2015-04-23 12:16:58
Today, while checking the project deployed on SAE, I happened to look at the SAE logs and found several abnormal requests for the verification code, so I decided to build a function that prevents the verification code from being crawled. This feature prevents verification codes from being stolen and decrypted, and guards against unwanted malicious attacks and hacks.
The idea is as follows:
Validate the access link before the verification code generation class is called.
1. Verify that the access comes from a page.
2. Then verify the access address.
Steps to resolve:
1. Using PHP features to determine directly whether the verification code was requested from a page is basically unrealistic; PHP does not seem to have this function (I did not find one). So we can only make the judgment indirectly with PHP, and here we use the session to verify whether the request comes from a page. Because very few pages need a verification code, there are not many places where we have to set the session value, so this is relatively acceptable.
2. Verifying the access address is relatively simple: we can use the $_SERVER array provided by PHP to get the access address.
3. Set the validation value in the session after the verification code is generated, so that the check can no longer pass the next time.
The specific code (this only provides one idea; you can modify it according to your needs):
For example:
1. Set $_SESSION['check'] = true on the page that needs to load the verification code (or in the Controller layer function).
2. Call the validation before calling the verification code generation.
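One way to implement the check described in the steps above, as an added example in PHP that is not the original author's code. The function name captcha_request_allowed, the use of HTTP_REFERER and HTTP_HOST as the "access address", and the loopback exception for local access are assumptions.

```php
<?php
// Added example, not the original author's code.
// Assumed: function name, the $_SERVER keys used, and the loopback exception.
//
// On the page (or controller action) that renders the form with the captcha:
//   session_start();
//   $_SESSION['check'] = true;

function captcha_request_allowed(array $session, array $server): bool
{
    // Local access is allowed (assumption: requests from loopback are local testing).
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '127.0.0.1' || $remote === '::1') {
        return true;
    }

    // Step 1: the request must follow a page view that set the session flag.
    if (empty($session['check'])) {
        return false;
    }

    // Step 2: the referring page must be on the same host as this endpoint.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $ownHost = strtok($server['HTTP_HOST'] ?? '', ':'); // drop any port
    if (!is_string($refHost) || $ownHost === false) {
        return false;
    }
    return strcasecmp($refHost, $ownHost) === 0;
}

// Captcha endpoint: validate before calling the generation class.
session_start();
if (!captcha_request_allowed($_SESSION, $_SERVER)) {
    http_response_code(403);
    exit;
}

// ... call the existing verification code generation class here ...

// Step 3: clear the flag after generation so the next direct request fails
// until a real page view sets it again.
$_SESSION['check'] = false;
```

The Referer header is supplied by the client and can be forged, so the one-time session flag is the control that actually gates the request; the address comparison only filters out the simplest direct fetches.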
With basically these two steps, you can restrict access to the verification code. In this example, the verification code is displayed when the site is visited normally from the external network, but accessing or crawling the verification code directly from the external network is denied, while access from the local machine works normally.
[Screenshots: native (local) access; external network access; external network access (login)]