How to add token authentication in PHP controller
```php
// Token generation as used in a ThinkPHP controller/behavior.
// C() reads ThinkPHP configuration; IS_AJAX is ThinkPHP's AJAX-request constant.
function getToken() {
    $tokenName = C('TOKEN_NAME', null, '__hash__');   // form field / session key
    $tokenType = C('TOKEN_TYPE', null, 'md5');        // hash function used
    if (!isset($_SESSION[$tokenName])) {
        $_SESSION[$tokenName] = array();
    }
    // One token per page, keyed by the request URI
    $tokenKey = md5($_SERVER['REQUEST_URI']);
    if (isset($_SESSION[$tokenName][$tokenKey])) {
        // Same page: reuse the existing token instead of generating a new one
        $tokenValue = $_SESSION[$tokenName][$tokenKey];
    } else {
        $tokenValue = is_callable($tokenType) ? $tokenType(microtime(true)) : md5(microtime(true));
        $_SESSION[$tokenName][$tokenKey] = $tokenValue;
        // AJAX requests receive the token in a response header
        if (IS_AJAX && C('TOKEN_RESET', null, true)) {
            header($tokenName . ': ' . $tokenKey . '_' . $tokenValue);
        }
    }
    return array($tokenName, $tokenKey, $tokenValue);
}
```
PHP forms add token validation to prevent off-site submission/double submission/double click submission
```php
<?php
@session_start();

if ($_POST) {
    if (isset($_POST['privatetoken'], $_SESSION['token'])
        && $_POST['privatetoken'] == $_SESSION['token']) {
        unset($_SESSION['token']);   // one-time token: a re-submission fails
        echo 'submit legally';
    } else {
        echo 'novalite';             // no valid token
    }
}

// Issue a fresh token for the form rendered below
$token = md5(getrandcode());
$_SESSION['token'] = $token;

function getrandcode() {
    $str = array(1, 2, 3, 4, 5, 6, 7, 8, 9, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h');
    $res = '';
    for ($i = 0; $i < 4; $i++) {
        $rand = mt_rand(0, count($str) - 1);
        $res .= $str[$rand];
    }
    return $res;
}
?>
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>form</title>
</head>
<body>
<form action="form.php" method="post">
    url: <input type="text" name="urlist" />
    <input type="hidden" name="privatetoken" value="<?php echo $token; ?>" />
    <br />
    <input type="submit" value="tijiao" />
</form>
</body>
</html>
```
– A session token is not regenerated when the form submission is emulated.
A token is characterized by randomness and unpredictability: an ordinary attacker or automated tool cannot guess it.
So what does a token do, and how does it work?
Tokens are generally used for two purposes: to prevent duplicate form submission and to counter CSRF (cross-site request forgery) attacks.
Both are implemented in principle through session tokens. When a client requests a page, the server generates a random number Token, places the Token in a session, and then sends the Token to the client (typically by constructing a hidden form). The next time the client submits a request, the Token is submitted to the server side along with the form.
Then, if it is applied to anti-CSRF attacks, the server verifies the Token value to check whether it is the same as the Token value in the session. If the Token value is the same, the request is valid and not forged.
However, if it is applied to "preventing repeated form submission", the server also updates the Token stored in the session after each successful validation. If the user submits the form again, the second validation fails, because the Token in the submitted form has not changed while the Token in the server-side session has.
The session-based approach above is relatively secure but cumbersome. With many pages and many requests, many tokens must be generated at the same time, which consumes more resources and reduces execution efficiency. Therefore, a cookie can be used to store the validation information instead of a session token. For example, in the "duplicate submission" case, the submitted information is written to a cookie after the first submission, and the second submission fails because the cookie already records that the form was submitted.
However, cookie storage has an Achilles heel: if the cookies are hijacked (an XSS attack makes it easy to obtain a user's cookies), then it is game over again, and the attacker can carry out the CSRF attack directly.
```php
<?php
session_start();

function set_token() {
    $_SESSION['token'] = md5(microtime(true));
}

// Compare the submitted token with the session copy, then rotate the token
// so that the same form cannot be submitted twice
function valid_token() {
    $return = isset($_REQUEST['token']) && $_REQUEST['token'] === $_SESSION['token'];
    set_token();
    return $return;
}

// If there is no token yet, create one
if (!isset($_SESSION['token']) || $_SESSION['token'] == '') {
    set_token();
}

if (isset($_POST['test'])) {
    if (!valid_token()) {
        echo "token error";
    } else {
        // escape user input before echoing it back
        echo htmlspecialchars($_POST['test'], ENT_QUOTES, 'UTF-8');
    }
}
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
    <input type="text" name="test" value="Default">
    <input type="submit" value="submit" />
</form>
```
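The session-token scheme explained above, written out as an added example that is not code from the original article: the token comes from `random_bytes()` rather than `md5(microtime())`, whose input is guessable, the comparison uses `hash_equals()`, and one validate function covers both uses by taking a flag that says whether to consume the token (anti-duplicate) or keep it (anti-CSRF only). The function names, the `url_form` key and the `$_SESSION['tokens']` layout are my own choices.

```php
<?php
// Added example: session-stored tokens for anti-CSRF and anti-duplicate submission.
session_start();

// Return the token for one form ($formKey), creating it if this page has none yet.
// random_bytes() is unpredictable; md5(microtime()) is not.
function issue_token(string $formKey): string
{
    $_SESSION['tokens'][$formKey] ??= bin2hex(random_bytes(32));
    return $_SESSION['tokens'][$formKey];
}

// Validate the submitted token against the session copy.
// $consume = true removes it so a second submission of the same form fails
// (anti-duplicate); false keeps it so the page still works in other tabs (anti-CSRF only).
function validate_token(string $formKey, $submitted, bool $consume = true): bool
{
    $expected = $_SESSION['tokens'][$formKey] ?? null;
    if ($expected === null || !is_string($submitted)) {
        return false;                       // no token issued, or malformed input
    }
    // hash_equals() is a constant-time comparison; == is not
    $ok = hash_equals($expected, $submitted);
    if ($ok && $consume) {
        unset($_SESSION['tokens'][$formKey]);
    }
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (validate_token('url_form', $_POST['token'] ?? null)) {
        echo 'submission accepted';
    } else {
        echo 'invalid or reused token';     // forged request or double submission
    }
}

$token = issue_token('url_form');           // fresh token after a consumed one
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    url: <input type="text" name="urlist">
    <input type="submit" value="submit">
</form>
```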
That is all the content of this article. Thank you for reading; I hope it helps you.