PHP development: How to use JWT to protect user authentication information

In today's network application development, protecting the user's identity authentication information is crucial. JWT (JSON Web Token) is a secure identity authentication method that uses JSON format to encode authentication information and uses signatures to protect data integrity. This article will introduce how to use JWT to protect user authentication information in PHP development.

1. Installing JWT

First, we need to install JWT in the PHP project. You can use the Composer tool to install JWT, the command is as follows:

composer require firebase/php-jwt

2. Generate JWT

After the user successfully authenticates, we need to generate the JWT and return it to the client end. In PHP, you can use the following code to generate a JWT:

use FirebaseJWTJWT;

$payload = array(
    "user_id" => 1234,
    "email" => "john@doe.com"
);

$secret_key = "secret_key";
$jwt = JWT::encode($payload, $secret_key);

Use the JWT::encode() method to generate a JWT. The first parameter is an associative array containing user information, and the second parameter is the key used to sign the JWT. The generated JWT can be returned directly to the client.

3. Verify JWT

Once the client receives the JWT, it stores the JWT locally and sends it with every request so that the server can authenticate the user . In PHP, to validate a JWT, you need to use the following code:

use FirebaseJWTJWT;

$jwt = "generated_jwt";

$secret_key = "secret_key";
try {
    $decoded = JWT::decode($jwt, $secret_key, array("HS256"));
    $user_id = $decoded->user_id;
    $email = $decoded->email;
} catch (Exception $e) {
    // JWT 验证失败
}

Use the JWT::decode() method to validate a JWT. The first parameter is the JWT to be verified, the second parameter is the key used to sign the JWT, and the third parameter specifies the signing algorithm used. If the JWT validation is successful, an object $decoded containing the user information will be returned.

4. Custom validity and expiration time

By default, JWT does not contain a validity period or expiration time, so it can be used permanently. In order to better protect the user's identity authentication information, we can set the validity period and expiration time of JWT.

use FirebaseJWTJWT;

$payload = array(
    "user_id" => 1234,
    "email" => "john@doe.com",
    "exp" => time() + 3600,  // 有效期为 1 小时
    "nbf" => time() + 30  // 在 30 秒内无效
);

$secret_key = "secret_key";
$jwt = JWT::encode($payload, $secret_key);

In the above code, we declare the validity and expiration time of the JWT by setting "exp" (validity period) and "nbf" (not before). When validating a JWT using the JWT::decode() method, an exception will be thrown if the JWT has expired or has not yet entered its validity period.

5. Summary

Using JWT in PHP development is a secure authentication method that can help us better protect user authentication information. We can use the PHP-JWT library to generate and verify JWT, and can set validity and expiration times to increase security. To ensure the security of our application, we must handle JWT's keys with care and have proper error handling.

The above is the detailed content of PHP development: How to use JWT to protect user authentication information. For more information, please follow other related articles on the PHP Chinese website!