Yahoo's approach to forging cross-site requests is to add a random string called. Crumb to the form, and Facebook has a similar solution, and its table dropdowns often have post_form_id and FB_DTSG.
A more common and inexpensive precaution is to include a random, frequently-changed string in all forms that may involve user writes, and then check the string when the form is processed. If this random string is associated with the current user identity, then the attacker would be more likely to spoof the request. Now, the precautionary approach is basically based on this approach.
Random string Code implementation
We follow this idea, cottage a crumb implementation, the code is as follows:
Copy the code code as follows:
!--? PHP class Crumb {
CONST SALT = "Your-secret-salt";
Static $ttl = 7200;
Static public Function Challenge ($data) {
return Hash_hmac (' MD5 ', $data, Self::salt);
}
Static public function Issuecrumb ($uid, $action =-1) {
$i = ceil (Time ()/self:: $TTL);
Return substr (Self::challenge ($i. $action. $uid),-12, 10);
}
Static public function Verifycrumb ($uid, $crumb, $action =-1) {
$i = ceil (Time ()/self:: $TTL);
if (substr (Self::challenge ($i. $action. $uid), -12) = = $crumb | |
substr (Self::challenge (($i-1). $action. $uid), -12,) = = $crumb)
return true;
return false;
}
}
The $uid in the code represents the user's unique identity, while $ttl represents the valid time of the random string.
Application examples
Construct a form
Insert a hidden random string in the form crumb
Copy the Code code as follows:
Working with Forms demo.php
Check the Crumb
Copy the Code code as follows:
if (Crumb::verifycrumb ($uid, $_post[' crumb ')) {
Process forms according to normal process
} else {
Crumb checksum failure, error message Flow
}
This article from the Bun Blog
http://www.bkjia.com/PHPjc/326620.html www.bkjia.com true http://www.bkjia.com/PHPjc/326620.html techarticle Yahoo's approach to forging cross-site requests is to add a random string called. Crumb to the form, and Facebook has a similar solution, and its table dropdowns often have post_form_id and FB_DTSG. ...