The hidden dangers of the 'remember password' function
In this way, the same cookie logs you in on all devices and clients, and several users can be logged in at the same time. This is not very safe. Here is a safer scheme for reference; the cookie (and the matching server-side record) holds three values:
a) Username: stored in clear text.
b) Login sequence: a random number hashed with MD5, updated only when the user is forced to enter a password (for example, when the user changes the password).
c) Login token: a random number hashed with MD5. It is valid only within one login session; a new login session replaces it.
a) The login token makes logins single-instance: a user can have only one login instance at a time.
b) The login sequence is used for theft detection. If the user's cookie is stolen and the thief uses it to access the website, the system will take him for a legitimate user and update the login token. When the real user comes back, the system finds that the username and login sequence match but the login token is wrong, so it knows the account may have been compromised. It can then clear and regenerate the login sequence and login token, which invalidates all cookies and requires the user to enter the password again, and it can warn the user about the security of the account.
For example, the same user logs in from different devices, or even from different browsers on the same device. Each device invalidates the login token and login sequence of the others, so the other devices and browsers have to log in again, and this creates the illusion that the cookie has been stolen. Therefore the server also needs to consider the client's IP address. This involves three cases:
a) If the user logs in with a password, we do not need to update the server's "login sequence" and "login token" (but the cookie needs to be updated), because we assume that only the real user knows the password.
b) If the IP is the same, we do not need to update the server's "login sequence" and "login token" (but the cookie needs to be updated), because we assume the same user has the same IP. (Of course, every machine on the same LAN shares that IP, but we assume the LAN is under the user's control; this feature is not recommended in Internet cafés.)
c) If the IPs are different and no password was used to log in, the "login token" will keep changing among several IPs (bouncing back and forth between two or more of them). When this happens a certain number of times within a certain period, the system treats theft as highly likely. At that point it clears the "login sequence" and "login token" in the background, which invalidates the cookie, and forces the user to enter the password (or requires the user to change it), so that the cookies on all devices become consistent again.
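The three values and rules (a) to (c) combined into server-side logic, as an added example in Python (not code from the article). It swaps the article's MD5-hashed random numbers for `secrets.token_hex`; the window length, the mismatch threshold, the in-memory store and the function names are assumptions.

```python
import hmac
import secrets
from collections import deque

WINDOW_SECONDS = 3600         # assumed: look-back window for cross-IP token mismatches
MAX_CROSS_IP_MISMATCHES = 3   # assumed: mismatches in that window before forcing a password

# Constructed in-memory store; a real site keeps these columns in the user table.
_store = {}  # username -> {"series": str, "token": str, "ip": str, "events": deque}

def _fresh():
    # The article hashes a random number with MD5; a CSPRNG hex string plays the same role.
    return secrets.token_hex(16)

def _cookie(username):
    r = _store[username]
    return {"username": username, "series": r["series"], "token": r["token"]}

def password_login(username, ip):
    """Rule (a): a password login does not rotate the server-side values, it only hands
    this client the current cookie. Fresh values are created only when no record exists
    (first login, or after a theft reset forced the user back to the password)."""
    if username not in _store:
        _store[username] = {"series": _fresh(), "token": _fresh(), "ip": ip, "events": deque()}
    return _cookie(username)

def check_cookie(cookie, ip, now):
    """Validate a remember-me cookie; returns (status, cookie_to_set_or_None)."""
    name = cookie["username"]
    r = _store.get(name)
    if r is None or not hmac.compare_digest(r["series"], cookie["series"]):
        return "invalid", None                  # unknown user or dead series: plain re-login
    if hmac.compare_digest(r["token"], cookie["token"]):
        r["token"], r["ip"] = _fresh(), ip      # normal case: a new session rotates the token
        return "ok", _cookie(name)
    # Series matches but token does not: a second device, or a stolen cookie.
    if ip == r["ip"]:
        return "resynced", _cookie(name)        # rule (b): same IP, just resync the cookie
    ev = r["events"]                            # rule (c): different IP, count the flip-flops
    ev.append(now)
    while ev and now - ev[0] > WINDOW_SECONDS:
        ev.popleft()
    if len(ev) >= MAX_CROSS_IP_MISMATCHES:
        del _store[name]                        # clear series and token: every cookie dies
        return "theft_suspected", None          # caller forces a password (or a change)
    r["token"], r["ip"] = _fresh(), ip          # tolerated: the token moves to this IP
    return "ok", _cookie(name)
```

The caller sets the returned cookie on the client; `theft_suspected` and `invalid` both send the user to the password form, and only the former should also trigger the warning the article mentions.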
I think this is a good solution. The illusion of cookie theft can even be handled in a "self-defeating" way, as QQ does: the user who logs in later squeezes out the one who logged in earlier.