用户登录之cookie信息安全一二事,cookie信息安全
大家都知道用户登陆后,用户信息一般会选择保存在cookie里面,因为cookie是保存客户端,
并且cookie可以在客户端用浏览器自由更改,这样将会造成用户cookie存在伪造的危险,从而可能使伪造cookie者登录任意用户的账户。
下面就说说平常一些防止用户登录cookie信息安全的方法:
一、cookie信息加密法
cookie信息加密法即用一种加密方法,加密用户信息,然后在存入cookie,这样伪造者即使得到cookie也只能在cookie有效期内对这个cookie利用,无法另外伪造cookie信息。
这里附上一个加密函数:
<!--?<span>php </span><span>function</span> authcode(<span>$string</span>, <span>$operation</span> = 'DECODE', <span>$key</span> = '', <span>$expiry</span> = 0<span>) { </span><span>//</span><span> 动态密匙长度,相同的明文会生成不同密文就是依靠动态密匙 </span> <span>$ckey_length</span> = 4<span>; </span><span>//</span><span> 密匙 </span> <span>$key</span> = <span>md5</span>(<span>$key</span> ? <span>$key</span> : <span>$GLOBALS</span>['discuz_auth_key'<span>]); </span><span>//</span><span> 密匙a会参与加解密 </span> <span>$keya</span> = <span>md5</span>(<span>substr</span>(<span>$key</span>, 0, 16<span>)); </span><span>//</span><span> 密匙b会用来做数据完整性验证 </span> <span>$keyb</span> = <span>md5</span>(<span>substr</span>(<span>$key</span>, 16, 16<span>)); </span><span>//</span><span> 密匙c用于变化生成的密文 </span> <span>$keyc</span> = <span>$ckey_length</span> ? (<span>$operation</span> == 'DECODE' ? <span>substr</span>(<span>$string</span>, 0, <span>$ckey_length</span>): <span>substr</span>(<span>md5</span>(<span>microtime</span>()), -<span>$ckey_length</span>)) : ''<span>; </span><span>//</span><span> 参与运算的密匙 </span> <span>$cryptkey</span> = <span>$keya</span>.<span>md5</span>(<span>$keya</span>.<span>$keyc</span><span>); </span><span>$key_length</span> = <span>strlen</span>(<span>$cryptkey</span><span>); </span><span>//</span><span> 明文,前10位用来保存时间戳,解密时验证数据有效性,10到26位用来保存$keyb(密匙b), //解密时会通过这个密匙验证数据完整性 // 如果是解码的话,会从第$ckey_length位开始,因为密文前$ckey_length位保存 动态密匙,以保证解密正确 </span> <span>$string</span> = <span>$operation</span> == 'DECODE' ? <span>base64_decode</span>(<span>substr</span>(<span>$string</span>, <span>$ckey_length</span>)) : <span>sprintf</span>('%010d', <span>$expiry</span> ? <span>$expiry</span> + <span>time</span>() : 0).<span>substr</span>(<span>md5</span>(<span>$string</span>.<span>$keyb</span>), 0, 16).<span>$string</span><span>; </span><span>$string_length</span> = <span>strlen</span>(<span>$string</span><span>); </span><span>$result</span> = ''<span>; </span><span>$box</span> = <span>range</span>(0, 255<span>); </span><span>$rndkey</span> = <span>array</span><span>(); </span><span>//</span><span> 产生密匙簿 </span> <span>for</span>(<span>$i</span> = 0; <span>$i</span> <= 255; <span>$i</span>++<span>) { </span><span>$rndkey</span>[<span>$i</span>] = <span>ord</span>(<span>$cryptkey</span>[<span>$i</span> % <span>$key_length</span><span>]); } </span><span>//</span><span> 用固定的算法,打乱密匙簿,增加随机性,好像很复杂,实际上对并不会增加密文的强度 </span> <span>for</span>(<span>$j</span> = <span>$i</span> = 0; <span>$i</span> < 256; <span>$i</span>++<span>) { </span><span>$j</span> = (<span>$j</span> + <span>$box</span>[<span>$i</span>] + <span>$rndkey</span>[<span>$i</span>]) % 256<span>; </span><span>$tmp</span> = <span>$box</span>[<span>$i</span><span>]; </span><span>$box</span>[<span>$i</span>] = <span>$box</span>[<span>$j</span><span>]; </span><span>$box</span>[<span>$j</span>] = <span>$tmp</span><span>; } </span><span>//</span><span> 核心加解密部分 </span> <span>for</span>(<span>$a</span> = <span>$j</span> = <span>$i</span> = 0; <span>$i</span> < <span>$string_length</span>; <span>$i</span>++<span>) { </span><span>$a</span> = (<span>$a</span> + 1) % 256<span>; </span><span>$j</span> = (<span>$j</span> + <span>$box</span>[<span>$a</span>]) % 256<span>; </span><span>$tmp</span> = <span>$box</span>[<span>$a</span><span>]; </span><span>$box</span>[<span>$a</span>] = <span>$box</span>[<span>$j</span><span>]; </span><span>$box</span>[<span>$j</span>] = <span>$tmp</span><span>; </span><span>//</span><span> 从密匙簿得出密匙进行异或,再转成字符 </span> <span>$result</span> .= <span>chr</span>(<span>ord</span>(<span>$string</span>[<span>$i</span>]) ^ (<span>$box</span>[(<span>$box</span>[<span>$a</span>] + <span>$box</span>[<span>$j</span>]) % 256<span>])); } </span><span>if</span>(<span>$operation</span> == 'DECODE'<span>) { </span><span>//</span><span> 验证数据有效性,请看未加密明文的格式 </span> <span>if</span>((<span>substr</span>(<span>$result</span>, 0, 10) == 0 || <span>substr</span>(<span>$result</span>, 0, 10) - <span>time</span>() --> 0) && <span>substr</span>(<span>$result</span>, 10, 16) == <span>substr</span>(<span>md5</span>(<span>substr</span>(<span>$result</span>, 26).<span>$keyb</span>), 0, 16<span>)) { </span><span>return</span> <span>substr</span>(<span>$result</span>, 26<span>); } </span><span>else</span><span> { </span><span>return</span> ''<span>; } } </span><span>else</span><span> { </span><span>//</span><span> 把动态密匙保存在密文里,这也是为什么同样的明文,生产不同密文后能解密的原因 // 因为加密后的密文可能是一些特殊字符,复制过程可能会丢失,所以用base64编码 </span> <span>return</span> <span>$keyc</span>.<span>str_replace</span>('=', '', <span>base64_encode</span>(<span>$result</span><span>)); } } </span><span>$str</span> = 'abcdef'<span>; </span><span>$key</span> = 'www.phpskill.com'<span>; </span><span>echo</span> <span>$jm</span> = authcode(<span>$str</span>,'ENCODE',<span>$key</span>,0); <span>//</span><span>加密 </span> <span>echo</span> " "<span>; </span><span>echo</span> authcode(<span>$jm</span> ,'DECODE',<span>$key</span>,0); <span>//</span><span>解密</span> ?>
这样当设置用户信息的cookie时,就无法对其进行伪造:
<!--?<span>php </span><span>$user</span> = <span>array</span>("uid"=--><span>$uid</span>,"username"=><span>$username</span><span>); </span><span>$user</span> = <span>base64_encode</span>(<span>serialize</span>(<span>$user</span><span>)); </span><span>$user</span> = authcode(<span>$user</span>,'ENCODE','www.phpskill.com',0); <span>//</span><span>加密 </span> <span>setcookie</span>("user",<span>$user</span>,<span>time</span>()+3600*24<span>); </span>?>
二、用加密令牌对cookie进行保护
<span>$hash</span> = <span>md5</span>(<span>$uid</span>.<span>time</span>());<span>//</span><span>加密令牌值</span> <span>$hash_expire</span> =<span>time</span>()+3600*24;<span>//</span><span>加密令牌值为一天有效期</span> <span>$user</span> = <span>array</span>("uid"=><span>$uid</span>,"username"=><span>$username</span>,"hash"=><span>$hash</span><span>); </span><span>$user</span> = <span>base64_encode</span>(<span>serialize</span>(<span>$user</span><span>)); </span><span>setcookie</span>("user",<span>$user</span>,<span>$hash_expr</span><span>); 然后把</span><span>$hash和$hash_expire</span> 存入member表中hash和hash_expire对应字段中,<span>也可以存入nosql,session 用户伪造cookie时,hash无法伪造</span>,<span>伪造的hash和数据库中的不一致 用户每次登陆,这个hash_expire有效期内不更新hash值,过期则更新</span>
php纯技术交流群: 323899029
原文转载于:http://www.phpskill.com/html/show-1-4424-1.html

在PHP中,可以使用session_status()或session_id()來檢查會話是否已啟動。 1)使用session_status()函數,如果返回PHP_SESSION_ACTIVE,則會話已啟動。 2)使用session_id()函數,如果返回非空字符串,則會話已啟動。這兩種方法都能有效地檢查會話狀態,選擇使用哪種方法取決於PHP版本和個人偏好。

sessionsarevitalinwebapplications,尤其是在commercePlatform之前。

在PHP中管理並發會話訪問可以通過以下方法:1.使用數據庫存儲會話數據,2.採用Redis或Memcached,3.實施會話鎖定策略。這些方法有助於確保數據一致性和提高並發性能。

PHPsessionshaveseverallimitations:1)Storageconstraintscanleadtoperformanceissues;2)Securityvulnerabilitieslikesessionfixationattacksexist;3)Scalabilityischallengingduetoserver-specificstorage;4)Sessionexpirationmanagementcanbeproblematic;5)Datapersis

負載均衡會影響會話管理,但可以通過會話複製、會話粘性和集中式會話存儲解決。 1.會話複製在服務器間複製會話數據。 2.會話粘性將用戶請求定向到同一服務器。 3.集中式會話存儲使用獨立服務器如Redis存儲會話數據,確保數據共享。

Sessionlockingisatechniqueusedtoensureauser'ssessionremainsexclusivetooneuseratatime.Itiscrucialforpreventingdatacorruptionandsecuritybreachesinmulti-userapplications.Sessionlockingisimplementedusingserver-sidelockingmechanisms,suchasReentrantLockinJ

PHP會話的替代方案包括Cookies、Token-basedAuthentication、Database-basedSessions和Redis/Memcached。 1.Cookies通過在客戶端存儲數據來管理會話,簡單但安全性低。 2.Token-basedAuthentication使用令牌驗證用戶,安全性高但需額外邏輯。 3.Database-basedSessions將數據存儲在數據庫中,擴展性好但可能影響性能。 4.Redis/Memcached使用分佈式緩存提高性能和擴展性,但需額外配

Sessionhijacking是指攻擊者通過獲取用戶的sessionID來冒充用戶。防範方法包括:1)使用HTTPS加密通信;2)驗證sessionID的來源;3)使用安全的sessionID生成算法;4)定期更新sessionID。


熱AI工具

Undresser.AI Undress
人工智慧驅動的應用程序,用於創建逼真的裸體照片

AI Clothes Remover
用於從照片中去除衣服的線上人工智慧工具。

Undress AI Tool
免費脫衣圖片

Clothoff.io
AI脫衣器

Video Face Swap
使用我們完全免費的人工智慧換臉工具,輕鬆在任何影片中換臉!

熱門文章

熱工具

Atom編輯器mac版下載
最受歡迎的的開源編輯器

EditPlus 中文破解版
體積小,語法高亮,不支援程式碼提示功能

SublimeText3 Mac版
神級程式碼編輯軟體(SublimeText3)

Safe Exam Browser
Safe Exam Browser是一個安全的瀏覽器環境,安全地進行線上考試。該軟體將任何電腦變成一個安全的工作站。它控制對任何實用工具的訪問,並防止學生使用未經授權的資源。

SAP NetWeaver Server Adapter for Eclipse
將Eclipse與SAP NetWeaver應用伺服器整合。