The security problem of a WeChat official account developer obtaining an openid through web page authorization and exchanging it for member_id and token

1. Obtain the openid through WeChat official account authorization, then look up the account bound to this openid in the backend
2. Achieve automatic login by splicing member_id and token into the URL and returning the user information

The problem arises here: although we have a transfer page on the front end that saves member_id and token and then performs the jump, so that member_id and token are not exposed to the user, the jump takes a long time when the user's network environment is very slow. How do we solve the problem that the user can share the page containing member_id and token, so that others can click on his sharing link and log in to his account?


Add a one-time token check: send the token to a cookie for the currently logged-in user, and after the user jumps, verify whether the token exists or is valid.


You can bind and save it in a cookie when the authorization login successfully obtains the openid, and then verify whether this cookie value exists on the page that needs to verify the login.
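The one-time, cookie-bound login code suggested in the two answers, as an added example that is not code from the original thread. It assumes the OAuth callback has already mapped the openid to a member_id and has set a random nonce as an HttpOnly cookie; the in-memory dict stands in for the backend's session store, and the redirect URL carries only the opaque code instead of member_id and token, so a shared link can be redeemed neither twice, nor after expiry, nor from a browser without the cookie.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store (assumption: a real backend would use Redis or a DB).
# code -> (member_id, sha256(cookie_nonce), expiry timestamp)
ONE_TIME_CODES = {}
CODE_TTL = 120  # seconds: generous for a slow network, short for a shared link


def _nonce_hash(cookie_nonce: str) -> str:
    return hashlib.sha256(cookie_nonce.encode()).hexdigest()


def issue_login_code(member_id: str, cookie_nonce: str, now=None) -> str:
    """Called in the OAuth callback after openid -> member_id lookup.
    Returns the opaque code to put in the redirect URL; the same response
    must set `cookie_nonce` as an HttpOnly cookie on the user's browser."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    ONE_TIME_CODES[code] = (member_id, _nonce_hash(cookie_nonce), now + CODE_TTL)
    return code


def build_redirect(landing_url: str, code: str) -> str:
    """The URL the transfer page jumps to: only the one-time code is exposed."""
    return f"{landing_url}?code={code}"


def redeem_login_code(code: str, cookie_nonce: str, now=None):
    """Called on the landing page. Returns member_id on success, else None.
    The code is removed on the first attempt regardless of outcome (single use),
    then checked for expiry and for the nonce cookie of the issuing browser."""
    now = time.time() if now is None else now
    entry = ONE_TIME_CODES.pop(code, None)
    if entry is None:
        return None  # unknown, or already used by a shared-link click
    member_id, expected_hash, expires = entry
    if now > expires:
        return None
    if not hmac.compare_digest(_nonce_hash(cookie_nonce), expected_hash):
        return None  # different browser: cookie nonce does not match
    return member_id
```

On success the landing page issues its own session cookie; member_id and the long-lived token never appear in a URL.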