PHPToken (token) design

Source: Internet
Author: User
This article mainly introduces the PHPToken (token) design; if you are interested in the PHP tutorial, refer to it. Reprinted link: http://www.jb51.net/article/13756.htm

PHP Token design goals: avoid repeated data submission, and check whether an external submission matches the action to be executed (if several operations such as add, delete and modify are handled by the same PHP file, the token tells them apart). The token discussed here is a hidden FORM field (type = hidden) written into the FORM when the page is rendered. The token cannot be plain text; sending it in the clear is too dangerous, so some encryption method must be used, and the ciphertext must be reversible so the token can be parsed again on submission. The algorithm is very idiotic, so I adopted a ready-made method from the Internet.

How to avoid repeated submission?
Store an array in the SESSION holding the tokens that have already been submitted successfully. When processing in the background, first check whether the submitted token is in this array; if it is, this is a repeated submission.
How do I check the route (where the submission came from)?
Optional. The current session_id is included when the token is generated. If someone else copies your HTML, token included, the session_id contained in the token will in theory not equal the current session_id at submission time, so you can determine that the submission is an external commit.
How to match the action to be executed?
When generating the token, write the action name into it. The handler can then parse the action out of the token and compare it with the action it is about to execute.

GEncrypt.inc.php:

Method:
(1) granteToken: parameters formName (the action name) and key (the encryption/decryption key). Returns an encrypted string of the form encryption(formName:session_id).
(2) isToken: parameters token (the result produced by granteToken), formName (the action name) and fromCheck. If fromCheck is true, it also checks whether the session_id inside the token is the same as the current session_id.
(3) dropToken: when an action has been executed successfully, call this function to record the token in the session.

GToken.inc.php:


Retrieve the token from $_POST and use isToken to check it.

If you want to confirm that the action check works, change the formName passed to isToken and run it again: the token no longer matches and the check fails, which proves the action matching is effective.
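As an added example that is not part of the reprinted article or its GEncrypt/GToken files, here is the same three-part check (repeat detection, session binding, action match) in PHP 7.1+. It swaps the reversible cipher for an HMAC (hash_hmac) over the action name, a per-render nonce and the current session_id, so the session id never has to be placed in the page; the function names, the session slot name `used_tokens` and the `$key` secret are assumptions.

```php
<?php
// Added example, not the article's code. Assumes session_start() has
// already run and $key is a server-side secret loaded from configuration.

const USED_TOKENS_KEY = 'used_tokens';   // assumed session slot name

// Build the hidden-field token for one form: mac:nonce:formName.
// The MAC covers the current session id, so it only verifies in this session.
function granteToken(string $formName, string $key): string
{
    $nonce = bin2hex(random_bytes(16));  // fresh per render, so every submission is distinct
    $mac   = hash_hmac('sha256', "$nonce:$formName:" . session_id(), $key);
    return "$mac:$nonce:$formName";      // session id itself is never written into the page
}

// Verify a submitted token: valid MAC for this session, expected action,
// and not already consumed. Returns false on any failure.
function isToken(string $token, string $formName, string $key): bool
{
    $parts = explode(':', $token, 3);    // formName may itself contain ':'; it is the last part
    if (count($parts) !== 3) {
        return false;
    }
    [$mac, $nonce, $action] = $parts;
    if ($action !== $formName) {
        return false;                    // token was issued for a different action
    }
    $expected = hash_hmac('sha256', "$nonce:$action:" . session_id(), $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;                    // forged, or generated in another session (external commit)
    }
    $used = $_SESSION[USED_TOKENS_KEY] ?? [];
    return !in_array($token, $used, true); // already recorded => repeated submission
}

// Record a token once its action succeeded, so a resubmission is rejected.
function dropToken(string $token): void
{
    $_SESSION[USED_TOKENS_KEY][] = $token;
}

// Handler side (constructed usage): $key would come from configuration.
// $token = $_POST['token'] ?? '';
// if (isToken($token, 'add_user', $key)) {
//     // ... perform the add ...
//     dropToken($token);
// }
```

Because the nonce changes on every render, the used-token list only blocks a resend of the same form instance, not later legitimate submissions of the same form in the same session.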

The above introduces the PHP Token design and its contents; I hope it is helpful to friends who are interested in the PHP tutorial.
