Some pitfalls we ran into with WeAuth WeChat scan-to-login


Some time ago I found a WeChat mini program that lets users log in by scanning a QR code with WeChat, and I did some custom development on top of it. Along the way I ran into a few doubts and problems, which I am recording here. If anyone passing by sees how they can be solved, please help me fix and improve the program.

[Image: Pitfalls encountered while developing WeAuth WeChat scan-to-login, 极客公园 (Geek Park)]

Introduction

Update: this problem has since been solved with another method, which works perfectly.

Access process

The login and integration flow of the mini program is simple:

1. Our backend generates a random number (the state), concatenates it into a request string and sends the request to the mini program server.
2. The mini program server verifies the request and returns a QR code, which we show to the user.
3. The user scans the QR code and authorises the login. The mini program server then sends a request to our system containing the user's information and a verification code, which is simply the random number from step 1.
4. We compare the verification code with the random number we generated earlier to confirm that the request belongs to a login we initiated. Only if they match does the flow continue.
5. The user information is an encoded array: we decode it, read the fields we need, and insert the user into our system, completing registration and login.

Problems encountered

The flow above works as described; what got stuck was the last step, automatic login. After the user information has been fetched and inserted into the database, registration succeeds but the automatic login does not. I first suspected the auto-login code, or interference from SSL, but testing showed the auto-login code itself is fine. After some investigation the real cause appears to be the cookie, or more precisely where the cookie ends up. The mini program server submits its request to a /weauth path on our site, so my first guess was that the cookie created by the automatic login is scoped to that path rather than to the site root. That may not be the real reason, though. The more likely explanation is the second one: the request that carries the user information is made by the mini program server, not by the user's browser, so any Set-Cookie in our response goes back to the mini program server and the browser never receives a session cookie at all. Either way, the automatic login has no visible effect.

solve the problem

My temporary workaround is this: once the account registration is confirmed, perform a GET redirect, and use that redirect, which the browser itself follows, to complete the automatic login. Testing confirms that logging in through the GET redirect works. Logging in via GET is not safe on its own, because the parameters are visible in the URL (and therefore in browser history, server logs and Referer headers), so the remaining question is how to make this GET login secure.

Data security verification

Data security checks are essential throughout the flow, and two places need them. The first is the request from the mini program system to our system, where the verification code must be checked against the locally stored random number. The second is the data carried by the GET redirect. Both are solved with WordPress transients: a value is saved to the database with an expiration time and becomes unavailable once that time has passed.

The design is handled like this. When the random number is first generated, it is stored in the database as the transient name; the transient content can be anything, and I set it to 1. When the mini program system pushes the verification code to us, we use that code as the transient name and try to read the transient. If nothing comes back, the transaction code is wrong (or has expired) and the security check fails. Two details matter here: the random number must be long enough to be unguessable, because anyone who can guess a live one can drive a login, and the transient should be deleted as soon as it has been used so that the same code cannot be replayed within the expiry window.

The second security check uses the same random number. When authorisation succeeds, we create a second transient whose name is again the random number, with the string ok appended to avoid a clash with the first one, and whose value is the ID of the user who just scanned the code.
On the front end, once authentication and authorisation have succeeded, the page performs a GET redirect carrying the random number, for example spam=123456. We then read the transient 123456ok; if its value is, say, 20, the user who scanned is user 20, and we log that user in. The only data the user can see or find is the random number itself, which is invalid after one minute and carries no meaning on its own. In short, every scan login creates a transient, and that transient has to be read back before the automatic login can happen. Because whoever presents a live random number within that minute is logged in as that user, the number must be high-entropy, should be deleted once it has been redeemed, and ideally is also tied to the browser that requested the QR code (for example through a cookie set when the QR page was rendered), so that a leaked URL alone is not enough.
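The three pieces described above (the state nonce stored as a transient name, the callback check, and the GET redirect that reads the "ok" transient and logs the user in) as one WordPress plugin-style example. This is added code, not WeAuth's or the author's: every weauth_* name, the callback fields `code` and `userinfo` (assumed to be base64-encoded JSON with an `openid`), the query var `weauth_login` and the `/weauth` routing are assumptions. It goes a little beyond the post by using a 128-bit state instead of a short number, deleting each transient when it is consumed, and binding the completion URL to the browser that started the login with a cookie.

```php
<?php
// Added example (not WeAuth's or the author's code): nonce-bound scan-to-login for WordPress.
// Assumed: the applet server POSTs `code` (our state) and `userinfo` (base64 JSON with
// `openid`, optional `nickname`) to /weauth; wiring that route to weauth_handle_callback()
// (rewrite rule or REST endpoint) is left out.

const WEAUTH_TTL = 60; // seconds; the one-minute window the post describes

// Step 1: the browser opens the login page. Generate the state that is concatenated into
// the QR request, store it as a transient *name* (value irrelevant, 1 as in the post) and
// bind it to this browser with a cookie so a copied completion URL alone cannot log in.
function weauth_begin_login(): string {
    $state = bin2hex(random_bytes(16)); // 128 bits; a 6-digit number is guessable in a minute
    set_transient('weauth_' . $state, 1, WEAUTH_TTL);
    setcookie('weauth_state', $state, time() + WEAUTH_TTL, '/', '', is_ssl(), true);
    return $state;
}

// Step 2: callback from the applet server. This is server-to-server: a cookie set in this
// response goes back to the applet server, never to the user's browser.
function weauth_handle_callback(array $post): int {
    $state = isset($post['code']) ? sanitize_text_field(wp_unslash($post['code'])) : '';
    if (!preg_match('/^[0-9a-f]{32}$/', $state) || get_transient('weauth_' . $state) === false) {
        wp_die('invalid or expired state', '', ['response' => 403]);
    }
    delete_transient('weauth_' . $state); // single use: no replay inside the expiry window

    $decoded = base64_decode((string) ($post['userinfo'] ?? ''), true);
    $info    = $decoded === false ? null : json_decode($decoded, true);
    if (!is_array($info) || empty($info['openid'])) {
        wp_die('bad user info', '', ['response' => 400]);
    }
    $user_id = weauth_find_or_create_user($info);
    // Hand-off record for the browser: "<state>ok" => user ID, exactly as the post does.
    set_transient('weauth_' . $state . 'ok', $user_id, WEAUTH_TTL);
    return $user_id;
}

function weauth_find_or_create_user(array $info): int {
    $openid = sanitize_text_field($info['openid']);
    $ids = get_users(['meta_key' => 'weauth_openid', 'meta_value' => $openid,
                      'number' => 1, 'fields' => 'ID']);
    if (!empty($ids)) {
        return (int) $ids[0];
    }
    $login   = 'wx_' . substr(hash('sha256', $openid), 0, 12); // do not expose the openid as a login
    $user_id = wp_insert_user([
        'user_login'   => $login,
        'user_pass'    => wp_generate_password(32, true, true),
        'display_name' => sanitize_text_field($info['nickname'] ?? $login),
        'role'         => 'subscriber',
    ]);
    if (is_wp_error($user_id)) {
        wp_die($user_id->get_error_message(), '', ['response' => 500]);
    }
    update_user_meta($user_id, 'weauth_openid', $openid);
    return $user_id;
}

// Step 3: the GET jump. The browser requests /?weauth_login=<state>; only a response to the
// browser's own request can set the WordPress auth cookie.
function weauth_finish_login(): void {
    if (empty($_GET['weauth_login'])) {
        return;
    }
    $state = sanitize_text_field(wp_unslash($_GET['weauth_login']));
    $bound = isset($_COOKIE['weauth_state'])
        ? sanitize_text_field(wp_unslash($_COOKIE['weauth_state'])) : '';
    // The state is visible in the URL (history, logs, Referer); requiring the matching
    // cookie means the link is only useful in the browser that started the login.
    if (!preg_match('/^[0-9a-f]{32}$/', $state) || !hash_equals($state, $bound)) {
        wp_die('login link is not bound to this browser', '', ['response' => 403]);
    }
    $user_id = get_transient('weauth_' . $state . 'ok');
    if ($user_id === false) {
        wp_die('scan not completed or link expired', '', ['response' => 403]);
    }
    delete_transient('weauth_' . $state . 'ok'); // consume it, or the URL stays reusable
    wp_set_auth_cookie((int) $user_id, false, is_ssl());
    setcookie('weauth_state', '', time() - 3600, '/', '', is_ssl(), true);
    wp_safe_redirect(home_url('/'));
    exit;
}
add_action('init', 'weauth_finish_login');
```

The page that shows the QR code calls weauth_begin_login() and sends the returned state to the applet server; when the front end learns that the scan succeeded it navigates to /?weauth_login=<state>. Note that the transient name limit (172 characters) comfortably holds the prefix plus a 32-character state.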

Design chart

[Design chart image: Pitfalls encountered while developing WeAuth WeChat scan-to-login, 极客公园 (Geek Park)]

Related Links

WeAuth mini program official website

--End--


20 Replies to "Encountered some pitfalls during WeAuth WeChat code scanning login"

  1. I think we should just switch to another payment method: generate a recharge card from gold coins, then sell it through one of the many recharge-card consignment websites, and let users top up themselves after buying the card.
    Right now you can top up on the website directly. Policy always swings between tight and loose; when it is loose this is convenient and fast, but every time it tightens, it lets you down.