Home  >  Article  >  Backend Development  >  www.stocke.com.cn PHP Token Design

www.stocke.com.cn PHP Token Design

WBOY
WBOYOriginal
2016-07-29 08:37:231562browse

How to achieve the goal:
How to avoid repeated submissions?
Save an array in the SESSION. This array stores the successfully submitted tokens. During background processing, first determine whether the token is in this array. If it exists, indicate that it is Repeat submission.
How to check the source?
Optional, when this token is generated, the current session_id is added. If someone else copies your html (token copy), when submitting, theoretically the session_id contained in the token will be If it is not equal to the current session_id, you can judge that this submission is an external submission.
How to match the action to be executed?
When tokenizing, you need to write the action name of this token into the token, so that when processing, Just solve this action and compare it.
The GToken I wrote before could not meet the second point mentioned above. I modified it today and added function 2. Personally, I think it is okay.
Please look at the code and see where it feels. If there is anything unreasonable, please let me know! Thank you.
I found a method online for encryption and made some modifications.
GEncrypt.inc.php:

Copy the code The code is as follows:


class GEncrypt extends GSuperclass {
protected static function keyED($txt,$encrypt_key){
$encrypt_key = md5($encrypt_key);
$ctr=0;
         $tmp = "";                                                          ​i=0;$i if ($ctr==strlen($encrypt_key)) $ctr=0;
$tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1);                                                                                                                                          ​ t,$key){
                                                                                         32000));
$encrypt_key = md5(((float) date("YmdHis") + rand(10000000000000000,99999999999999999)).rand(100000,999999));
$ctr=0;
$tmp = ""; For ($ i = 0; $ i & lt; strlen ($ txt); $ i ++) {
IF ($ ctr == Strlen ($ Encrypt_Key)) $ ctr = 0; ctr,1) . (substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1)); $key) );
}
public static function decrypt($txt,$key){
$txt = self::keyED( base64_decode($txt),$key);
$tmp = ""; for ($i=0 ;$iGToken.inc.php
Method:
a, granteToken Parameters: formName, which is the action name, key is the encryption/decryption key.
Returns a string in the form: encryption (formName: session_id)
b, isToken Parameters: token is the result generated by grantToken, formName, action name, whether fromCheck checks the source, and if it is true, it also determines whether the session_id in the token is the same as the current session_id.
c, dropToken, when an action is successfully executed, call this Function, record this token into the session,

Copy the code The code is as follows:


/**
* Principle: When requesting to allocate a token, find a way to allocate a unique token, base64( time + rand + action)
* If submitted, record this token, indicating that this token has been used before, and you can follow it to avoid duplication submit.
*
*/ 
class GToken { 
    /**
         * Get all the current tokens                                                                               */ 
    public static function getTokens(){ 
        $tokens = $_SESSION[GConfig::SESSION_KEY_TOKEN ]; 
        if (empty($tokens) && !is_array($tokens)) { 
            $tokens = array(); 
        } 
        return $tokens; 
    } 
    /**
         * Generate a new Token                                                                                                                   */ 
    public static function granteToken($formName,$key = GConfig::ENCRYPT_KEY ){ 
        $token = GEncrypt::encrypt($formName.":".session_id(),$key); 
        return $token; 
    } 
    /**
* Deleting a token actually adds an element to an array in the session, indicating that the token has been used before to avoid repeated submission of data.
      *                                                                  */ 
    public static function dropToken($token){ 
        $tokens = self::getTokens(); 
        $tokens[] = $token; 
        GSession::set(GConfig::SESSION_KEY_TOKEN ,$tokens); 
    } 
    /**
                                                                                                                                                                     medium additional Whether the session_id is the same as the current session_id.
* @param string $key encryption key
* @return boolean
*/ 
    public static function isToken($token,$formName,$fromCheck = false,$key = GConfig::ENCRYPT_KEY){ 
        $tokens = self::getTokens(); 
        if (in_array($token,$tokens)) //如果存在,说明是以使用过的token 
            return false; 
        $source = split(":", GEncrypt::decrypt($token,$key)); 
        if($fromCheck) 
            return $source[1] == session_id() && $source[0] == $formName; 
        else 
            return $source[0] == $formName; 
    } 

?> 

Example:
First take out the token from $_POST and use isToken to judge.
 PHP Token令牌设计 Downloading this file seems to be no problem.
If you want to judge whether it is a matching action, you can change the formName in isToken. Running, very good, no matching. Prove this success.
Whether it can avoid repeated submission, I have not verified, it is too simple logic.
The rest is to judge whether the source check is working normally.
Generate the above example html copy to a local web page (to achieve the purpose of different domains), run, check the source is unknown, and no action is performed (the third parameter of isToken needs to be set to true).
Set the third parameter of isToken Set it to false, submit, and the specified action is executed!
Okay, so far, I don’t know if there are still BUGs somewhere, which will need to be debugged and modified slowly in long-term use!

The above introduces the PHP Token design of www.stocke.com.cn, including the content of www.stocke.com.cn. I hope it will be helpful to friends who are interested in PHP tutorials.

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn