Problem description
I'm a beginner working on a login script in PHP. This is the form token statement that I have so far:
$_SESSION["form_token"] = md5(rand(time(), true));
The statement is issued just after the user indicates that he/she wants to login.
My limited understanding is that the token's purpose is to identify a unique user at a unique point in time and to disguise the form token information.
Then everything becomes fuzzy. Here are my 3 open questions:
When is the best time to "check" the form token for security purposes?
How do I check it?
When, if ever, do I "destroy" the form token? (IOW, would the form token stay "active" until the user logs out?)
There is no need to do what you are attempting. When you start a session in PHP with session_start() a unique SESSIONID is already generated for you. You should not be putting this on the form. It is handled via cookies by default. There is also no need to check the SESSIONID either, that again is handled for you.
You are responsible for authenticating the user and storing their authenticated identity (e.g. $_SESSION['user_id'] = $userId) in the SESSION. If a user logs out you destroy their session with session_destroy.
You should ensure session_start() is one of the first things for all pages in your site.
Here is a basic example:
<?php
session_start(); // starts new or resumes existing session
session_regenerate_id(true); // regenerates SESSIONID to prevent hijacking
function login($username, $password)
{
$user = new User();
if ($user->login($username, $password)) {
$_SESSION['user_id'] = $user->getId();
return true;
}
return false;
}
function logout()
{
session_destroy();
}
function isLoggedIn()
{
return isset($_SESSION['user_id']);
}
function generateFormHash($salt)
{
    // store the hash in the session so it can be compared on submit
    $hash = md5(mt_rand(1,1000000) . $salt);
    $_SESSION['csrf_hash'] = $hash;
    return $hash;
}
function isValidFormHash($hash)
{
    // the submitted value must match the one stored for this session
    return $_SESSION['csrf_hash'] === $hash;
}
Edit: I misunderstood the original question. I added the relevant methods above for generating and validating form hashes;
Please see the following resources:
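The same token lifecycle as in the answer above, written out end to end as an added example (not code from the original answer): generation with the CSPRNG, a constant-time check on the POST before any other work, and token disposal plus session-id rotation after a successful login. The function names, the csrf_token field name and the User class usage are this example's own assumptions.

```php
<?php
// Added example, not from the original answer: a CSRF token lifecycle for the
// login form. Function names, the 'csrf_token' field and the User class usage
// are this example's own assumptions.
session_start();
// Create one unguessable token per session with the CSPRNG (not md5/mt_rand).
function generateCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// "When do I check it?": on every state-changing POST, before any other work.
// hash_equals() compares in constant time so the check does not leak timing;
// is_string() rejects array-shaped input such as csrf_token[]=x.
function isValidCsrfToken($submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// "When do I destroy it?": after a successful login, rotate the session id
// (blocks session fixation) and drop the old token so it cannot be replayed.
function handleLogin(array $post): bool
{
    if (!isValidCsrfToken($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return false;
    }
    $user = new User(); // assumed application class, as in the answer above
    if (!$user->login($post['username'] ?? '', $post['password'] ?? '')) {
        return false;
    }
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
    $_SESSION['user_id'] = $user->getId();
    return true;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handleLogin($_POST);
} else { // render the form with the token in a hidden, HTML-escaped field
    $token = htmlspecialchars(generateCsrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf_token" value="'
        . $token . '"><input name="username"><input type="password" name="password">'
        . '<button type="submit">Log in</button></form>';
}
```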