search

Home  >  Article  >  Backend Development  >  PHP security development: Add random string verification to prevent forged cross-site requests_PHP tutorial

PHP security development: Add random string verification to prevent forged cross-site requests_PHP tutorial

WBOY
WBOYOriginal
2016-07-21 15:12:561027browse

Yahoo’s way to deal with fake cross-site requests is to add a random string called .crumb to the form; Facebook has a similar solution, and its forms often have post_form_id and fb_dtsg.

A common and cheap prevention method is to add a random and frequently changing string to all forms that may involve user writing operations, and then check this string when processing the form. If this random string is associated with the current user identity, it will be more troublesome for the attacker to forge requests. Now the prevention methods are basically based on this method

Implementation of random string code
We follow this idea and copy the implementation of crumb. The code is as follows:

Copy the code The code is as follows:

class Crumb { 
    CONST SALT = "your-secret-salt";                                                            
    static $ttl = 7200;                                                                                           
    static public function challenge($data) {   
        return hash_hmac('md5', $data, self::SALT);   
    }                                                                                                                
    static public function issueCrumb($uid, $action = -1) {   
        $i = ceil(time() / self::$ttl);   
        return substr(self::challenge($i . $action . $uid), -12, 10);   
    }                                                                                                                
    static public function verifyCrumb($uid, $crumb, $action = -1) {   
        $i = ceil(time() / self::$ttl);                                                                              
        if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||   
            substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)   
            return true;                                                                                       
        return false;   
    }                                                                                          🎜>

$uid in the code represents the user’s unique identifier, and $ttl represents the validity time of this random string.

Application example

Construct a form
Insert a hidden random string crumb into the form


Copy code The code is as follows:






Process form demo.php
Check crumb


Copy the code The code is as follows:
if(Crumb::verifyCrumb($uid, $_POST['crumb'])) {
//Process the form according to normal flow
} else {
// Crumb verification failed, error prompt process
}


This article is from Baozi Blog

http://www.bkjia.com/PHPjc/326620.html

truehttp: //www.bkjia.com/PHPjc/326620.htmlTechArticleYahoo’s way to deal with fake cross-site requests is to add a random string called .crumb to the form; Facebook also has Similar solutions, there are often post_form_id and fb_dtsg in its form. ...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:Detailed example analysis of PHP recursive algorithm_PHP tutorialNext article:Detailed example analysis of PHP recursive algorithm_PHP tutorial

Related articles

See more