dt2002 2010-01-28 07:02
浏览 33
已采纳

安全令牌流程

I am currently in the mist of developing a website using PHP and MYSQL. It is a private website therefore registrations must be allowed using emails. In simple terms if a new user has to be registered, the administrator has to go into the system and add an email address to be registered.

What I want to do is to create a token or a pass value when this does happen.

Here are the steps:

  1. Administrator adds an email to the system
  2. A unique token value is created (e.g. 1234567890)
  3. The token value is then sent to the users email
  4. the user goes on the link provided and enters his email and the token value
  5. If Success - User is allowed to register
  6. If Fail! - Token is regenerated and send again to that email address

What I really want to know is what would be the best practice to create a token and how can we ensure to create a unique token every time an email is registered.

For further security can I ensure that each token only live for a couple of hours. But would this prevent unauthorized access into the system, or this is a bad idea for securing my website?

My thoughts of creating a unique token: Use hashing algorithms that use SALT so the results cannot be predicted or decrypted (Problems with MD5)

Any help or a lead towards the right direction would be greatfull.

  • 写回答

1条回答 默认 最新

  • duan19913 2010-01-28 15:18
    关注

    I like this method of generating a cryptographically secure pseudo-random number generator or (CSPRNG) for PHP. It was written by Scott:

    <?php
   function crypto_rand_secure($min, $max) {
        $range = $max - $min;
        if ($range < 0) return $min; // not so random...
        $log = log($range, 2);
        $bytes = (int) ($log / 8) + 1; // length in bytes
        $bits = (int) $log + 1; // length in bits
        $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
            $rnd = $rnd & $filter; // discard irrelevant bits
        } while ($rnd >= $range);
        return $min + $rnd;
}

function getToken($length=32){
    $token = "";
    $codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
    $codeAlphabet.= "0123456789";
    for($i=0;$i<$length;$i++){
        $token .= $codeAlphabet[crypto_rand_secure(0,strlen($codeAlphabet))];
    }
    return $token;
}
?>

    In terms of adding a timeout, I recommend taking care of this in the database. Add a column that is called like registration_timeout and then use mysql's addtime() function to set this colmn to the current time stamp + however long you want the timeout to be.

    Also keep in mind that temporary email accounts are trivial to use (http://www.mailinator.com , http://www.guerrillamail.com, ect...), so asking for someone to register an email account doesn't mean anything. Further more a user account could end up on http://www.bugmenot.com .

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

  • 安全令牌流程 php
    2010-01-28 07:02
    回答 1 已采纳 I like this method of generating a cryptographically secure pseudo-random number generator or (CSP
  • PHP会话令牌用于表单安全 php
    2016-02-13 00:02
    回答 2 已采纳 The functionality of my code seemed fine in Safari, but other browsers mismatched the token. The
  • AngularJS安全令牌与会话 javascript php
    2015-07-09 20:55
    回答 1 已采纳 The idea of using tokens is to allow for a server to be completely stateless. The server just prov
  • php令牌桶,令牌桶限频(TokenBucket)
    2021-04-30 11:25
    weixin_39820226的博客 } } 总结 令牌桶频率限制是API接口设计中重要的安全策略之一,但是对于不同的业务和场景都应该使用最适合的方法(如登录密码错误,一天只能尝试五次,这种情况计数器限频就是更好的选择了),万事并无绝对。...
  • PHP:使用Post方法生成令牌 php
    2017-03-16 17:37
    回答 1 已采纳 Thanks all a lot for your hints, here is a script that is working : I hope that this script (and
  • php中的Firebase令牌验证 php
    2017-02-07 07:43
    回答 1 已采纳 How can i know wich public key should i use if the kid is encoded and for decode it i need that
  • PHP中加密的令牌 php
    2014-10-18 14:40
    回答 1 已采纳 as well as implement in other languages using the same technique i doubt that ,) Not an easy
  • PHP代码安全检测
    2017-09-05 11:26
    tammy1151的博客 代码审核不是简单的检查代码,审核代码的原因是确保代码能安全的做到对信息和资源进行足够的保护,所以熟悉整个应用程序的业务流程对于控制潜在的风险是非常重要的。审核人员可以使用类似下面的问题对开发者进行访谈...
  • 实现PHP会话令牌时出现问题 html php
    2018-08-29 15:41
    回答 1 已采纳 There's a few problems with your code: token.php needs to output the token. Which is as simple as
  • php使用令牌内部形式为什么令牌很重要 php
    2016-11-19 10:24
    回答 1 已采纳 Access token is one of protection patterns against CSRF attack. CSRF stands for Cross-site Request
  • PHP APNS一个令牌失败 ios php
    2013-06-11 13:17
    回答 1 已采纳 That's the way Apple implemented their push notifications (very annoying). If you send an invalid
  • PHP面试的流程及面试题
    2019-03-18 15:57
    Super乐的博客 答:我叫xxx,来自北京,20xx年毕业于xx大学计算机xx系,毕业后在xx从事了x年的php开发工作,公司是一个外包公司,主要做微信开发,公众号推广,商城,论坛的开发 你在公司负责那些项目? 答:由于我们公司是一个外包公司,...
  • CSRF令牌保护意义何在? csrf php
    2019-01-14 16:19
    回答 2 已采纳 The CSRF token is random and unique per session. Hence, an attacker can get the value of this toke
  • 管理API访问令牌的最佳安全实践
    2019-05-14 11:19
    花元的博客 本文将向API提供者和应用程序开发人员重点介绍,我们在管理访问令牌中的各种最佳安全实践。 管理API访问令牌 一、安全的第一原则 在我们处置安全性时,首先要考虑的一条原则是:不可相信任何人。如果您是一名API提.....
  • php 登录安全认证,介绍几种常用的web安全认证方式
    2021-04-26 12:57
    weixin_39531594的博客 本文为大家介绍了五种常用的web安全认证方式,具有一定的参考价值,希望能对大家有所帮助。1、Http Basic Auth这是一种最古老的安全认证方式,这种方式就是简单的访问API的时候,带上访问的username和password,由于...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 一直显示正在等待HID—ISP