Php user login cookie information security analysis, user login cookie

Source: Internet
Author: User

This article looks at the information security of the cookie that PHP sets when a user logs in. It is shared here for your reference; the details are as follows:

We all know that after a user logs in, the user's information is usually stored in a cookie. Because the cookie is kept on the client, and the client can freely edit it in the browser, the cookie can be forged, and whoever forges it can log on to any user's account.

The following describes some common methods of protecting the user login cookie:

I. cookie Information Encryption Method

The cookie information encryption method encrypts the user information with an encryption function and then stores the result in the cookie. This way, even if someone obtains the cookie, they can only use it as-is within its validity period; the information inside the cookie cannot be forged.

An encryption function is attached here:

<?php
function authcode($string, $operation = 'decode', $key = '', $expiry = 0) {
    // Length of the dynamic key: the same plaintext yields a different ciphertext each time
    $ckey_length = 4;
    // Key
    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);
    // Key a takes part in encryption and decryption
    $keya = md5(substr($key, 0, 16));
    // Key b is used for the data integrity check
    $keyb = md5(substr($key, 16, 16));
    // Key c is used to vary the generated ciphertext
    $keyc = $ckey_length ? ($operation == 'decode' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    // Key that drives the keystream
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    // Plaintext layout: the first 10 bytes hold the expiry timestamp (checked on decode),
    // bytes 10 to 26 hold a digest derived from $keyb (used for the integrity check on decode).
    // On decode, the first $ckey_length bytes of the ciphertext hold the dynamic key,
    // so the real ciphertext starts after them.
    $string = $operation == 'decode'
        ? base64_decode(substr($string, $ckey_length))
        : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    // Build the key schedule
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Shuffle the box with a fixed algorithm (RC4-style key scheduling).
    // It looks complicated, but in fact it adds no cipher strength on its own.
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Core encryption/decryption loop
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        // XOR each input byte with a byte drawn from the box and convert it back to a character
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'decode') {
        // Check expiry and integrity; see the plaintext layout described above
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
            && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        // Prepend the dynamic key to the ciphertext; this is why different ciphertexts
        // of the same plaintext all decrypt correctly. The ciphertext is base64-encoded
        // (with '=' padding stripped) because raw bytes may be mangled when copied.
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

$str = 'abcdef';
$key = 'www.jb51.net';
echo $jm = authcode($str, 'encode', $key, 0); // encrypt
echo "\n";
echo authcode($jm, 'decode', $key, 0); // decrypt
?>

Used this way, the user information cookie cannot be forged:

<?php
$user = array("uid" => $uid, "username" => $username);
$user = base64_encode(serialize($user));
$user = authcode($user, 'encode', 'www.jb51.net', 0); // encrypt
setcookie("user", $user, time() + 3600 * 24);
?>
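As an added example (not code from the original article), here is the cookie layout that authcode() implements, expiry plus an integrity tag plus a random per-cookie value, rebuilt on PHP's bundled libsodium authenticated encryption, together with the read-and-verify side the article does not show. Function names, the JSON payload, the PHP >= 7.3 setcookie options array and the key generated on the spot are assumptions; a real key is loaded from server-side configuration.

```php
<?php
// Added example, not the article's code: authenticated cookie with libsodium (PHP >= 7.2).
const COOKIE_NAME = 'user';

function issue_user_cookie(string $key, int $uid, string $username, int $ttl = 86400): string {
    // The payload carries its own expiry, so the server never relies on the browser's cookie expiry.
    $payload = json_encode(['uid' => $uid, 'username' => $username, 'exp' => time() + $ttl]);
    // A random nonce plays the role of authcode()'s $keyc: same plaintext, different ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox encrypts and appends a MAC, so any modified byte fails verification.
    $box = sodium_crypto_secretbox($payload, $nonce, $key);
    return rtrim(strtr(base64_encode($nonce . $box), '+/', '-_'), '=');
}

function read_user_cookie(string $key, string $cookie): ?array {
    $raw = base64_decode(strtr($cookie, '-_', '+/'), true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $payload = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($payload === false) {
        return null; // forged or tampered: the MAC check failed
    }
    // JSON rather than unserialize(): nothing in the decoded data can instantiate objects.
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null; // expired
    }
    return $data;
}

$key = sodium_crypto_secretbox_keygen(); // constructed for the demo; persist a real key server-side
$cookie = issue_user_cookie($key, 42, 'alice');
// HttpOnly keeps scripts away from the cookie, Secure keeps it off plain HTTP.
setcookie(COOKIE_NAME, $cookie, ['expires' => time() + 86400, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(read_user_cookie($key, $cookie)['uid']); // int(42)
// Flip one character of the cookie: decryption must fail instead of returning altered data.
$tampered = substr_replace($cookie, $cookie[5] === 'A' ? 'B' : 'A', 5, 1);
var_dump(read_user_cookie($key, $tampered)); // NULL
```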

II. Use an encryption token to protect cookies

$hash = md5($uid . time()); // encryption token value
$hash_expire = time() + 3600 * 24; // the encryption token is valid for one day
$user = array("uid" => $uid, "username" => $username, "hash" => $hash);
$user = base64_encode(serialize($user));
setcookie("user", $user, $hash_expire);

Save $hash and $hash_expire to the hash and hash_expire fields of the member table (they can also be kept in NoSQL or in the session).

When a user forges the cookie, the hash cannot be forged along with it: the forged hash will not match the one in the database.

Each time a user logs in, the hash is not regenerated while hash_expire is still in the future; it is regenerated only after it has expired.
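The token method of this section worked end to end, as an added example that is not the article's code: an in-memory SQLite member table (PDO sqlite driver assumed), issuing the token on login with reuse until expiry, and checking every presented cookie against the stored row. The table and column names follow the article; the function names and the random token in place of md5($uid . time()) are my assumptions.

```php
<?php
// Added example, not the article's code: server-side login token checked against the member table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (uid INTEGER PRIMARY KEY, username TEXT, hash TEXT, hash_expire INTEGER)');
$db->exec("INSERT INTO member (uid, username) VALUES (7, 'alice')"); // constructed sample row

// On login: reuse the stored hash while it is still valid, issue a new one only after expiry.
function login_issue_cookie(PDO $db, int $uid): string {
    $stmt = $db->prepare('SELECT username, hash, hash_expire FROM member WHERE uid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row['hash'] === null || $row['hash_expire'] < time()) {
        // random_bytes instead of md5($uid . time()): the latter is guessable from the uid and the clock.
        $row['hash'] = bin2hex(random_bytes(16));
        $row['hash_expire'] = time() + 3600 * 24;
        $upd = $db->prepare('UPDATE member SET hash = ?, hash_expire = ? WHERE uid = ?');
        $upd->execute([$row['hash'], $row['hash_expire'], $uid]);
    }
    $user = ['uid' => $uid, 'username' => $row['username'], 'hash' => $row['hash']];
    return base64_encode(json_encode($user)); // JSON instead of serialize(): nothing executable on decode
}

// On each request: trust the cookie only if its hash matches the database row and is unexpired.
function verify_cookie(PDO $db, string $cookie): ?array {
    $user = json_decode(base64_decode($cookie, true) ?: '', true);
    if (!is_array($user) || !isset($user['uid'], $user['hash'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, hash, hash_expire FROM member WHERE uid = ?');
    $stmt->execute([(int)$user['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals: constant-time comparison, no early exit at the first differing byte
    if (!$row || $row['hash'] === null || !hash_equals($row['hash'], (string)$user['hash'])
        || $row['hash_expire'] < time()) {
        return null;
    }
    return ['uid' => (int)$user['uid'], 'username' => $row['username']];
}

$cookie = login_issue_cookie($db, 7);
var_dump(verify_cookie($db, $cookie)['username']); // string(5) "alice"
// A forged cookie with the right uid but a made-up hash is rejected.
$forged = base64_encode(json_encode(['uid' => 7, 'username' => 'alice', 'hash' => str_repeat('0', 32)]));
var_dump(verify_cookie($db, $forged)); // NULL
```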
