Small businesses favor mini programs because they are cheap to develop. C2C, B2C and other enterprises favor the WeChat ecosystem because it is complete and has a large user base. Whatever kind of enterprise you are, building a good mini program means mastering the mini program login system.

Complete process of login system

Basic part analysis

API and parameter parsing

  • wx.login: a mini program API. It can be called directly in the mini program, and its return value is a code.

  • code: the user login credential, valid for five minutes. It is one of the parameters the third-party server sends to the WeChat service in exchange for session_key and openid.

  • appid: once a mini program's application is approved in WeChat, WeChat assigns the application a unique identifier, the appid. It is one of the parameters the third-party server sends to the WeChat service in exchange for session_key and openid.

  • appsecret: the application's secret key. It can generally be viewed and reset through the WeChat public platform, but avoid resetting it as far as possible except in special cases. It is also one of the parameters the third-party server sends to the WeChat service in exchange for session_key and openid.

  • openid: the unique id of a user for an application. This id does not change unless the application changes. Third-party applications usually rely on it as the user id to identify users accurately.

  • session_key: the session key. Encryption and decryption of user data depends on it (for example, decrypting the user's mobile phone number after obtaining it). It is updated when the user calls wx.login to obtain a code. To keep communication between the third-party server and the WeChat server working, the third-party server should exchange the code for the session_key with the WeChat server promptly after the mini program calls wx.login.

  • Custom login state: usually generated by the third-party server from the openid and some algorithmic logic, and unique (for example a token, PPU or uid; the application can define whatever unique login information it needs).

Problem resolution

  • Can mini programs send requests directly to the WeChat server? A: No. The mini program management platform requires legitimate request domain names to be configured, and other domain names are not allowed to be set. Therefore the mini program cannot make legitimate requests to the WeChat server.
  • If the third-party server does not create a custom login state but returns the openid and other data directly to the mini program, is that unsafe? A: It depends on the service. For simple business logic it is acceptable as long as information security is ensured, but it is not recommended. For applications with a relatively large user base that handle commodity information, payment and similar operations (such as Zhuan, Jingdong, etc.), the openid must not be exposed directly to the client as the sole login state.

Optimization part analysis


  • Storing the custom login state: the mini program's cache is storage, which can be written asynchronously as needed. The returned login information is stored in this cache.
  • Sending requests with the custom login state: wrap the request function so that it reads the custom login state from the cache on every request and puts it in the request headers (as a cookie or a token, as needed).

Problem resolution

  • Does the custom login state expire? If so, what should I do? A: A reasonable login state normally expires, and how it does so depends on how the third-party server handles it. If the mini program uses old login state information to request business data, the server returns a specific "invalid" status code defined in the interface format agreed with the partner, and the mini program then repeats the basic part of the process to obtain the latest login state information.
  • What does a partner need to provide to encapsulate a complete login system? A: 1. An interface that exchanges the code for the login state. 2.
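
The custom login state and its expiration, as described above, can be sketched on the third-party server as follows. This is an added example, not code from the original article. It assumes a random token mapped to the openid on the server in place of one derived from the openid; the names issueLoginState and authenticate, the status code 40101 and the two-hour lifetime are all hypothetical.

```javascript
// Added example (Node.js): custom login state on the third-party server.
const nodeCrypto = require('crypto');

const SESSION_TTL_MS = 2 * 60 * 60 * 1000; // assumed lifetime: 2 hours
const STATUS_LOGIN_INVALID = 40101;         // hypothetical code agreed with the partner
const sessions = new Map();                 // sha256(token) -> { openid, sessionKey, expiresAt }

// Only a hash of the token is stored, so a leaked store yields no usable tokens.
const digest = (token) =>
  nodeCrypto.createHash('sha256').update(String(token)).digest('hex');

// exchangeResult is what the WeChat service returned for appid + appsecret + code.
function issueLoginState(exchangeResult, now = Date.now()) {
  const { openid, session_key: sessionKey } = exchangeResult || {};
  if (!openid || !sessionKey) throw new Error('code exchange failed');
  // A random token reveals nothing about the openid and cannot be derived from it.
  const token = nodeCrypto.randomBytes(32).toString('hex');
  sessions.set(digest(token), { openid, sessionKey, expiresAt: now + SESSION_TTL_MS });
  return { token }; // openid and session_key stay on the server
}

// Called for every business request with the token read from the request header.
function authenticate(token, now = Date.now()) {
  const key = digest(token || '');
  const entry = sessions.get(key);
  if (!entry || entry.expiresAt <= now) {
    sessions.delete(key);
    // The mini program reacts to this code by calling wx.login again.
    return { ok: false, status: STATUS_LOGIN_INVALID };
  }
  return { ok: true, openid: entry.openid };
}
```

On receiving the invalid status code, the mini program clears the cached token from storage and repeats the basic part of the process.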

