Home > Article > Backend Development > www.stocke.com.cn PHP Token Design
Copy the code The code is as follows:
Copy the code The code is as follows:
The above introduces the PHP Token design of www.stocke.com.cn, including the content of www.stocke.com.cn. I hope it will be helpful to friends who are interested in PHP tutorials.
class GEncrypt extends GSuperclass {
protected static function keyED($txt,$encrypt_key){
$encrypt_key = md5($encrypt_key);
$ctr=0;
$tmp = ""; i=0;$i
$tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1); t,$key){
32000));
$encrypt_key = md5(((float) date("YmdHis") + rand(10000000000000000,99999999999999999)).rand(100000,999999));
$ctr=0;
$tmp = ""; For ($ i = 0; $ i & lt; strlen ($ txt); $ i ++) {
IF ($ ctr == Strlen ($ Encrypt_Key)) $ ctr = 0; ctr,1) . (substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1)); $key) );
}
public static function decrypt($txt,$key){
$txt = self::keyED( base64_decode($txt),$key);
$tmp = ""; for ($i=0 ;$i
Method:
a, granteToken Parameters: formName, which is the action name, key is the encryption/decryption key.
Returns a string in the form: encryption (formName: session_id)
b, isToken Parameters: token is the result generated by grantToken, formName, action name, whether fromCheck checks the source, and if it is true, it also determines whether the session_id in the token is the same as the current session_id.
c, dropToken, when an action is successfully executed, call this Function, record this token into the session,
/**
* Principle: When requesting to allocate a token, find a way to allocate a unique token, base64( time + rand + action)
* If submitted, record this token, indicating that this token has been used before, and you can follow it to avoid duplication submit.
*
*/
class GToken {
/**
* Get all the current tokens */
public static function getTokens(){
$tokens = $_SESSION[GConfig::SESSION_KEY_TOKEN ];
if (empty($tokens) && !is_array($tokens)) {
$tokens = array();
}
return $tokens;
}
/**
* Generate a new Token */
public static function granteToken($formName,$key = GConfig::ENCRYPT_KEY ){
$token = GEncrypt::encrypt($formName.":".session_id(),$key);
return $token;
}
/**
* Deleting a token actually adds an element to an array in the session, indicating that the token has been used before to avoid repeated submission of data.
* */
public static function dropToken($token){
$tokens = self::getTokens();
$tokens[] = $token;
GSession::set(GConfig::SESSION_KEY_TOKEN ,$tokens);
}
/**
medium additional Whether the session_id is the same as the current session_id.
* @param string $key encryption key
* @return boolean
*/
public static function isToken($token,$formName,$fromCheck = false,$key = GConfig::ENCRYPT_KEY){
$tokens = self::getTokens();
if (in_array($token,$tokens)) //如果存在,说明是以使用过的token
return false;
$source = split(":", GEncrypt::decrypt($token,$key));
if($fromCheck)
return $source[1] == session_id() && $source[0] == $formName;
else
return $source[0] == $formName;
}
}
?>
Example:
First take out the token from $_POST and use isToken to judge.
Downloading this file seems to be no problem.
If you want to judge whether it is a matching action, you can change the formName in isToken. Running, very good, no matching. Prove this success.
Whether it can avoid repeated submission, I have not verified, it is too simple logic.
The rest is to judge whether the source check is working normally.
Generate the above example html copy to a local web page (to achieve the purpose of different domains), run, check the source is unknown, and no action is performed (the third parameter of isToken needs to be set to true).
Set the third parameter of isToken Set it to false, submit, and the specified action is executed!
Okay, so far, I don’t know if there are still BUGs somewhere, which will need to be debugged and modified slowly in long-term use!