A few things about cookie information security for user login (PHP tutorial)

Jul 13, 2016 am 10:08 AM

Everyone knows that after a user logs in, the user information is generally saved in a cookie, because the cookie is stored on the client side. But a cookie can be freely edited on the client with the browser, which creates the risk of forged user cookies: a forger who can fabricate the cookie could log in to any user's account.

Here are some common methods to prevent forgery of the user login cookie:

1. Cookie information encryption method
The cookie information encryption method encrypts the user information before storing it in the cookie. This way, even if a forger obtains a cookie, they can only replay it within its validity period and cannot fabricate a cookie with different contents.

Here is an encryption function:

<?php

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    // Length of the dynamic key; the dynamic key is what makes the same
    // plaintext produce a different ciphertext each time
    $ckey_length = 4;

    // Key (falls back to the global Discuz key when none is passed)
    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);

    // Key a takes part in encryption and decryption
    $keya = md5(substr($key, 0, 16));
    // Key b is used for data integrity verification
    $keyb = md5(substr($key, 16, 16));
    // Key c varies the generated ciphertext
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    // Key actually used in the computation
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    // Plaintext layout: the first 10 bytes hold the expiry timestamp (checked on decryption),
    // bytes 10 to 26 hold a digest made with $keyb (key b), which is checked on decryption
    // to verify data integrity, and the payload follows.
    // When decoding, start from position $ckey_length, because the first $ckey_length
    // bytes of the ciphertext hold the dynamic key needed to decrypt correctly
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    // Build the key schedule
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Shuffle the key schedule with a fixed algorithm to add randomness; it looks
    // complex, but it does not actually increase the strength of the ciphertext
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Core encryption/decryption loop
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        // Take a key byte from the schedule, XOR it with the input byte, convert back to a character
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        // Verify data validity; see the layout of the unencrypted plaintext above
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        // Store the dynamic key inside the ciphertext; this is why the same plaintext can
        // produce different ciphertexts that all still decrypt.
        // The ciphertext may contain special characters that get lost when copied, so base64-encode it
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

$str = 'abcdef';
$key = 'www.phpskill.com';
echo $jm = authcode($str, 'ENCODE', $key, 0); // encrypt
echo "\n";
echo authcode($jm, 'DECODE', $key, 0); // decrypt

?>

With this function, the user information cookie is set as follows and cannot be forged on the client:

<?php

$user = array("uid" => $uid, "username" => $username);
$user = base64_encode(serialize($user));
$user = authcode($user, 'ENCODE', 'www.phpskill.com', 0); // encrypt
setcookie("user", $user, time() + 3600 * 24);

?>
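The tutorial shows only the write side. The part that actually stops a forged cookie is the read side: on every request the server must run the cookie back through authcode() and refuse it when the integrity check fails. The following is an added example, not code from the original tutorial. It assumes the authcode() function from this page has been loaded, reuses the secret 'www.phpskill.com' from the page, and the cookie value and the tampering step at the bottom are constructed for the demonstration.

```php
<?php
// Assumed: the authcode() function defined earlier on this page is available here.
// require 'authcode.php';

// Assumed: the same secret that was used when the cookie was set.
const COOKIE_SECRET = 'www.phpskill.com';

/**
 * Return the user array carried by the "user" cookie, or null if the cookie is
 * missing, fails authcode()'s expiry/integrity check, or does not unserialize
 * into the expected shape. $cookies is normally $_COOKIE.
 */
function current_user_from_cookie(array $cookies): ?array
{
    if (!isset($cookies['user']) || !is_string($cookies['user'])) {
        return null;
    }

    // authcode() returns '' when the embedded MD5 digest or the expiry check fails;
    // that is what rejects a cookie edited on the client.
    $plain = authcode($cookies['user'], 'DECODE', COOKIE_SECRET, 0);
    if ($plain === '') {
        return null;
    }

    $raw = base64_decode($plain, true);
    if ($raw === false) {
        return null;
    }

    // allowed_classes => false: the cookie must only ever carry a plain array, never an
    // object, so unserialize() cannot be used to instantiate arbitrary classes.
    $user = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($user) || !isset($user['uid'], $user['username'])) {
        return null;
    }

    return ['uid' => (int) $user['uid'], 'username' => (string) $user['username']];
}

// Constructed round trip so the file can be run on its own.
$cookieValue = authcode(base64_encode(serialize(['uid' => 42, 'username' => 'alice'])), 'ENCODE', COOKIE_SECRET, 0);
var_dump(current_user_from_cookie(['user' => $cookieValue]));   // the uid/username array

// Change one character in the middle of the cookie: after decryption the embedded digest
// no longer matches the payload, authcode() returns '' and the request is anonymous.
$tampered = substr_replace($cookieValue, $cookieValue[20] === 'A' ? 'B' : 'A', 20, 1);
var_dump(current_user_from_cookie(['user' => $tampered]));      // NULL
```

The function returns null for every failure so the caller has a single branch to write: treat a null as "not logged in" and never fall back to trusting the raw cookie fields.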

2. Protect cookies with encryption tokens

$hash = md5($uid . time()); // token value
$hash_expire = time() + 3600 * 24; // token is valid for one day
$user = array("uid" => $uid, "username" => $username, "hash" => $hash);
$user = base64_encode(serialize($user));
setcookie("user", $user, $hash_expire); // the original read $hash_expr, an undefined variable; corrected to $hash_expire

Then store $hash and $hash_expire in the hash and hash_expire fields of the member table (they can also be kept in NoSQL or in the session).

When a user forges a cookie, the hash cannot be forged: a forged hash will not match the one stored in the database.

Each time the user logs in, the hash value is left unchanged while hash_expire has not passed; once it has expired, a new hash is generated.
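The scheme only works if the server does the lookup on every request, which the tutorial describes in prose but does not show. Here is an added example of both halves, the login that issues or reuses the token and the per-request check, not code from the original tutorial. It assumes a member table with hash and hash_expire columns as the text describes and simulates it with an in-memory SQLite database so the file runs stand-alone. Two things differ from the page's snippet and are labelled in the code: the token is generated with random_bytes() instead of md5($uid.time()), because time() is guessable, and the comparison uses hash_equals().

```php
<?php
const TOKEN_LIFETIME = 3600 * 24; // one day, as in the tutorial

function open_member_db(): PDO
{
    // Assumed schema; a real application would use its existing member table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (uid INTEGER PRIMARY KEY, username TEXT, hash TEXT, hash_expire INTEGER)');
    $db->exec("INSERT INTO member (uid, username, hash, hash_expire) VALUES (42, 'alice', '', 0)");
    return $db;
}

/**
 * Called on login: reuse the stored token while hash_expire is still in the future,
 * otherwise issue a fresh one and persist it. Returns the cookie payload to set.
 */
function issue_login_cookie(PDO $db, int $uid, string $username, int $now): string
{
    $stmt = $db->prepare('SELECT hash, hash_expire FROM member WHERE uid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("unknown uid $uid");
    }

    $hash = (string) $row['hash'];
    $expire = (int) $row['hash_expire'];
    if ($hash === '' || $expire <= $now) {
        // Swapped in for md5($uid.time()): 128 bits from the CSPRNG, not derivable from the clock
        $hash = bin2hex(random_bytes(16));
        $expire = $now + TOKEN_LIFETIME;
        $upd = $db->prepare('UPDATE member SET hash = ?, hash_expire = ? WHERE uid = ?');
        $upd->execute([$hash, $expire, $uid]);
    }

    $user = ['uid' => $uid, 'username' => $username, 'hash' => $hash];
    // The caller then does: setcookie("user", $payload, $expire);
    return base64_encode(serialize($user));
}

/**
 * Called on every request: the cookie is trusted only if its hash matches the one
 * stored for that uid and the stored expiry has not passed.
 */
function verify_login_cookie(PDO $db, string $cookie, int $now): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    $user = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($user) || !isset($user['uid'], $user['username'], $user['hash'])) {
        return null;
    }

    $stmt = $db->prepare('SELECT hash, hash_expire FROM member WHERE uid = ?');
    $stmt->execute([(int) $user['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['hash_expire'] <= $now) {
        return null;
    }
    // hash_equals(): constant-time comparison, so the response time does not reveal
    // how many leading characters of a guessed hash were right
    if ($row['hash'] === '' || !hash_equals((string) $row['hash'], (string) $user['hash'])) {
        return null;
    }
    return ['uid' => (int) $user['uid'], 'username' => (string) $user['username']];
}

// Constructed demo run.
$db = open_member_db();
$now = time();
$cookie = issue_login_cookie($db, 42, 'alice', $now);
var_dump(verify_login_cookie($db, $cookie, $now) !== null);                        // true: valid cookie
$forged = base64_encode(serialize(['uid' => 42, 'username' => 'alice', 'hash' => str_repeat('0', 32)]));
var_dump(verify_login_cookie($db, $forged, $now) !== null);                        // false: hash differs from the DB row
var_dump(verify_login_cookie($db, $cookie, $now + TOKEN_LIFETIME + 1) !== null);   // false: hash_expire has passed
var_dump(issue_login_cookie($db, 42, 'alice', $now + 60) === $cookie);             // true: same token reused within the day
```

Note that the uid and username in this cookie are still plaintext; what makes them trustworthy is only that the accompanying hash matches the server-side row for that uid, so the check must always key the lookup on the uid from the cookie and then compare the hash, never the other way round.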

Original text reprinted at: http://www.phpskill.com/html/show-1-4424-1.html
