PHP security development: Add random string verification to prevent forged cross-site requests_PHP tutorial

Yahoo’s way to deal with fake cross-site requests is to add a random string called .crumb to the form; Facebook has a similar solution, and its forms often have post_form_id and fb_dtsg.

A common and cheap prevention method is to add a random and frequently changing string to all forms that may involve user writing operations, and then check this string when processing the form. If this random string is associated with the current user identity, it will be more troublesome for the attacker to forge requests. Now the prevention methods are basically based on this method

Implementation of random string code
We follow this idea and copy the implementation of crumb. The code is as follows:

Copy the code The code is as follows:

class Crumb { 
    CONST SALT = "your-secret-salt";                                                            
    static $ttl = 7200;                                                                                           
    static public function challenge($data) {   
        return hash_hmac('md5', $data, self::SALT);   
    }                                                                                                                
    static public function issueCrumb($uid, $action = -1) {   
        $i = ceil(time() / self::$ttl);   
        return substr(self::challenge($i . $action . $uid), -12, 10);   
    }                                                                                                                
    static public function verifyCrumb($uid, $crumb, $action = -1) {   
        $i = ceil(time() / self::$ttl);                                                                              
        if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||   
            substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)   
            return true;                                                                                       
        return false;   
    }                                                                                          🎜>

$uid in the code represents the user’s unique identifier, and $ttl represents the validity time of this random string.

Application example

Construct a form
Insert a hidden random string crumb into the form

Copy code The code is as follows:

Process form demo.php

Check crumb

Copy the code The code is as follows:

if(Crumb::verifyCrumb($uid, $_POST['crumb'])) {
//Process the form according to normal flow
} else {
// Crumb verification failed, error prompt process
}


This article is from Baozi Blog