A few notes on user login cookie information security
We all know that after a user logs in, the user information is usually saved in a cookie. Because the cookie is stored on the client, and the client can freely change cookies in the browser, the cookie is in danger of being forged, and a forged cookie could log the forger into any user's account.
Let's talk about the usual ways to keep user login cookie information secure:
I. Cookie information encryption method
The cookie information encryption method encrypts the user information and stores the ciphertext in the cookie. A forger who obtains the cookie can then only replay it for as long as the cookie is valid and cannot alter or fabricate the user information inside it.
The encryption function is attached here. Only the tail of the function survived on this page (it is the widely copied Discuz authcode() function; its head, which derives $keya, $keyb and $keyc from $key and runs the RC4-style keystream loop that produces $result, is missing, so what follows is the verification and output stage plus the usage lines):

<?php
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    // ... key derivation and keystream loop producing $result (not on this page) ...

    if ($operation == 'DECODE') {
        // Accept only if the embedded expiry is 0 or still in the future and the
        // 16-character MD5 check value matches the recovered plaintext.
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
            && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        // Save the dynamic key in the ciphertext: this is why the same plaintext
        // produces different ciphertext each time and can still be decrypted.
        // The ciphertext may contain special characters that get lost when copied,
        // so it is base64-encoded.
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

$str = 'abcdef';
$key = 'www.phpskill.com';
echo $jm = authcode($str, 'ENCODE', $key, 0); // encrypt
echo "\n";
echo authcode($jm, 'DECODE', $key, 0);        // decrypt
?>
With this in place, the cookie holding the user information is set like this and cannot be forged:

<?php
$user = array("uid" => $uid, "username" => $username);
$user = base64_encode(serialize($user));
$user = authcode($user, 'ENCODE', $key, 0); // encrypt with the function above
setcookie("user", $user, time() + 3600 * 24);
?>
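The following is an added example, my own code and not code from the original post, that implements the same design as section I (a random per-cookie value, an embedded expiry and an integrity check) with an authenticated cipher instead of the truncated-MD5 check and RC4-style keystream used by authcode(). It assumes PHP 7.2 or later with the sodium extension; the secret 'www.phpskill.com' is taken from the post and stretched into a 32-byte key, and the function names, the sample uid 42 and the username 'alice' are all mine.

```php
<?php
// Added example (not from the original post): authenticated encryption of the
// login cookie with libsodium. Assumes PHP >= 7.2 with ext/sodium.

// Assumed secret; in production load a random 32-byte key from configuration.
const COOKIE_KEY_PASSPHRASE = 'www.phpskill.com';

function cookie_key(): string {
    // Derive a fixed 32-byte secretbox key from the configured secret.
    return hash('sha256', COOKIE_KEY_PASSPHRASE, true);
}

// Seal user data into a cookie value: base64url(nonce . secretbox(expiry . json)).
// The expiry sits inside the sealed message, so it is authenticated as well.
function seal_user_cookie(array $user, int $ttl): string {
    $expiry = time() + $ttl;
    $plain  = json_encode($user);          // json, not serialize(): nothing to unserialize on the way back
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box    = sodium_crypto_secretbox(pack('J', $expiry) . $plain, $nonce, cookie_key());
    return rtrim(strtr(base64_encode($nonce . $box), '+/', '-_'), '=');
}

// Open a cookie value; returns the user array, or null if it is forged,
// truncated or expired.
function open_user_cookie(string $cookie): ?array {
    $b64 = strtr($cookie, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES + 8;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $msg   = sodium_crypto_secretbox_open($box, $nonce, cookie_key());
    if ($msg === false) {
        return null;   // any modified byte fails the Poly1305 tag check
    }
    $expiry = unpack('J', substr($msg, 0, 8))[1];
    if ($expiry < time()) {
        return null;   // expired
    }
    $user = json_decode(substr($msg, 8), true);
    return is_array($user) ? $user : null;
}

// At login (sample values are constructed):
$cookie = seal_user_cookie(['uid' => 42, 'username' => 'alice'], 3600 * 24);
setcookie('user', $cookie, time() + 3600 * 24, '/', '', true, true); // Secure + HttpOnly

// On later requests:
$user = open_user_cookie($_COOKIE['user'] ?? $cookie);
var_dump($user);                 // array with uid 42 and username alice

// Tamper check: changing a single character makes open_user_cookie() return null.
$tampered = $cookie;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(open_user_cookie($tampered)); // NULL
```

The cookie value carries no MD5 at all: the secretbox tag covers the expiry and the JSON body together, the nonce from random_bytes() plays the role that $keyc plays in authcode(), and the expiry check happens only after the tag has verified, so an expired cookie cannot be "un-expired" by editing the timestamp.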
II. Protecting cookies with a token
<?php
$hash        = md5($uid . time());   // token value
$hash_expire = time() + 3600 * 24;   // the token is valid for one day
$user = array("uid" => $uid, "username" => $username, "hash" => $hash);
$user = base64_encode(serialize($user));
setcookie("user", $user, $hash_expire);
?>

$hash and $hash_expire are stored in the member table, in the hash and hash_expire fields (they can also be stored in NoSQL or in the session). If a user forges the cookie, the hash cannot be forged: a forged hash will not match the one in the database. On each login, the hash value is not updated while hash_expire is still valid; it is only regenerated once it has expired.
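The following is an added example, my own code and not the post's, that carries the token scheme of section II through to the verification step the text describes but does not show. It assumes PDO with the sqlite driver (an in-memory database stands in for the member table), keeps the post's table and column names (member, uid, hash, hash_expire), and the function names, the uids 42 and 1 and the usernames are constructed for the demo.

```php
<?php
// Added example (not from the original post): server-side login token with a
// real store and a verification routine. Assumes PDO + sqlite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (uid INTEGER PRIMARY KEY, username TEXT, hash TEXT, hash_expire INTEGER)');
$db->exec("INSERT INTO member (uid, username) VALUES (42, 'alice'), (1, 'admin')"); // constructed rows

const TOKEN_TTL = 3600 * 24; // one day, as in the post

// Called at login: keep the stored token while hash_expire is in the future,
// otherwise mint a new one (the renewal rule the post describes).
function issue_login_token(PDO $db, int $uid): string {
    $stmt = $db->prepare('SELECT hash, hash_expire FROM member WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown uid');
    }
    if (!empty($row['hash']) && (int)$row['hash_expire'] > time()) {
        return $row['hash'];                 // still valid: reuse
    }
    $token  = bin2hex(random_bytes(32));     // unguessable, unlike md5($uid . time())
    $expire = time() + TOKEN_TTL;
    $upd = $db->prepare('UPDATE member SET hash = :h, hash_expire = :e WHERE uid = :uid');
    $upd->execute([':h' => $token, ':e' => $expire, ':uid' => $uid]);
    return $token;
}

// Same cookie layout as the post, with json instead of serialize().
function make_user_cookie(int $uid, string $username, string $token): string {
    return base64_encode(json_encode(['uid' => $uid, 'username' => $username, 'hash' => $token]));
}

// Called on every request: uid and username from the cookie are trusted only if
// the hash matches the one stored for that uid and it has not expired.
function verify_user_cookie(PDO $db, string $cookie): ?array {
    $data = json_decode(base64_decode($cookie, true) ?: '', true);
    if (!is_array($data) || !isset($data['uid'], $data['hash'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, hash, hash_expire FROM member WHERE uid = :uid');
    $stmt->execute([':uid' => (int)$data['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || empty($row['hash']) || (int)$row['hash_expire'] < time()) {
        return null;                         // no such user, no token, or expired
    }
    if (!hash_equals($row['hash'], (string)$data['hash'])) {
        return null;                         // forged or stale token
    }
    // Return the server-side identity, not the client-supplied username.
    return ['uid' => (int)$data['uid'], 'username' => $row['username']];
}

// Login:
$token  = issue_login_token($db, 42);
$cookie = make_user_cookie(42, 'alice', $token);
setcookie('user', $cookie, time() + TOKEN_TTL, '/', '', true, true);

// Later requests: the genuine cookie verifies; forged ones do not.
var_dump(verify_user_cookie($db, $cookie));                                 // uid 42, alice
var_dump(verify_user_cookie($db, make_user_cookie(1, 'admin', $token)));   // NULL: token is alice's, not admin's
var_dump(verify_user_cookie($db, make_user_cookie(42, 'alice', 'guess'))); // NULL: wrong token
```

Two points follow from the post's rule that the token is reused across logins until hash_expire passes: the token must then be kept in clear in the member table, and md5($uid . time()) is guessable to within a second by anyone who knows the uid and roughly when the user logged in, which is why the example draws it from random_bytes() instead. If you prefer to mint a fresh token on every login, you can store only its SHA-256 and compare hashes in verify_user_cookie(), so that a leaked member table does not hand out live sessions.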
PHP Pure Technology Group: 323899029
Original reproduced from: http://www.phpskill.com/html/show-1-4424-1.html
Reproduced at: http://www.bkjia.com/PHPjc/949211.html