Small moves in php to prevent forgery of cross-site requests
Source: Internet
Author: User
It is difficult to prevent the forgery of cross-site requests, and the danger is huge. attackers can use this method to prank, send spam information, and delete data. Cross-Site Request Forgery
It is difficult to prevent the forgery of cross-site requests, and the danger is huge. attackers can use this method to prank, send spam information, and delete data. Common forms of such attacks include:
Counterfeit links to entice users to click, or allow users to access without knowledge
Counterfeit forms to lure users into submitting. Forms can be hidden and disguised as images or links.
A common and inexpensive precaution is to add a random and frequently changed string to all forms that may involve user write operations, then, check the string when processing the form. If this random string is associated with the current user identity, it will be troublesome for attackers to forge requests.
Yahoo's solution to counterfeit cross-site requests is to add a random string named. crumb to the form. facebook also has a similar solution, in which there are usually post_form_id and fb_dtsg.
Random string code implementation
We follow this idea to implement a crumb. the code is as follows:
The code is as follows:
Class Crumb {
Const salt = "your-secret-salt ";
Static $ ttl = 7200;
Static public function challenge ($ data ){
Return hash_hmac ('md5', $ data, self: SALT );
}
Static public function issueCrumb ($ uid, $ action =-1 ){
$ I = ceil (time ()/self: $ ttl );
Return substr (self: challenge ($ I. $ action. $ uid),-12, 10 );
}
Static public function verifyCrumb ($ uid, $ crumb, $ action =-1 ){
$ I = ceil (time ()/self: $ ttl );
If (substr (self: challenge ($ I. $ action. $ uid),-12, 10) = $ crumb |
Substr (self: challenge ($ I-1). $ action. $ uid),-12, 10) ==$ crumb)
Return true;
Return false;
}
}
In the code, $ uid indicates the unique identifier of the user, and $ ttl indicates the validity period of the random string.
Application example
Construct a form
Insert a hidden random string crumb into the form.
The code is as follows:
Process form demo. php
Check crumb
The code is as follows:
If (Crumb: verifyCrumb ($ uid, $ _ POST ['Crumb']) {
// Process the form according to the normal process
} Else {
// Crumb verification failed, error prompt process
}
?>
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
