PHP form token usage and handling

Front-end · unresolved · 3 answers · 2074 views
日久生厌 2020-11-30 22:55

I'm a beginner working on a login script in PHP. This is the form token statement that I have so far:

$_SESSION["form_token"] = md5(rand(time(), true));


        
3 answers
  •  情话喂你 2020-11-30 23:49

    This is to prevent CSRF attacks:

    http://en.wikipedia.org/wiki/Cross-site_request_forgery

    A malicious site could theoretically display a form that posts to your application. The form might contain instructions that cause a data breach or some unwanted action. The user might be deceived into submitting the form, which the app would accept because the user is already logged in. A form token ensures the form was created by your site and not some other site.

    Checking the HTTP_REFERER is often good enough, but not as complete a solution (HTTPS, for instance, won't send the referrer string).

    If you really want to secure all forms with a token, you can create some convenience functions like emitToken() and checkToken() that will make it work site-wide.

    Some examples:

    http://phpsec.org/projects/guide/2.html

    http://www.rodsdot.com/php/CSRF_Form_Protection.php
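
The emitToken()/checkToken() pair suggested in the answer above, written out as an added example (this is not code from the original thread or from the linked guides). It assumes a started PHP session on a real page, uses random_bytes() instead of md5(rand()) so the token is unpredictable, and compares with hash_equals() so the check is constant-time. The session key and field name `form_token` are taken from the question; the CLI self-test at the bottom is part of the example and substitutes an in-memory $_SESSION array.

```php
<?php
// Added example: per-session CSRF token helpers for PHP forms.
// Assumes session_start() has already run on a real page; when executed
// from the CLI the self-test below replaces $_SESSION with a plain array.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'form_token';   // session slot, name from the question
const CSRF_FIELD_NAME  = 'form_token';   // hidden input name, chosen for this example

/** Return the session's CSRF token, generating it with a CSPRNG on first use. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY]) || !is_string($_SESSION[CSRF_SESSION_KEY])) {
        // random_bytes() is cryptographically secure; md5(rand()) is guessable
        // because rand() is seeded predictably and time() is known to the attacker.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Build the hidden <input> that carries the token inside a <form>. */
function tokenField(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

/** Echo the hidden token field; call this inside every form your site renders. */
function emitToken(): void
{
    echo tokenField();
}

/** Verify a submitted token against the session; true only on an exact match. */
function checkToken(array $post): bool
{
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;   // no token issued yet, or a non-string value was posted
    }
    // hash_equals() avoids leaking the token through comparison timing.
    return hash_equals($expected, $submitted);
}

/** Discard the current token so a fresh one is issued (use after login/logout). */
function rotateToken(): void
{
    unset($_SESSION[CSRF_SESSION_KEY]);
}

// --- Usage on a real page (handler for POST /login) ---
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !checkToken($_POST)) {
//     http_response_code(403);
//     exit('Invalid form token');
// }
// echo '<form method="post" action="/login">';
// emitToken();
// echo '... username/password fields ... </form>';

// --- Self-test when run from the CLI: php csrf.php ---
if (PHP_SAPI === 'cli') {
    $_SESSION = [];                                   // stand-in for a started session
    $field = tokenField();                            // first call issues the token
    $good  = [CSRF_FIELD_NAME => csrfToken()];        // what the legitimate form posts
    $bad   = [CSRF_FIELD_NAME => 'attacker-supplied'];// what a forged cross-site form posts
    $ok = checkToken($good)
        && !checkToken($bad)
        && !checkToken([])                            // missing field
        && strpos($field, 'name="form_token"') !== false;
    echo $ok ? "ok\n" : "FAIL\n";
    exit($ok ? 0 : 1);
}
```

Two design points worth noting: the token lives only in the session and never in a cookie the browser would send automatically, which is what makes it effective against a cross-site form post; and rotateToken() after a successful login (alongside session_regenerate_id()) prevents a token issued to an anonymous session from remaining valid once the user is authenticated.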
