When we first wrote PHP backends, the admin area needed some form of administrator authentication, and developers new to PHP usually did it with a cookie:

<?php
// admin/login.php
if ($credentialsValid) {           // username and password matched a row in the user table
    setcookie('admin', 1, time() + 36400);
    echo 'Login successful';
}

// any admin page: trusts a flag the client sent
if (($_COOKIE['admin'] ?? '') == 1) {
    echo 'Has permission';
}
This is a serious security risk. Cookies live on the client and can be edited freely: in the browser's developer tools, with an intercepting proxy, or directly in the cookie store on disk.
Anyone who sets admin=1 in their own cookie gets administrative rights without ever logging in.
The safer pattern keeps the decision on the server. At login, store values the server can re-verify on every request:
<?php
// admin/login.php
if ($credentialsValid) {           // username and password matched a row, now in $user
    // The cookie carries the user's id and the 32-character hex md5 of the stored password
    setcookie('userid', $user['userid'], time() + 36400);
    setcookie('userpass', $user['userpass'], time() + 36400);
    echo 'Login successful';
}
Then, on every admin page, check permissions against the database rather than against the cookie alone:

<?php
// any admin page (assumes an open PDO connection in $pdo and a table `users`)
if (!isset($_COOKIE['userid'], $_COOKIE['userpass'])) {
    echo 'No permission';
    exit;
}
// Bind the cookie values as parameters; never splice them into the SQL string
$stmt = $pdo->prepare('SELECT rank FROM users WHERE userid = ? AND userpass = ?');
$stmt->execute([$_COOKIE['userid'], $_COOKIE['userpass']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || (int) $row['rank'] !== 1) {
    echo 'No permission';
    exit;
}
Now a forged cookie by itself is useless: the server re-checks the id and password hash against the database on every request, and the rank comes from the database row, not from anything the client sent. Two caveats remain. First, the cookie values are attacker-controlled input, so they must be bound as query parameters (PDO or mysqli; the old mysql_* extension was removed in PHP 7.0), otherwise the cookie becomes a SQL injection vector. Second, the md5 hash in the cookie is itself a reusable credential: anyone who can read it (plain HTTP, a script injected into the page, a shared machine) can replay it for as long as the cookie is valid, and an unsalted md5 of a password is quick to crack once it leaks. The cleaner design is to send the client nothing but an opaque session id and keep identity and rank on the server.
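As an added example (not code from the original page), here is the same login and permission check written the way a current PHP backend would do it: the client only receives an opaque session id, the user's id and rank stay in server-side session storage, and passwords are stored with password_hash() rather than md5, so nothing in the cookie is worth forging or replaying. It assumes a PDO connection in $pdo and a table `users` with columns userid, username, userpass and rank (1 = administrator); those names are assumptions, not the page's.

```php
<?php
// Added example: server-side session authentication for an admin area.
// Assumptions (not from the original page): a PDO connection in $pdo and a
// table `users` with columns userid, username, userpass (a password_hash()
// string, created with password_hash($plain, PASSWORD_DEFAULT) at signup)
// and rank (1 = administrator).
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;                   // already started on this request
    }
    // The cookie holds only a random id; identity and rank live server-side,
    // so editing the cookie gains nothing. Flags limit theft of the id itself.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,       // sent over HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not attached to cross-site requests
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();

    // Parameter binding: the username is user input and never touches the SQL text
    $stmt = $pdo->prepare('SELECT userid, userpass, rank FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt and cost from the stored hash and
    // compares in constant time; an unknown user fails the same way as a bad password.
    if ($user === false || !password_verify($password, $user['userpass'])) {
        return false;
    }

    // Fresh session id on privilege change, so a pre-set id (session fixation)
    // cannot ride along into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $user['userid'];
    $_SESSION['rank']   = (int) $user['rank'];
    return true;
}

function require_admin(): void
{
    start_secure_session();
    // Rank comes from server-side storage that the client never sees or edits
    if (($_SESSION['rank'] ?? 0) !== 1) {
        http_response_code(403);
        echo 'No permission';
        exit;
    }
}

// admin/login.php
// if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     echo 'Login successful';
// }
//
// top of every admin page
// require_admin();
```

Repeating the cookie-editing test from above against this version shows the difference: changing the session id to an arbitrary value only produces an empty session with no rank, and there is no hash in the cookie to steal or crack. The array form of session_set_cookie_params() needs PHP 7.3 or later.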