This article introduces a PHP token design; if you are interested in the PHP tutorial, refer to it. Reprinted from: http://www.jb51.net/article/13756.htm
Design goals of the PHP token: avoid repeated data submission, check whether a submission came from outside the site, and check whether the submitted form matches the action to be executed (if one page implements several logics, such as add, delete and modify, they are placed in a single PHP file). The token discussed here is a hidden FORM item (type=hidden) written into the FORM when the page is displayed. The token must not be plain text; plain text would be too dangerous, so it is encrypted with some reversible scheme, since the ciphertext has to be decrypted again on submission. My own algorithm was crude, so I adopted a ready-made method found on the Internet.
How to avoid repeated submission?
Store an array in the SESSION holding the tokens that have already been submitted successfully. When processing in the background, first check whether the submitted token is already in this array; if it is, this is a repeated submission.
How to check where the submission came from?
This is optional. The current session_id is embedded in the token when it is generated. If someone else copies your HTML (including the token) and submits it, the session_id contained in the token will not equal the current session_id at submission time, so you can determine that this is an external submission.
How to match the action to be executed?
When the token is generated, the action name of the form is written into it. During processing the action name can then be parsed out of the token and compared with the action being executed.
GEncrypt.inc.php:
Methods:
(1) granteToken. Parameters: formName, the action name; key, the encryption/decryption key.
Returns an encrypted string of the form encrypt(formName:session_id).
(2) isToken. Parameters: token, the string produced by granteToken; formName, the action name; fromCheck, a boolean; if it is true, the session_id inside the token is also compared with the current session_id.
(3) dropToken: when an action has been executed successfully, call this function to record the token in the session.
GToken.inc.php:
Retrieve the token from $_POST and use isToken to validate it.
To confirm that the action check works, change the formName passed to isToken and run it again: the token no longer matches, which shows the check is effective.
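The following is an added example of the three methods described above (granteToken, isToken, dropToken) together with the $_POST check of GToken.inc.php; it is not the reprinted article's own GEncrypt.inc.php. The cipher is this example's choice: AES-256-CBC with an HMAC tag, so a token that has been altered is rejected before its contents are trusted; the session array name used_tokens is an assumption.

```php
<?php
// Added example: token in the article's format "formName:session_id",
// reversibly encrypted (AES-256-CBC) and integrity-protected (HMAC-SHA256).

function granteToken(string $formName, string $key): string {
    $plain  = $formName . ':' . session_id();
    $iv     = random_bytes(16);
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', hash('sha256', $key, true),
                              OPENSSL_RAW_DATA, $iv);
    $mac    = hash_hmac('sha256', $iv . $cipher, $key, true);
    return base64_encode($iv . $cipher . $mac);
}

// Returns the "formName:session_id" string, or null if the token is malformed or tampered.
function decryptToken(string $token, string $key): ?string {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) return null;
    $mac  = substr($raw, -32);
    $body = substr($raw, 0, -32);
    if (!hash_equals(hash_hmac('sha256', $body, $key, true), $mac)) return null;
    $plain = openssl_decrypt(substr($body, 16), 'aes-256-cbc', hash('sha256', $key, true),
                             OPENSSL_RAW_DATA, substr($body, 0, 16));
    return $plain === false ? null : $plain;
}

function isToken(string $token, string $formName, string $key, bool $fromCheck = true): bool {
    // Repeated submission: token already recorded by dropToken.
    if (in_array($token, $_SESSION['used_tokens'] ?? [], true)) return false;
    $plain = decryptToken($token, $key);
    if ($plain === null) return false;
    $pos = strrpos($plain, ':');          // session_id contains no ':'; formName might
    if ($pos === false) return false;
    $action = substr($plain, 0, $pos);
    $sid    = substr($plain, $pos + 1);
    if ($action !== $formName) return false;                          // wrong action
    if ($fromCheck && !hash_equals(session_id(), $sid)) return false; // external submission
    return true;
}

function dropToken(string $token): void {
    $_SESSION['used_tokens'][] = $token;
}

// Role of GToken.inc.php: validate the posted token for the "add" action, then record it.
session_start();
$key   = 'replace-with-a-server-side-secret';  // placeholder
$token = $_POST['token'] ?? '';
if (isToken($token, 'add', $key)) {
    // ... perform the add action ...
    dropToken($token);
}
```

Rendering the form with `<input type="hidden" name="token" value="<?= htmlspecialchars(granteToken('add', $key)) ?>">` produces the hidden item the article describes.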
The above introduces the PHP token design and its contents; I hope it is helpful to readers interested in the PHP tutorial.