match, the user has to login again.

    I hope that's what you were after.

    Edit:

    // I can't remember why right now, But I found to delete the cookie properly,
    // after setcookie, I had to unset the $_COOKIE also.
    setcookie("userid", "", time() - 3600);
    unset($_COOKIE['userid']);
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 spring后端vue前端
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题