
PHP Token (Token) Design_PHP Tutorial

WBOY
2016-07-21 15:53:39



How to achieve the goals:

How to avoid repeated submissions?
Keep an array in the SESSION that stores every token that has already been submitted successfully. When the request is processed on the server, first check whether the submitted token is in that array; if it is, the request is a repeated submission.
How to check the origin?
Optional: when the token is generated, the current session_id is embedded in it. If someone else copies your HTML (and with it a copy of the token) and submits it, the session_id inside the token will not equal the current session_id, so the submission can be judged to be an external one.
How to match the action to be performed?
When the token is generated, write the name of the action it belongs to into the token, so that during processing the action can be extracted from it and compared.
The GToken I wrote before could not meet the second point mentioned above, but it was modified today, and after a while I added function 2. Personally, I think it's okay.
Please take a look at the code. If you feel there is something unreasonable, please enlighten me! Thank you.

I found the encryption method online and modified it slightly.

GEncrypt.inc.php:


class GEncrypt extends GSuperclass {
    protected static function keyED($txt, $encrypt_key){ // XOR $txt against md5($encrypt_key), cycling through the digest
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++){
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            $tmp .= substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1);
            $ctr++;
        }
        return $tmp;
    }
    public static function encrypt($txt, $key){ // stores (key char, byte ^ key char) pairs, then keyED with $key and base64
        //$encrypt_key = md5(rand(0,32000));
        $encrypt_key = md5(((float) date("YmdHis") + rand(10000000000000000, 99999999999999999)) . rand(100000, 999999));
        $ctr = 0;
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++){
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            $tmp .= substr($encrypt_key, $ctr, 1) . (substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1));
            $ctr++;
        }
        return base64_encode(self::keyED($tmp, $key));
    }
    public static function decrypt($txt, $key){ // undo keyED, then read the (key char, XORed byte) pairs back
        $txt = self::keyED(base64_decode($txt), $key);
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++){
            $md5 = substr($txt, $i, 1);
            $i++;
            $tmp .= (substr($txt, $i, 1) ^ $md5);
        }
        return $tmp;
    }
}
?>


GToken.inc.php
Methods:

a, granteToken. Parameters: formName, which is the action name; key, the encryption/decryption key.
Returns a string of the form: encrypt(formName:session_id)

b, isToken. Parameters: token, the result generated by granteToken; formName, the action name; fromCheck, whether to check the source. If fromCheck is true, it is also checked whether the session_id in the token is the same as the current session_id.

c, dropToken. After an action has been executed successfully, call this function to record the token into the session.


/**
 * Principle: when a token is requested, allocate a unique one, roughly base64(time + rand + action).
 * When a form is submitted, record its token so that the same token is recognised as already used, which avoids duplicate submissions.
 */ 
class GToken { 

    /**
* Get all current tokens
*
* @return array
*/ 
    public static function getTokens(){ 
        // read the array of used tokens from the session; start with an empty array if nothing is stored yet 
        $tokens = isset($_SESSION[GConfig::SESSION_KEY_TOKEN]) ? $_SESSION[GConfig::SESSION_KEY_TOKEN] : null; 
        if (!is_array($tokens)) { 
            $tokens = array(); 
        } 
        return $tokens; 
    } 

    /**
     * Generate a new token for the given action, bound to the current session_id
     *
     * @param string $formName action name
     * @param string $key encryption key
     * @return string
     */ 
    public static function granteToken($formName,$key = GConfig::ENCRYPT_KEY ){ 
        $token = GEncrypt::encrypt($formName.":".session_id(),$key); 
        return $token; 
    } 

    /**
* Deleting a token actually adds an element to an array in the session, indicating that the token has been used before to avoid repeated submission of data.
*
* @param string $token
*/ 
    public static function dropToken($token){ 
        $tokens = self::getTokens(); 
        $tokens[] = $token; 
        GSession::set(GConfig::SESSION_KEY_TOKEN ,$tokens); 
    } 

    /**
     * Check whether the token is valid for the given action. If $fromCheck is true, it is also checked whether the session_id attached to the token is the same as the current session_id.
     *
     * @param string $token token produced by granteToken
     * @param string $formName action name
     * @param boolean $fromCheck whether to check the source
     * @param string $key encryption key
     * @return boolean
     */ 
    public static function isToken($token,$formName,$fromCheck = false,$key = GConfig::ENCRYPT_KEY){ 
        $tokens = self::getTokens(); 

        if (in_array($token,$tokens)) // if present, this token has already been used 
            return false; 

        // split() was removed in PHP 7; explode() does the same job here 
        $source = explode(":", GEncrypt::decrypt($token,$key)); 
        if (count($source) < 2) 
            return false; // not a token we issued 

        if($fromCheck) 
            return $source[1] == session_id() && $source[0] == $formName; 
        else 
            return $source[0] == $formName; 
    } 

} 
?> 

Example:

First take the token out of $_POST and check it with isToken.

Downloading this file seems to work without problems.
To check that the matching action is enforced, change the formName passed to isToken and run it again: the names no longer match and the action is not executed, which shows that this check works.

I have not verified whether repeated submissions can be avoided; the logic is too simple.

What remains is to check that the source check works properly.
Copy the HTML generated by the above example to a local web page (so that it is submitted from a different domain) and run it: the submission is detected as coming from an unknown source and no action is executed (the third parameter of isToken must be set to true for this).
Set the third parameter of isToken to false, submit again, and the specified action is executed!
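Putting the three checks together: the following is an added example, not code from the original article or its GToken/GEncrypt classes. It keeps the same three-function shape (grant, check, drop) and replays the same tests as the Example section, but builds the token as base64(formName:session_id:nonce) followed by a hash_hmac tag instead of the XOR scheme in GEncrypt, so that the action and session_id carried inside a token cannot be altered or forged without the key. TOKEN_SECRET, the function names, the session ids and the array standing in for the session store are all constructed for this example; GConfig and GSession are not used, so it runs from the command line.

```php
<?php
// Added example, not the article's code. Same three checks as GToken (not reused,
// bound to the action, optionally bound to the session) with an HMAC tag in
// place of GEncrypt. TOKEN_SECRET and the session ids below are constructed.
const TOKEN_SECRET = 'constructed-secret-replace-with-random-bytes';

// Grant a token for $formName tied to $sessionId.
// Layout: base64(formName:sessionId:nonce) . "." . hmac-sha256(payload, key)
function grantToken(string $formName, string $sessionId, string $key = TOKEN_SECRET): string
{
    $nonce   = bin2hex(random_bytes(16));      // makes every token unique
    $payload = $formName . ':' . $sessionId . ':' . $nonce;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

// Check a token: true only if the tag verifies, the token is not in $usedTokens,
// the action matches and (when $fromCheck) the embedded session id matches.
// $usedTokens plays the role of the array the article keeps in $_SESSION.
function isToken(string $token, string $formName, string $sessionId, array $usedTokens,
                 bool $fromCheck = false, string $key = TOKEN_SECRET): bool
{
    if (in_array($token, $usedTokens, true)) {
        return false;                          // repeated submission
    }
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;                          // malformed token
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return false;
    }
    // constant-time comparison so the tag cannot be matched byte by byte
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $parts[1])) {
        return false;                          // altered or forged token
    }
    $source = explode(':', $payload, 3);
    if (count($source) !== 3 || $source[0] !== $formName) {
        return false;                          // action does not match
    }
    if ($fromCheck && !hash_equals($source[1], $sessionId)) {
        return false;                          // minted for a different session
    }
    return true;
}

// Record a token as used (the article's dropToken).
function dropToken(string $token, array &$usedTokens): void
{
    $usedTokens[] = $token;
}

// ---- the article's tests, replayed with constructed session ids ----
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$sessionId  = 'constructed-session-id-1';
$usedTokens = [];
$token      = grantToken('downloadFile', $sessionId);

// 1. first submission with the matching action: accepted, then recorded
expect(isToken($token, 'downloadFile', $sessionId, $usedTokens, true), 'fresh token accepted');
dropToken($token, $usedTokens);

// 2. the same token again: rejected as a repeated submission
expect(!isToken($token, 'downloadFile', $sessionId, $usedTokens, true), 'reused token rejected');

// 3. a fresh token presented for a different action: rejected
$token2 = grantToken('downloadFile', $sessionId);
expect(!isToken($token2, 'deleteFile', $sessionId, $usedTokens), 'wrong action rejected');

// 4. token copied into another session (the article's "external submission" test):
//    rejected with the source check on, accepted with it off, as in the article
expect(!isToken($token2, 'downloadFile', 'constructed-session-id-2', $usedTokens, true), 'foreign session rejected');
expect(isToken($token2, 'downloadFile', 'constructed-session-id-2', $usedTokens, false), 'source check off');

// 5. payload edited without the key (action swapped, tag kept): the tag no longer verifies
$tag    = substr($token2, strpos($token2, '.') + 1);
$forged = base64_encode("deleteFile:$sessionId:nonce") . '.' . $tag;
expect(!isToken($forged, 'deleteFile', $sessionId, $usedTokens), 'tampered token rejected');

echo "all token checks passed\n";
```

Run it with `php token_demo.php`; it prints "all token checks passed" or throws on the first failing check. hash_equals is used for both the tag and the session id so that neither comparison leaks timing information. A production version would keep $usedTokens in $_SESSION exactly as the article does, and could additionally drop old entries so that the array does not grow without bound over a long session.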

Okay, that's it so far. I don't know if there are still bugs anywhere; this will need to be debugged and modified slowly over long-term use!
