Home >Backend Development >PHP Tutorial >Use JWT (JSON Web Token) Blacklist to implement PHP security verification
Using JWT (JSON Web Token) Blacklist to implement PHP security verification
With the development of the Internet, the security of Web applications has become more and more important. When implementing security verification for PHP applications, we can use JWT (JSON Web Token) as a security verification solution. In order to increase the security of JWT, we can use Blacklist to manage expired Tokens.
JWT is an open standard (RFC 7519) for authentication and authorization. It consists of three parts: Header, Payload and Signature. Header contains algorithm and Token type information, Payload contains user data information, and Signature is generated based on Header, Payload and Secret Key signatures.
The process for authentication using JWT is as follows:
However, if the JWT is valid for a long time, once the Token is leaked, the attacker can always use the Token to perform illegal operations. In order to solve this problem, we can use Blacklist to manage expired Tokens. When the user logs out or changes their password, the relevant Tokens will be added to the Blacklist.
The following is a code example of using JWT Blacklist to implement PHP security verification:
// 定义 JWT 的 Secret Key $secretKey = "your_secret_key"; // 生成 JWT function generateJWT($userId) { global $secretKey; $header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']); $payload = json_encode(['userId' => $userId]); $base64UrlHeader = base64UrlEncode($header); $base64UrlPayload = base64UrlEncode($payload); $signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secretKey, true); $base64UrlSignature = base64UrlEncode($signature); return $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature; } // 验证 JWT 是否有效 function validateJWT($jwt) { global $secretKey; list($base64UrlHeader, $base64UrlPayload, $base64UrlSignature) = explode('.', $jwt); $signature = base64UrlDecode($base64UrlSignature); $expectedSignature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secretKey, true); if ($signature !== $expectedSignature) { return false; } $payload = json_decode(base64UrlDecode($base64UrlPayload), true); // 在 Blacklist 中查找当前 Token 是否存在 if (isTokenBlacklisted($jwt)) { return false; } return $payload['userId']; } // 将字符串进行 Base64Url 编码 function base64UrlEncode($data) { $base64 = base64_encode($data); if ($base64 === false) { return false; } // 替换特殊字符 $base64Url = strtr($base64, '+/', '-_'); // 删除 = 字符 $base64Url = rtrim($base64Url, '='); return $base64Url; } // 将 Base64Url 编码的字符串解码 function base64UrlDecode($base64Url) { // 添加 = 字符 $base64 = str_pad(strtr($base64Url, '-_', '+/'), strlen($base64Url) % 4, '=', STR_PAD_RIGHT); return base64_decode($base64); } // 将 Token 加入 Blacklist function blacklistToken($jwt) { // 在数据库或缓存中将 Token 标记为失效 } // 判断 Token 是否在 Blacklist 中 function isTokenBlacklisted($jwt) { // 在数据库或缓存中查询 Token 是否存在 }
Using the above code example, we can easily implement JWT security verification and Blacklist management in PHP applications. By using JWT and Blacklist, we can increase the security of authentication and improve the protection of web applications.
Summary:
This article introduces how to use JWT and Blacklist to implement PHP security verification. Through JWT, we can securely transmit user information, and use Blacklist to manage expired Tokens, increasing the security of authentication. In actual development, we can optimize and expand the code according to actual needs to meet the security requirements in specific scenarios.
Reference link:
[1] JSON Web Token (JWT) - https://jwt.io/
[2] RFC 7519 - https://tools.ietf.org/html /rfc7519
The above is the detailed content of Use JWT (JSON Web Token) Blacklist to implement PHP security verification. For more information, please follow other related articles on the PHP Chinese website!