Heim > Backend-Entwicklung > PHP-Tutorial > 用户登录之cookie信息安全一二事,cookie信息安全_PHP教程

用户登录之cookie信息安全一二事,cookie信息安全_PHP教程

WBOY
Freigeben: 2016-07-13 10:08:53
Original
1429 Leute haben es durchsucht

用户登录之cookie信息安全一二事,cookie信息安全

大家都知道用户登陆后,用户信息一般会选择保存在cookie里面,因为cookie是保存客户端,
并且cookie可以在客户端用浏览器自由更改,这样将会造成用户cookie存在伪造的危险,从而可能使伪造cookie者登录任意用户的账户。

下面就说说平常一些防止用户登录cookie信息安全的方法:

一、cookie信息加密法
cookie信息加密法即用一种加密方法,加密用户信息,然后在存入cookie,这样伪造者即使得到cookie也只能在cookie有效期内对这个cookie利用,无法另外伪造cookie信息。

这里附上一个加密函数: 

<!--?<span>php

</span><span>function</span> authcode(<span>$string</span>, <span>$operation</span> = 'DECODE', <span>$key</span> = '', <span>$expiry</span> = 0<span>) {   

    </span><span>//</span><span> 动态密匙长度,相同的明文会生成不同密文就是依靠动态密匙   </span>

    <span>$ckey_length</span> = 4<span>;   

       

    </span><span>//</span><span> 密匙   </span>

    <span>$key</span> = <span>md5</span>(<span>$key</span> ? <span>$key</span> : <span>$GLOBALS</span>['discuz_auth_key'<span>]);   

       

    </span><span>//</span><span> 密匙a会参与加解密   </span>

    <span>$keya</span> = <span>md5</span>(<span>substr</span>(<span>$key</span>, 0, 16<span>));   

    </span><span>//</span><span> 密匙b会用来做数据完整性验证   </span>

    <span>$keyb</span> = <span>md5</span>(<span>substr</span>(<span>$key</span>, 16, 16<span>));   

    </span><span>//</span><span> 密匙c用于变化生成的密文   </span>

    <span>$keyc</span> = <span>$ckey_length</span> ? (<span>$operation</span> == 'DECODE' ? <span>substr</span>(<span>$string</span>, 0, <span>$ckey_length</span>): 

<span>substr</span>(<span>md5</span>(<span>microtime</span>()), -<span>$ckey_length</span>)) : ''<span>;   

    </span><span>//</span><span> 参与运算的密匙   </span>

    <span>$cryptkey</span> = <span>$keya</span>.<span>md5</span>(<span>$keya</span>.<span>$keyc</span><span>);   

    </span><span>$key_length</span> = <span>strlen</span>(<span>$cryptkey</span><span>);   

    </span><span>//</span><span> 明文,前10位用来保存时间戳,解密时验证数据有效性,10到26位用来保存$keyb(密匙b), 

//解密时会通过这个密匙验证数据完整性   

    // 如果是解码的话,会从第$ckey_length位开始,因为密文前$ckey_length位保存 动态密匙,以保证解密正确   </span>

    <span>$string</span> = <span>$operation</span> == 'DECODE' ? <span>base64_decode</span>(<span>substr</span>(<span>$string</span>, <span>$ckey_length</span>)) :  

<span>sprintf</span>('%010d', <span>$expiry</span> ? <span>$expiry</span> + <span>time</span>() : 0).<span>substr</span>(<span>md5</span>(<span>$string</span>.<span>$keyb</span>), 0, 16).<span>$string</span><span>;   

    </span><span>$string_length</span> = <span>strlen</span>(<span>$string</span><span>);   

    </span><span>$result</span> = ''<span>;   

    </span><span>$box</span> = <span>range</span>(0, 255<span>);   

    </span><span>$rndkey</span> = <span>array</span><span>();   

    </span><span>//</span><span> 产生密匙簿   </span>

    <span>for</span>(<span>$i</span> = 0; <span>$i</span> <= 255; <span>$i</span>++<span>) {   

        </span><span>$rndkey</span>[<span>$i</span>] = <span>ord</span>(<span>$cryptkey</span>[<span>$i</span> % <span>$key_length</span><span>]);   

    }   

    </span><span>//</span><span> 用固定的算法,打乱密匙簿,增加随机性,好像很复杂,实际上对并不会增加密文的强度   </span>

    <span>for</span>(<span>$j</span> = <span>$i</span> = 0; <span>$i</span> < 256; <span>$i</span>++<span>) {   

        </span><span>$j</span> = (<span>$j</span> + <span>$box</span>[<span>$i</span>] + <span>$rndkey</span>[<span>$i</span>]) % 256<span>;   

        </span><span>$tmp</span> = <span>$box</span>[<span>$i</span><span>];   

        </span><span>$box</span>[<span>$i</span>] = <span>$box</span>[<span>$j</span><span>];   

        </span><span>$box</span>[<span>$j</span>] = <span>$tmp</span><span>;   

    }   

    </span><span>//</span><span> 核心加解密部分   </span>

    <span>for</span>(<span>$a</span> = <span>$j</span> = <span>$i</span> = 0; <span>$i</span> < <span>$string_length</span>; <span>$i</span>++<span>) {   

        </span><span>$a</span> = (<span>$a</span> + 1) % 256<span>;   

        </span><span>$j</span> = (<span>$j</span> + <span>$box</span>[<span>$a</span>]) % 256<span>;   

        </span><span>$tmp</span> = <span>$box</span>[<span>$a</span><span>];   

        </span><span>$box</span>[<span>$a</span>] = <span>$box</span>[<span>$j</span><span>];   

        </span><span>$box</span>[<span>$j</span>] = <span>$tmp</span><span>;   

        </span><span>//</span><span> 从密匙簿得出密匙进行异或,再转成字符   </span>

        <span>$result</span> .= <span>chr</span>(<span>ord</span>(<span>$string</span>[<span>$i</span>]) ^ (<span>$box</span>[(<span>$box</span>[<span>$a</span>] + <span>$box</span>[<span>$j</span>]) % 256<span>]));   

    }   

    </span><span>if</span>(<span>$operation</span> == 'DECODE'<span>) {  

        </span><span>//</span><span> 验证数据有效性,请看未加密明文的格式   </span>

        <span>if</span>((<span>substr</span>(<span>$result</span>, 0, 10) == 0 || <span>substr</span>(<span>$result</span>, 0, 10) - <span>time</span>() --> 0) &&  

<span>substr</span>(<span>$result</span>, 10, 16) == <span>substr</span>(<span>md5</span>(<span>substr</span>(<span>$result</span>, 26).<span>$keyb</span>), 0, 16<span>)) {   

            </span><span>return</span> <span>substr</span>(<span>$result</span>, 26<span>);   

        } </span><span>else</span><span> {   

            </span><span>return</span> ''<span>;   

        }   

    } </span><span>else</span><span> {   

        </span><span>//</span><span> 把动态密匙保存在密文里,这也是为什么同样的明文,生产不同密文后能解密的原因   

        // 因为加密后的密文可能是一些特殊字符,复制过程可能会丢失,所以用base64编码   </span>

        <span>return</span> <span>$keyc</span>.<span>str_replace</span>('=', '', <span>base64_encode</span>(<span>$result</span><span>));   

    }   

} 


 

</span><span>$str</span> = 'abcdef'<span>; 

</span><span>$key</span> = 'www.phpskill.com'<span>; 

</span><span>echo</span> <span>$jm</span> = authcode(<span>$str</span>,'ENCODE',<span>$key</span>,0); <span>//</span><span>加密 </span>
<span>echo</span> "
"<span>;

</span><span>echo</span> authcode(<span>$jm</span> ,'DECODE',<span>$key</span>,0); <span>//</span><span>解密</span>

?>
Nach dem Login kopieren

这样当设置用户信息的cookie时,就无法对其进行伪造:

<!--?<span>php

</span><span>$user</span> = <span>array</span>("uid"=--><span>$uid</span>,"username"=><span>$username</span><span>);

</span><span>$user</span> = <span>base64_encode</span>(<span>serialize</span>(<span>$user</span><span>));
</span><span>$user</span> =  authcode(<span>$user</span>,'ENCODE','www.phpskill.com',0); <span>//</span><span>加密 </span>
<span>setcookie</span>("user",<span>$user</span>,<span>time</span>()+3600*24<span>);

</span>?>
Nach dem Login kopieren

二、用加密令牌对cookie进行保护

<span>$hash</span> = <span>md5</span>(<span>$uid</span>.<span>time</span>());<span>//</span><span>加密令牌值</span>
<span>$hash_expire</span> =<span>time</span>()+3600*24;<span>//</span><span>加密令牌值为一天有效期</span>
<span>$user</span> = <span>array</span>("uid"=><span>$uid</span>,"username"=><span>$username</span>,"hash"=><span>$hash</span><span>);

</span><span>$user</span> = <span>base64_encode</span>(<span>serialize</span>(<span>$user</span><span>));

</span><span>setcookie</span>("user",<span>$user</span>,<span>$hash_expr</span><span>);

然后把</span><span>$hash和$hash_expire</span> 存入member表中hash和hash_expire对应字段中,<span>也可以存入nosql,session

用户伪造cookie时,hash无法伪造</span>,<span>伪造的hash和数据库中的不一致

用户每次登陆,这个hash_expire有效期内不更新hash值,过期则更新</span>
Nach dem Login kopieren

 

php纯技术交流群: 323899029

原文转载于:http://www.phpskill.com/html/show-1-4424-1.html

www.bkjia.comtruehttp://www.bkjia.com/PHPjc/949211.htmlTechArticle用户登录之cookie信息安全一二事,cookie信息安全 大家都知道用户登陆后,用户信息一般会选择保存在cookie里面,因为cookie是保存客户端,...
Verwandte Etiketten:
Quelle:php.cn
Erklärung dieser Website
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn
Beliebte Tutorials
Mehr>
Neueste Downloads
Mehr>
Web-Effekte
Quellcode der Website
Website-Materialien
Frontend-Vorlage