PHP user login cookie information security analysis


This article analyses how to keep the user information stored in a PHP login cookie secure. It is shared for your reference; the details are as follows:

As we all know, after a user logs in, the user information is usually kept in a cookie. Because the cookie is stored on the client, and the client can freely change cookies in the browser, there is a risk that the user cookie is forged, and a forged cookie could allow logging in to any user's account.

Let's look at the usual ways of protecting the user login information kept in cookies:

First, encrypting the cookie information

With this method the user information is encrypted before it is stored in the cookie, so that someone who obtains the cookie can only reuse it within the cookie's lifetime and cannot alter its contents to forge user information.

The encryption function, authcode, is given here:

<?php
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    // Dynamic key length: the same plaintext yields different ciphertext thanks to the dynamic key
    $ckey_length = 4;
    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);
    // Key A takes part in encryption and decryption
    $keya = md5(substr($key, 0, 16));
    // Key B is used for data integrity validation
    $keyb = md5(substr($key, 16, 16));
    // Key C is used to vary the generated ciphertext
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    // The key that takes part in the computation
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    // Plaintext layout: bytes 0-9 hold the expiry timestamp (checked when decrypting), bytes 10-25 hold a digest keyed
    // with $keyb (integrity check). When decoding, skip the first $ckey_length bytes, which hold the dynamic key.
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) { // generate the key book
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Shuffle the key book with a fixed algorithm; it looks complex but does not add strength to the ciphertext
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Core encryption/decryption part
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        // Take a key byte from the key book, XOR it with the data byte and convert back to a character
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        // Validate the data against the plaintext layout: expiry is 0 or in the future, and the digest matches
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        // Keep the dynamic key in the ciphertext, which is why the same plaintext gives different ciphertexts that
        // can still be decrypted. Raw ciphertext may contain special characters lost when copied, hence base64.
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
$str = 'abcdef';
$key = 'www.jb51.net';
echo $jm = authcode($str, 'ENCODE', $key, 0); // encrypt
echo "\n";
echo authcode($jm, 'DECODE', $key, 0); // decrypt
?>

With it, the user-information cookie can be set in a way that cannot be forged:

<?php
$user = array("uid" => $uid, "username" => $username);
$user = base64_encode(serialize($user));
$user = authcode($user, 'ENCODE', 'www.jb51.net', 0); // encrypt
setcookie("user", $user, time() + 3600 * 24);
?>
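The same goal (a cookie whose contents cannot be altered and which stops working after its expiry) can be reached with standard PHP primitives instead of authcode's custom stream cipher and truncated MD5 digest. The following is an added example written for this page, not code from the original article: it signs the cookie payload with HMAC-SHA256 and checks the signature with hash_equals() before anything is decoded. The names COOKIE_SECRET, make_user_cookie() and read_user_cookie() are assumptions, the secret is a constructed placeholder, and the payload is JSON rather than serialize() output, because unserialize() on data that arrives from the client is itself a risk.

```php
<?php
// Added example, not part of the original article. Assumed names: COOKIE_SECRET,
// make_user_cookie(), read_user_cookie(). The secret is a constructed placeholder;
// load a real one from configuration, never from source control.
const COOKIE_SECRET = 'constructed-placeholder-secret-replace-me';

// URL-safe base64 so the cookie value needs no quoting
function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): string {
    return base64_decode(strtr($enc, '-_', '+/')) ?: '';
}

// Build "payload.mac": the MAC covers the encoded payload, expiry included
function make_user_cookie(array $user, int $ttl, string $secret = COOKIE_SECRET): string {
    $payload = b64url_encode(json_encode(['u' => $user, 'exp' => time() + $ttl]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Return the user array, or null if the cookie is malformed, tampered with or expired
function read_user_cookie(string $cookie, string $secret = COOKIE_SECRET): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify before decoding anything; hash_equals() is a constant-time comparison
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $data = json_decode(b64url_decode($payload), true);
    if (!is_array($data) || !isset($data['u'], $data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data['u'];
}

// Constructed sample user
$cookie = make_user_cookie(['uid' => 42, 'username' => 'alice'], 3600 * 24);
// In the login handler: setcookie('user', $cookie, time() + 3600 * 24, '/', '', true, true);
var_dump(read_user_cookie($cookie));   // array with uid 42 and username "alice"

// Negative check: an edited payload with the old MAC must be rejected
[$payload, $mac] = explode('.', $cookie, 2);
$edited = b64url_encode(json_encode(['u' => ['uid' => 1, 'username' => 'alice'], 'exp' => time() + 3600])) . '.' . $mac;
var_dump(read_user_cookie($edited));   // NULL
```

The commented setcookie() call passes the Secure and HttpOnly flags, so the cookie is only sent over HTTPS and is not readable from page scripts; both are worth setting on any login cookie.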

Second, using an encrypted token to protect the cookie

$hash = md5($uid . time()); // token value
$hash_expire = time() + 3600 * 24; // the token is valid for one day
$user = array("uid" => $uid, "username" => $username, "hash" => $hash);
$user = base64_encode(serialize($user));
setcookie("user", $user, $hash_expire); // the cookie expires together with the token

$hash and $hash_expire are then stored in the corresponding hash and hash_expire fields of the member table; they can also be kept in NoSQL storage or in the session.

When a user forges a cookie, the hash cannot be forged: the fake hash will not match the one in the database.

On each login the hash value is not regenerated while hash_expire has not yet passed; it is only regenerated once it has expired.
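The server-side check that the article leaves implicit is the part that actually stops a forged cookie, so here is an added example of the whole token flow, written for this page and not taken from the original article. $members is a constructed in-memory stand-in for the member table (a real application would read and write it with PDO), and issue_login_token() and check_login_cookie() are assumed names. The token is generated with random_bytes() rather than md5($uid . time()), because a value derived from the uid and the clock can be guessed, and the stored token is reused until hash_expire has passed, exactly as described above. As in the previous example, the cookie payload is JSON rather than serialize() output.

```php
<?php
// Added example, not part of the original article. $members is a constructed
// in-memory stand-in for the member table; issue_login_token() and
// check_login_cookie() are assumed names.
$members = [
    42 => ['username' => 'alice', 'hash' => null, 'hash_expire' => 0],
];

// Issue the token stored in the member row. While the stored token is still valid it is
// reused; it is regenerated only once hash_expire has passed.
function issue_login_token(array &$members, int $uid, int $ttl = 3600 * 24): array {
    if (!isset($members[$uid])) {
        throw new RuntimeException('unknown uid');
    }
    $row = &$members[$uid];
    if ($row['hash'] === null || $row['hash_expire'] < time()) {
        // random_bytes() is unpredictable; md5($uid . time()) could be guessed from the uid and a clock
        $row['hash'] = bin2hex(random_bytes(16));
        $row['hash_expire'] = time() + $ttl;
    }
    return ['uid' => $uid, 'username' => $row['username'], 'hash' => $row['hash']];
}

// Resolve a cookie to a uid, or null when the hash does not match the stored one or has expired
function check_login_cookie(array $members, string $cookie): ?int {
    $data = json_decode(base64_decode($cookie, true) ?: '', true);
    if (!is_array($data) || !isset($data['uid'], $data['hash'])) {
        return null;
    }
    $uid = (int) $data['uid'];
    if (!isset($members[$uid]) || $members[$uid]['hash'] === null) {
        return null;
    }
    $row = $members[$uid];
    if ($row['hash_expire'] < time()) {
        return null;                                  // stored token expired; the user must log in again
    }
    if (!hash_equals($row['hash'], (string) $data['hash'])) {
        return null;                                  // cookie hash does not match the database
    }
    return $uid;
}

$cookie = base64_encode(json_encode(issue_login_token($members, 42)));
// In the login handler: setcookie('user', $cookie, $members[42]['hash_expire'], '/', '', true, true);
var_dump(check_login_cookie($members, $cookie));      // int(42)

// Negative check: a cookie with the right structure but a hash that is not the stored one
$bogus = base64_encode(json_encode(['uid' => 42, 'username' => 'alice', 'hash' => str_repeat('0', 32)]));
var_dump(check_login_cookie($members, $bogus));       // NULL
```

Because the lookup is keyed on the uid from the cookie, a mismatch on the hash tells you that someone presented a cookie for that account that the server never issued; logging those rejections is a cheap way to spot forgery attempts.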


I hope this article helps you with PHP program design.
