PHP Implementation of Mobile Verification Login: Detailed Steps and Considerations

gitbox 2025-06-16

1. Introduction

As internet applications continue to evolve, user login verification has become an indispensable feature for websites and apps. Especially in mobile applications, mobile verification login is becoming increasingly popular. In order to improve user experience, SMS verification login is widely adopted. This article will introduce how to implement mobile verification login functionality using PHP.

2. Implementation Steps

2.1. Obtaining the Verification Code

The first step in mobile verification login is obtaining the verification code. One common way is to use an SMS API. In this article, we will demonstrate how to obtain the SMS verification code using Alibaba Cloud's SMS service.

First, you need to include the SMS service SDK:


require_once 'alidayu/TopSdk.php';
date_default_timezone_set('Asia/Shanghai');

Next, set up the relevant parameters:


// Set appkey and secret
$c = new TopClient();
$c->appkey = 'appkey';
$c->secretKey = 'secret';
$req = new AlibabaAliqinFcSmsNumSendRequest();
// Set SMS type
$req->setSmsType("normal");
// Set SMS sign name
$req->setSmsFreeSignName("Login Verification");
// Set the phone number to receive the SMS
$req->setRecNum("Phone number");
// Set the SMS template ID
$req->setSmsTemplateCode("SMS_5044823");
// Set the SMS parameters (verification code)
$random = mt_rand(1000, 9999);
$req->setSmsParam("{\"code\":\"$random\"}");
// Execute send
$resp = $c->execute($req);

Note that appkey, secret, and the SMS template ID need to be created in the Alibaba Cloud Console.

2.2. Storing the Verification Code

For storing the verification code, you can choose either Session or Redis. In this article, we will use Redis because it offers better scalability, making it more suitable for high-concurrency scenarios.

First, include Redis:


$redis = new Redis();
$redis->connect('localhost', 6379);

Then, store the verification code and set the expiration time:


$redis->set('key', 'value');
// Set the expiration time for the verification code (10 minutes)
$redis->expire('key', 600);

2.3. Verifying the Code

Once the user enters the verification code, the system needs to compare the user's input with the stored code in Redis:


// Get the verification code entered by the user
$code = $_POST['code'];
// Get the verification code stored in Redis
$redis_code = $redis->get('key');
if ($code == $redis_code) {
    // Verification successful
} else {
    // Verification failed
}

2.4. Handling Login Success

After the verification is successful, you typically need to store the user's information in the Session or the database to manage their login status.

2.5. Security Handling

While implementing mobile verification login, it is important to handle security concerns. Since the verification code has a short validity period, it is prone to malicious attacks. To prevent brute-force cracking, it is recommended to limit the number of verification requests a user can make within a certain period or use additional security measures, such as CAPTCHA or sliding verification.

3. Considerations

3.1. Verification Code Validity Period

The validity period of the verification code should be set according to the specific business scenario. Generally, a validity period between 60 seconds and 5 minutes is appropriate. However, in special cases, such as when a user is in an area with unstable mobile signal or during holidays when the user might not receive the code promptly, it may be necessary to extend the validity period of the code.

3.2. Setting Anti-Scraping Strategies

To prevent the malicious scraping of verification codes, it is necessary to set up anti-scraping strategies. For example, you can limit the number of requests a user can make for the verification code within a specific time frame, or incorporate CAPTCHA and sliding verification to increase security.

3.3. Database Field Setup

When implementing mobile verification login, it is recommended to add a field in the database to indicate the login method used by the user. By default, users log in with a password. If the user logs in using a verification code, this field can be marked as “code” or another identifier to facilitate subsequent processing.

4. Conclusion

This article demonstrates how to implement mobile verification login functionality with PHP, covering the process of obtaining, storing, and verifying the verification code. It also discusses the configuration of the verification code's validity period, anti-scraping strategies, and database field configuration to ensure a secure and efficient login experience. Developers should choose the appropriate solution based on their actual needs to ensure both the security and efficiency of the system.