Use JWT (JSON Web Token) Blacklist to implement PHP security verification

Using JWT (JSON Web Token) Blacklist to implement PHP security verification

With the development of the Internet, the security of Web applications has become more and more important. When implementing security verification for PHP applications, we can use JWT (JSON Web Token) as a security verification solution. In order to increase the security of JWT, we can use Blacklist to manage expired Tokens.

JWT is an open standard (RFC 7519) for authentication and authorization. It consists of three parts: Header, Payload and Signature. Header contains algorithm and Token type information, Payload contains user data information, and Signature is generated based on Header, Payload and Secret Key signatures.

The process for authentication using JWT is as follows:

1. Users log in using their username and password.
2. The server verifies the user's username and password and generates a JWT.
3. The server sends the JWT to the client.
4. The client stores the JWT in Cookie or Local Storage.
5. When the client sends a request, it brings JWT in the header of the request.
6. After the server receives the request, it verifies the validity of the JWT. If the verification passes, it continues to process the request.

However, if the JWT is valid for a long time, once the Token is leaked, the attacker can always use the Token to perform illegal operations. In order to solve this problem, we can use Blacklist to manage expired Tokens. When the user logs out or changes their password, the relevant Tokens will be added to the Blacklist.

The following is a code example of using JWT Blacklist to implement PHP security verification:

// 定义 JWT 的 Secret Key
$secretKey = "your_secret_key";

// 生成 JWT
function generateJWT($userId) {
    global $secretKey;

    $header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);
    $payload = json_encode(['userId' => $userId]);

    $base64UrlHeader = base64UrlEncode($header);
    $base64UrlPayload = base64UrlEncode($payload);

    $signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secretKey, true);
    $base64UrlSignature = base64UrlEncode($signature);

    return $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
}

// 验证 JWT 是否有效
function validateJWT($jwt) {
    global $secretKey;

    list($base64UrlHeader, $base64UrlPayload, $base64UrlSignature) = explode('.', $jwt);

    $signature = base64UrlDecode($base64UrlSignature);
    $expectedSignature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secretKey, true);

    if ($signature !== $expectedSignature) {
        return false;
    }

    $payload = json_decode(base64UrlDecode($base64UrlPayload), true);

    // 在 Blacklist 中查找当前 Token 是否存在
    if (isTokenBlacklisted($jwt)) {
        return false;
    }

    return $payload['userId'];
}

// 将字符串进行 Base64Url 编码
function base64UrlEncode($data) {
    $base64 = base64_encode($data);
    if ($base64 === false) {
        return false;
    }

    // 替换特殊字符
    $base64Url = strtr($base64, '+/', '-_');

    // 删除 = 字符
    $base64Url = rtrim($base64Url, '=');

    return $base64Url;
}

// 将 Base64Url 编码的字符串解码
function base64UrlDecode($base64Url) {
    // 添加 = 字符
    $base64 = str_pad(strtr($base64Url, '-_', '+/'), strlen($base64Url) % 4, '=', STR_PAD_RIGHT);

    return base64_decode($base64);
}

// 将 Token 加入 Blacklist
function blacklistToken($jwt) {
    // 在数据库或缓存中将 Token 标记为失效
}

// 判断 Token 是否在 Blacklist 中
function isTokenBlacklisted($jwt) {
    // 在数据库或缓存中查询 Token 是否存在
}

Using the above code example, we can easily implement JWT security verification and Blacklist management in PHP applications. By using JWT and Blacklist, we can increase the security of authentication and improve the protection of web applications.

Summary:
This article introduces how to use JWT and Blacklist to implement PHP security verification. Through JWT, we can securely transmit user information, and use Blacklist to manage expired Tokens, increasing the security of authentication. In actual development, we can optimize and expand the code according to actual needs to meet the security requirements in specific scenarios.

Reference link:
[1] JSON Web Token (JWT) - https://jwt.io/
[2] RFC 7519 - https://tools.ietf.org/html /rfc7519

The above is the detailed content of Use JWT (JSON Web Token) Blacklist to implement PHP security verification. For more information, please follow other related articles on the PHP Chinese website!