PHP encryption and decryption internal algorithm

Source: Internet
Author: User
Tags urlencode
Put the three functions in one file and call it fun.php.

<?php
// Interleave each character of a random MD5 string with the text character
// XORed against it, then XOR the whole result with md5($key) and base64 it.
function passport_encrypt($txt, $key) {
    srand((float)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode(passport_key($tmp, $key));
}

// Undo passport_key, then XOR each pair (random character, masked character).
function passport_decrypt($txt, $key) {
    $txt = passport_key(base64_decode($txt), $key);
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $md5 = $txt[$i];
        $tmp .= $txt[++$i] ^ $md5;
    }
    return $tmp;
}

// XOR the text with the repeating 32-character md5 of the key.
function passport_key($txt, $encrypt_key) {
    $encrypt_key = md5($encrypt_key);
    $ctr = 0;
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
?>

Here are some examples to deepen understanding of these three encryption and decryption functions.

<?php
// string.php
include "fun.php";

$txt = "This is a test";
$key = "TestKey";
$encrypt = passport_encrypt($txt, $key);
$decrypt = passport_decrypt($encrypt, $key);
echo $txt . "<br>";

Here is the key point. When you want to jump to another URL but also keep your session intact, you have to do something with the session. Suppose a company has a website and a forum, and both have registration and login, but the company does not want the user's session to expire when they jump from a page to the forum after logging in; that is, one login should work across the whole company.

So how do you handle the user's session?

Web pages are stateless. If you want to keep using the session on the new page, you need to move the session from one place to the other; some people may already have thought of passing it in the URL. PHP has a variable that handles the session, called $_SESSION. The values that need to be registered in the session are then held in an array. So you can write:

login.php

<?php
session_start();
include "fun.php";

// Session values registered at login
$_SESSION["UserID"];
$_SESSION["username"];
$_SESSION["Userpwd"];

// Serialize the session, encrypt it and pass it along in the URL
header("Location: http://$domain/process.php?s=" . urlencode(passport_encrypt(serialize($_SESSION), "SessionKey")));
?>

In the example above, serialize turns $_SESSION into data that can be stored, and passport_encrypt then encrypts that data. urlencode is added because the encrypted $_SESSION may contain unexpected characters, so it is there just in case (it turns out to be very effective).

First, process it:

process.php

<?php
session_start();
include "fun.php";

// Decrypt the URL parameter and restore the session from it
$_SESSION = unserialize(passport_decrypt($_GET["s"], "SessionKey"));
header("Location: http://$domain/index.php");
?>

First use $_GET["s"] to get the parameter from the URL, then use passport_decrypt to decrypt it, and then use unserialize to restore it to the original data. Once this is done, your page can jump freely through header.

This method also involves security issues. If your URL is obtained by someone else in transit, it gets awkward: although they may not be able to decipher the contents of the URL, they can use the URL directly to log in to some of your personal accounts, mailbox accounts, even bank accounts (of course very few people would write it this way; I am the exception, haha). That sounds frightening, but you can actually cancel the session on the jump page.

Here is the enhanced version of process.php

<?php
session_start();
include_once "fun.php";

$_SESSION = unserialize(passport_decrypt($_GET["s"], "SessionKey"));

// Reject the hand-off if more than 30 seconds have passed since login
if (time() - $_SESSION["Time"] > 30) {
    header("Location: http://$domain/login.php");
    unset($_SESSION["USERNAME"]);
    unset($_SESSION["PASSWORD"]);
} else {
    header("Location: http://$domain/index.php");
}
?>

Before you write this file, you have to set the following in the login page:

$_SESSION["Time"] = time();


The reason for setting this is to have the time on both sides. If the jump takes more than 30 seconds, the page can redirect to the login.php login page. That is awkward for customers with a slow connection, but it also guards against the case where the URL was obtained by someone else: if that person does not use it within 30 seconds, it times out and they have to log in again.

$_SESSION["USERNAME"] and $_SESSION["PASSWORD"] are the user name and password the user has to enter at login. They are unset because, if your URL is obtained, the person is sent to the login.php page after more than 30 seconds, but the values passed into the session are still valid: they only need to change login.php at the end of the URL to index.php, and they are logged in all the same.
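
The URL hand-off described above, rebuilt as an added example that is not the article's code: the XOR routine in fun.php carries no integrity check and unserialize() on a URL parameter rebuilds whatever the sender encoded, so this version uses AES-256-GCM from PHP's OpenSSL extension (PHP 7.1 or later), JSON, and the same 30-second window. The function names, the claim layout and the demo values are assumptions.

```php
<?php
// Added example, not the article's code. Function names and claim layout are hypothetical.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    return base64_decode(strtr($txt, '-_', '+/'), true);   // false on invalid input
}

// Seal only the claims the target site needs; never a password.
function handoff_seal(array $claims, string $key, int $now): string {
    $claims['iat'] = $now;                  // issue time, checked on open
    $iv  = random_bytes(12);                // fresh 96-bit GCM nonce per token
    $tag = '';
    $ct  = openssl_encrypt(json_encode($claims), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return b64url_encode($iv . $tag . $ct); // URL-safe, no urlencode needed
}

// Returns the claims, or null if the token is malformed, altered or stale.
function handoff_open(string $token, string $key, int $now, int $maxAge = 30): ?array {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 29) {   // 12-byte IV + 16-byte tag + data
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $json = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($json === false) {                       // authentication tag did not verify
        return null;
    }
    $claims = json_decode($json, true);          // plain data, no object instantiation
    if (!is_array($claims) || !is_int($claims['iat'] ?? null)) {
        return null;
    }
    $age = $now - $claims['iat'];
    return ($age >= 0 && $age <= $maxAge) ? $claims : null;
}

// Constructed demo values; in real use $now is time() and $key is a secret shared by both sites.
$key   = random_bytes(32);
$token = handoff_seal(['UserID' => 42, 'username' => 'alice'], $key, 1700000000);
var_dump(handoff_open($token, $key, 1700000010));          // opened 10 s after issue
var_dump(handoff_open($token, $key, 1700000100));          // opened 100 s after issue
$bad = $token; $bad[20] = ($bad[20] === 'A') ? 'B' : 'A';  // one character altered in transit
var_dump(handoff_open($bad, $key, 1700000010));
```

On the receiving page a null result is the case for redirecting to login.php, in the same place where the enhanced process.php checks the timestamp.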


