用户登录之cookie信息安全小结-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

用户登录之cookie信息安全小结

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 01:02 PM

php

用户登录之cookie信息安全细节

大家都知道用户登陆后，用户信息一般会选择保存在cookie里面，因为cookie是保存客户端，
并且cookie可以在客户端用浏览器自由更改，这样将会造成用户cookie存在伪造的危险，从而可能使伪造cookie者登录任意用户的账户。

下面就说说平常一些防止用户登录cookie信息安全的方法：

一、cookie信息加密法

cookie信息加密法即用一种加密方法，加密用户信息，然后在存入cookie，这样伪造者即使得到cookie也只能在cookie有效期内对这个cookie利用，无法另外伪造cookie信息。

这里附上一个加密函数：

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {   

    // 动态密匙长度，相同的明文会生成不同密文就是依靠动态密匙   

    $ckey_length = 4;   
    // 密匙   

    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);   
    // 密匙a会参与加解密   

    $keya = md5(substr($key, 0, 16));   

    // 密匙b会用来做数据完整性验证   

    $keyb = md5(substr($key, 16, 16));   

    // 密匙c用于变化生成的密文   

    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): 

substr(md5(microtime()), -$ckey_length)) : '';   

    // 参与运算的密匙   

    $cryptkey = $keya.md5($keya.$keyc);   

    $key_length = strlen($cryptkey);   

    // 明文，前10位用来保存时间戳，解密时验证数据有效性，10到26位用来保存$keyb(密匙b)， 

//解密时会通过这个密匙验证数据完整性   

    // 如果是解码的话，会从第$ckey_length位开始，因为密文前$ckey_length位保存 动态密匙，以保证解密正确   

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) :  

sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;   

    $string_length = strlen($string);   

    $result = '';   

    $box = range(0, 255);   

    $rndkey = array();   

    // 产生密匙簿   

    for($i = 0; $i  0) &&  

substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {   

            return substr($result, 26);   

        } else {   

            return '';   

        }   

    } else {   

        // 把动态密匙保存在密文里，这也是为什么同样的明文，生产不同密文后能解密的原因   

        // 因为加密后的密文可能是一些特殊字符，复制过程可能会丢失，所以用base64编码   

        return $keyc.str_replace('=', '', base64_encode($result));   

    }   

} 



$str = 'abcdef'; 

$key = 'www.scutephp.com'; 

echo $jm = authcode($str,'ENCODE',$key,0); //加密 
echo "
";

echo authcode($jm ,'DECODE',$key,0); //解密

这样当设置用户信息的cookie时，就无法对其进行伪造：

$user = array("uid"=-->$uid,"username"=>$username);

$user = base64_encode(serialize($user));
$user =  authcode($user,'ENCODE','www.phpskill.com',0); //加密 
setcookie("user",$user,time()+3600*24);

二、用加密令牌对cookie进行保护

$hash = md5($uid.time());//加密令牌值
$hash_expire =time()+3600*24;//加密令牌值为一天有效期
$user = array("uid"=>$uid,"username"=>$username,"hash"=>$hash);

$user = base64_encode(serialize($user));

setcookie("user",$user,$hash_expr);

然后把$hash和$hash_expire 存入member表中hash和hash_expire对应字段中,也可以存入nosql，session

用户伪造cookie时，hash无法伪造,伪造的hash和数据库中的不一致

用户每次登陆，这个hash_expire有效期内不更新hash值，过期则更新

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP Email: Step-by-Step Sending GuideMay 09, 2025 am 12:14 AM

PHPisusedforsendingemailsduetoitsintegrationwithservermailservicesandexternalSMTPproviders,automatingnotificationsandmarketingcampaigns.1)SetupyourPHPenvironmentwithawebserverandPHP,ensuringthemailfunctionisenabled.2)UseabasicscriptwithPHP'smailfunct

How to Send Email via PHP: Examples & CodeMay 09, 2025 am 12:13 AM

The best way to send emails is to use the PHPMailer library. 1) Using the mail() function is simple but unreliable, which may cause emails to enter spam or cannot be delivered. 2) PHPMailer provides better control and reliability, and supports HTML mail, attachments and SMTP authentication. 3) Make sure SMTP settings are configured correctly and encryption (such as STARTTLS or SSL/TLS) is used to enhance security. 4) For large amounts of emails, consider using a mail queue system to optimize performance.

Advanced PHP Email: Custom Headers & FeaturesMay 09, 2025 am 12:13 AM

CustomheadersandadvancedfeaturesinPHPemailenhancefunctionalityandreliability.1)Customheadersaddmetadatafortrackingandcategorization.2)HTMLemailsallowformattingandinteractivity.3)AttachmentscanbesentusinglibrarieslikePHPMailer.4)SMTPauthenticationimpr

Guide to Sending Emails with PHP & SMTPMay 09, 2025 am 12:06 AM

Sending mail using PHP and SMTP can be achieved through the PHPMailer library. 1) Install and configure PHPMailer, 2) Set SMTP server details, 3) Define the email content, 4) Send emails and handle errors. Use this method to ensure the reliability and security of emails.

What is the best way to send an email using PHP?May 08, 2025 am 12:21 AM

ThebestapproachforsendingemailsinPHPisusingthePHPMailerlibraryduetoitsreliability,featurerichness,andeaseofuse.PHPMailersupportsSMTP,providesdetailederrorhandling,allowssendingHTMLandplaintextemails,supportsattachments,andenhancessecurity.Foroptimalu

Best Practices for Dependency Injection in PHPMay 08, 2025 am 12:21 AM

The reason for using Dependency Injection (DI) is that it promotes loose coupling, testability, and maintainability of the code. 1) Use constructor to inject dependencies, 2) Avoid using service locators, 3) Use dependency injection containers to manage dependencies, 4) Improve testability through injecting dependencies, 5) Avoid over-injection dependencies, 6) Consider the impact of DI on performance.

PHP performance tuning tips and tricksMay 08, 2025 am 12:20 AM

PHPperformancetuningiscrucialbecauseitenhancesspeedandefficiency,whicharevitalforwebapplications.1)CachingwithAPCureducesdatabaseloadandimprovesresponsetimes.2)Optimizingdatabasequeriesbyselectingnecessarycolumnsandusingindexingspeedsupdataretrieval.

PHP Email Security: Best Practices for Sending EmailsMay 08, 2025 am 12:16 AM

ThebestpracticesforsendingemailssecurelyinPHPinclude:1)UsingsecureconfigurationswithSMTPandSTARTTLSencryption,2)Validatingandsanitizinginputstopreventinjectionattacks,3)EncryptingsensitivedatawithinemailsusingOpenSSL,4)Properlyhandlingemailheaderstoa

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055523 fails to install in Windows 11?

4 weeks agoByDDD

How to fix KB5055518 fails to install in Windows 10?

4 weeks agoByDDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks agoByDDD

Hot Tools

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

SublimeText3 Linux new version

SublimeText3 Linux latest version

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software