A token is, put simply, a random value; its defining property is unpredictability. An attacker, or an automated tool, should not be able to guess it.
So what is a token for, and how does it work?
Tokens are typically used in two places: preventing duplicate form submissions, and preventing CSRF (cross-site request forgery) attacks.
Both uses rest on the same session-token mechanism. When a client requests a page, the server generates a random token, stores it in the session, and sends it to the client (usually as a hidden form field). When the client submits the form, the token comes back to the server as part of the form data.
For CSRF protection, the server checks whether the submitted token equals the token stored in the session. If it does, the request came from a form the server itself rendered into the user's own page rather than one forged by a third-party site, because a cross-site attacker cannot read the token out of the victim's page or session.
For duplicate-submission protection, the server additionally replaces the session token after the first successful validation. If the user submits again (a double click, a refresh, the back button), the second validation fails: the token in the resubmitted form is unchanged, but the token in the session has moved on.
The session approach above is reasonably safe, but it has costs: when several pages or several requests are in flight at once, a single session token is not enough and you have to keep one token per form, which takes more server resources and slows things down. An alternative that is sometimes suggested is to record the state in a cookie instead of a session token. For duplicate-submission protection, for example, a record of the submission is written into a cookie after the first submit, and the second submit is rejected because the cookie already carries a submission record.
Cookie storage, however, has a fatal weakness. The browser attaches cookies to every request to the site automatically, including requests forged from another origin, so a cookie value that is not also required in the request body gives no CSRF protection at all. And if the cookie is stolen (an XSS vulnerability makes that easy), it is game over: the attacker holds the same state the server trusts and can forge requests directly.
So safety and efficiency trade off against each other; choose the approach that fits the problem at hand.
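The two behaviours described above, as an added example that is not part of the original article. It runs at the command line: the `$session` array stands in for `$_SESSION`, the submitted values are constructed inline, and the class and method names (`TokenStore`, `issue`, `check`, `consume`) are this example's own. Tokens are keyed by form name, which is the "one token per form" arrangement the multi-page case calls for.

```php
<?php
// Added example (not from the original article). Simulates CSRF-mode and
// duplicate-submission-mode token checks against an in-memory session array.
declare(strict_types=1);

final class TokenStore
{
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;   // stand-in for $_SESSION
    }

    // Issue a token for one named form. Keying by form name lets several
    // pages or tabs hold valid tokens at once instead of overwriting each other.
    public function issue(string $form): string
    {
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->session['tokens'][$form] = $token;
        return $token;
    }

    // CSRF check: the submitted value must match what the session holds for
    // this form. The token is NOT rotated, so the form may be submitted again.
    public function check(string $form, mixed $submitted): bool
    {
        $expected = $this->session['tokens'][$form] ?? null;
        return is_string($submitted) && is_string($expected)
            && hash_equals($expected, $submitted);   // constant-time compare
    }

    // Duplicate-submission check: same as check(), but the token is removed
    // on success, so a second submission with the same token is rejected.
    public function consume(string $form, mixed $submitted): bool
    {
        if (!$this->check($form, $submitted)) {
            return false;
        }
        unset($this->session['tokens'][$form]);
        return true;
    }
}

// Tiny self-check helper so the expected results live in the code itself.
function expect(bool $actual, bool $wanted, string $what): void
{
    if ($actual !== $wanted) {
        throw new RuntimeException("unexpected result for: $what");
    }
    echo "ok: $what\n";
}

$session = [];                          // constructed stand-in for $_SESSION
$store   = new TokenStore($session);

// Page render: one token per form, both forms open at the same time
$tComment = $store->issue('comment');
$tProfile = $store->issue('profile');

// A forged cross-site request cannot know the token
expect($store->check('comment', 'guess'), false, 'guessed token rejected');
// Missing or non-string values must never reach hash_equals()
expect($store->check('comment', null),    false, 'missing token rejected');
expect($store->check('comment', ['x']),   false, 'array token rejected');
// Tokens are per form: the profile token does not open the comment form
expect($store->check('comment', $tProfile), false, 'wrong form token rejected');

// CSRF mode: the genuine token validates, and validates again
expect($store->check('comment', $tComment), true, 'genuine token accepted');
expect($store->check('comment', $tComment), true, 'same token accepted again');

// Duplicate-submission mode: first submit succeeds, the double click fails
expect($store->consume('comment', $tComment), true,  'first submit accepted');
expect($store->consume('comment', $tComment), false, 'resubmit rejected');

// Consuming the comment token leaves the other form's token untouched
expect($store->consume('profile', $tProfile), true, 'profile form unaffected');
```

Run it with `php tokenstore.php`; every line prints `ok`. The `mixed` parameter type is deliberate: `$_POST['token']` can be an array or absent, and `hash_equals()` throws a `TypeError` on non-strings, so the type checks happen before the comparison.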
Adding a token to a PHP form to prevent duplicate submissions
The principle is to generate a random string, store it in the session, and verify it when the form is submitted. This stops a third party from crafting a copy of the form to trick the user into submitting it, and it stops accidental repeat submissions and double clicks.
A simple PHP implementation follows:
<?php
/*
 * PHP: simply using a token to prevent duplicate form submission
 * This approach is purely for beginners' reference
 */
session_start();

function set_token() {
    // md5(microtime()) is predictable and is kept only because this is the
    // beginner example; use random_bytes() for anything real.
    $_SESSION['token'] = md5(microtime(true));
}

function valid_token() {
    $submitted = $_REQUEST['token'] ?? null;
    $return = is_string($submitted) && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
    // Rotate the token after every check so a resubmission fails
    set_token();
    return $return;
}

// If there is no token yet, generate one
if (!isset($_SESSION['token']) || $_SESSION['token'] == '') {
    set_token();
}

if (isset($_POST['test'])) {
    if (!valid_token()) {
        echo "token error";
    } else {
        // Escape the echoed value so the page does not reflect user input raw
        echo 'successfully submitted, value: ' . htmlspecialchars((string) $_POST['test']);
    }
}
?>
<form method="POST" action="">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
    <input type="text" name="test" value="Default" />
    <input type="submit" value="submit" />
</form>
The code above is the simplest possible version. The following splits the work into three files and was presented as somewhat more secure. Note, however, that its token generator originally drew from mt_rand() seeded with microtime(); that is a general-purpose PRNG, not a cryptographic one, so the generator below uses random_int() instead, and the comparison in action.php uses hash_equals() rather than ==.
token.php
<?php
/*
 * Created on 2013-3-25
 *
 * To change the template for this generated file go to
 * Window - Preferences - PHPeclipse - PHP - Code Templates
 */

// Generate a random token of $len characters. If $md5 is true the random
// string is run through md5() chunk by chunk, so the result is hex only.
// The default length of 32 is assumed (the original default was lost).
// The character set is the original array of letters, digits and printable
// punctuation, collapsed into one string.
function getToken($len = 32, $md5 = true) {
    // The original seeded mt_rand() with microtime() and drew from it.
    // mt_rand() is predictable, so random_int() (a CSPRNG, needs no seeding)
    // is used here instead.
    $chars = str_split(
        'abcdefghijklmnopqrstuvwxyz'
      . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
      . '0123456789'
      . '!@#$%^&*()_-+=[]{}|;:,.<>/?~`'
    );
    // Highest valid array index
    $numChars = count($chars) - 1;
    $token = '';
    // Build a random token of the requested length
    for ($i = 0; $i < $len; $i++) {
        $token .= $chars[random_int(0, $numChars)];
    }
    // Should the token be run through MD5?
    if ($md5) {
        // Number of 32-character chunks
        $chunks = ceil(strlen($token) / 32);
        $md5token = '';
        // Run each chunk through MD5 (each chunk yields 32 hex characters)
        for ($i = 1; $i <= $chunks; $i++) {
            $md5token .= md5(substr($token, $i * 32 - 32, 32));
        }
        // Trim the token back to the requested length
        $token = substr($md5token, 0, $len);
    }
    return $token;
}
?>
form.php
<?php
include_once("token.php");
$token = getToken();
session_start();
$_SESSION['token'] = $token;
?>
<form action="action.php" method="POST">
    <!-- escaped because with $md5 = false the token may contain " < > & -->
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" />
    <!-- other inputs and the submit button -->
</form>
action.php
<?php
session_start();
// Compare with hash_equals() rather than ==: PHP compares two numeric-looking
// strings (for example md5 output beginning with "0e") numerically under ==,
// and hash_equals() also runs in constant time. Guard the types first, since
// $_POST['token'] may be absent or an array.
$submitted = $_POST['token'] ?? null;
if (is_string($submitted) && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted)) {
    // One-time use: drop the token so a resubmission is rejected
    unset($_SESSION['token']);
    echo "This is a normal submission request";
} else {
    echo "This is an illegal submission request";
}
?>
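The form.php/action.php flow above, hardened and collapsed into one page, as an added example that is not part of the original article. The file name (index.php), the session key name and the function names are this example's own choices. It generates the token with random_bytes(), compares with hash_equals(), accepts the token only from POST, discards it after one successful use, and issues a fresh token on every render so that a user whose submit was rejected can simply resubmit the reloaded form.

```php
<?php
// Added example (not from the original article): single-page replacement for
// form.php + action.php. Save as index.php under a PHP-enabled web server.
declare(strict_types=1);
session_start();

const TOKEN_KEY = 'form_token';         // session key; name is this example's own

// Create a fresh unpredictable token and store it in the session.
function newToken(): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $_SESSION[TOKEN_KEY] = $token;
    return $token;
}

// Validate and consume the submitted token. Returns null on success, or a
// short reason on failure so the page can tell the user what went wrong.
function consumeToken(array $post): ?string
{
    $expected  = $_SESSION[TOKEN_KEY] ?? null;
    $submitted = $post['token'] ?? null;
    if (!is_string($expected)) {
        return 'no token in session (expired or already used)';
    }
    if (!is_string($submitted) || !hash_equals($expected, $submitted)) {
        return 'token mismatch';
    }
    unset($_SESSION[TOKEN_KEY]);        // one-time use: a resubmit now fails
    return null;
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = consumeToken($_POST);
    if ($error === null) {
        // The real work (save the record, send the mail, ...) goes here.
        $value   = $_POST['test'] ?? '';
        $value   = is_string($value) ? $value : '';
        $message = 'This is a normal submission request: '
                 . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    } else {
        $message = 'This is an illegal submission request (' . $error . ')';
    }
}

// Every render, success or failure, gets a new token for the next submit.
$token = newToken();
?>
<!DOCTYPE html>
<p><?= $message ?></p>
<form action="" method="POST">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" />
    <input type="text" name="test" value="Default" />
    <input type="submit" value="submit" />
</form>
```

Two behaviours are worth checking by hand: submit the form, then press the browser's back button and submit the stale copy again, which is rejected with "token mismatch" because the session now holds the newer token; and submit the same form from two tabs, where the second tab is rejected with "no token in session" because the first consumed it. If several independent forms must stay open at once, store the token under a key per form rather than a single TOKEN_KEY.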