PHP User logon cookie Information security analysis, user login cookie
This paper describes the security of cookie information for PHP user login. Share to everyone for your reference, as follows:
We all know that after the user login, the user information will generally choose to save in the cookie, because the cookie is to save the client, and the cookie can be in the client with the browser freely change, which will cause the user cookie is counterfeit risk, This may allow the forgery of cookies to be logged to any user's account.
Let's talk about the usual. Ways to prevent users from logging on to cookie information security:
I. Cookie information encryption method
The cookie information encryption method encrypts the user information by encrypting it, and then the cookie is deposited so that the forger can only use the cookie for the duration of the cookie and cannot falsify the cookie information even if the cookie is obtained.
A cryptographic function is attached here:
<?phpfunction Authcode ($string, $operation = ' DECODE ', $key = ', $expiry = 0) {//dynamic key length, the same plaintext will generate different ciphertext is dependent on the dynamic key $ckey _length = 4; Key $key = MD5 ($key? $key: $GLOBALS [' Discuz_auth_key ']); Key A will participate in the encryption and decryption $keya = MD5 (substr ($key, 0, 16)); Key B will be used for data integrity verification $KEYB = MD5 (substr ($key, 16, 16)); Key C is used to change the generated ciphertext $KEYC = $ckey _length? ($operation = = ' DECODE '? substr ($string, 0, $ckey _length): substr (MD5 (Microtime ()),-$ckey _length)): "; Key to participate in the operation $cryptkey = $keya. MD5 ($keya. $KEYC); $key _length = strlen ($cryptkey); PlainText, the first 10 bits are used to save the timestamp, the decryption validation data validity, 10 to 26 bits to save $keyb (key B),//decryption will pass this key to verify the integrity of the data//if it is decoded, will start from the $ckey_length bit, because the ciphertext before $ckey_ The length bit holds the dynamic key to ensure that the decryption is correct $string = $operation = = ' DECODE '? Base64_decode (substr ($string, $ckey _length)): sprintf ('%010d ', $expiry? $expiry + Time (): 0). substr (MD5 ($string. $keyb ), 0, (+). $string; $string _length = strlen ($string); $result = "; $box = Range (0, 255); $rndkey = Array (); Generate key book for ($i = 0; $i <= 255; $i + +) {$rndkey [$i] = Ord($cryptkey [$i% $key _length]); }//using a fixed algorithm to disrupt the key book, to increase randomness, as if complex, actually does not increase the intensity of the ciphertext for ($j = $i = 0; $i < $i) {$j = ($j + $box [$i] + $rndkey [$i]) % 256; $tmp = $box [$i]; $box [$i] = $box [$j]; $box [$j] = $tmp; }//Core plus decryption section for ($a = $j = $i = 0; $i < $string _length; $i + +) {$a = ($a + 1)% 256; $j = ($j + $box [$a])% 256; $tmp = $box [$a]; $box [$a] = $box [$j]; $box [$j] = $tmp; The key is derived from the key book and then converted into a character $result. = Chr (ord ($string [$i]) ^ ($box [($box [$a] + $box [$j])% 256])); if ($operation = = ' DECODE ') {//Verify data validation, see the format of unencrypted plaintext if (substr ($result, 0, ten) = = 0 | | substr ($result, 0, ten)-Ti Me ()-0) &&substr ($result, ten, +) = = substr (MD5 (substr ($result, $keyb), 0,)) {return substr ($r Esult, 26); } else {return '; }} else {//To keep the dynamic key in ciphertext, which is why the same plaintext, the production of different ciphertext can be decrypted after the reason//because the encrypted ciphertext may be some special characters, the copy process may be lost, so the Base64 code return $KEYC. Str_ Replace (' = ', ' ', Base64_encode ($result)); }} $str = ' abcdef '; $key = ' Www.jb51.net '; Echo $jm = Authcode ($str, ' ENCODE ', $key, 0); Encrypt echo ""; Echo authcode ($JM, ' DECODE ', $key, 0); Decryption?>
This way, when you set a cookie for user information, you cannot forge it:
<?php$user = Array ("UID" =--> $uid, "username" = $username); $user = Base64_encode (serialize ($user)); $user = Authcode ($user, ' ENCODE ', ' www.jb51.net ', 0); Encrypt Setcookie ("User", $user, Time () +3600*24); >
Ii. protection of cookies with cryptographic tokens
$hash = MD5 ($uid. Time ());//encryption token value $hash_expire =time () +3600*24;//encryption token value is one day validity $user = Array ("uid" = = $uid, "username" = > $username, "hash" = $hash); $user = Base64_encode (serialize ($user)); Setcookie ("User", $user, $hash _expr);
Then $hash and $hash_expire into the member table in the hash and hash_expire corresponding fields, you can also deposit nosql,session
When a user forges a cookie, the hash cannot be forged, the fake hash and the inconsistency in the database
Each time the user logs in, this hash_expire validity period does not update the hash value, the expiration is updated
More readers interested in PHP related content can view the topic: "PHP Curl Usage Summary", "PHP operation and operator Usage Summary", "PHP Network Programming Skills Summary", "PHP Basic Grammar Introductory Tutorial", "PHP operation Office Document tips summary (including word, excel,access,ppt), "PHP Date and Time usage summary", "PHP primer for Object-oriented programming", "PHP String Usage Summary", "Getting Started with Php+mysql database operations" and "PHP Common Database Operations Skills Summary"
I hope this article is helpful to you in PHP programming.
http://www.bkjia.com/PHPjc/1127926.html www.bkjia.com true http://www.bkjia.com/PHPjc/1127926.html techarticle PHP User Login Cookie Information security analysis, user login Cookie This article explains the security of cookie information that PHP users log in. Share to everyone for your reference, as follows: everyone ...