We want to implement sign in seal to reduce risk of phishing attacks on client. We want client to know that he is on our site rather than some replica of our site. Some web search got us example of Yahoo Sign-in-seal feature. Can you guys guide me on implementing such a system?
Details I would like to have suggestions on are specifically database design and whether mechanism will work with cookies or something else, and are there beter solutions for our requirement than Yahoo sign-in seal.
分享 Have an area of the site where the user can enter some text or select an image. Store this result in your database against the users ID.
Once this is done, encrypt this value and set it in a cookie.
// Set a secret key
define('SECRET_KEY', 'HNBG:^yhCY*1omNhRg&');
// Sign in text - get this from the users row in the database
$signinSeal = 'Hello, User!';
// Encrypt value
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($ivSize, MCRYPT_RAND);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SECRET_KEY, $signinSeal, MCRYPT_MODE_ECB, $iv);
// Concat with IV - base64 so it can be safely sent
$encrypted = base64_encode($iv) . '|' . base64_encode($encrypted);
// Set in a cookie - mark as HTTP only to prevent it being stolen in an XSS attack
setcookie('signinSeal', $encrypted, time() + (60 * 60 * 24 * 30), '/', 'example.com', false, true);
Now when a user visits your login page, check for the presence of 'signinSeal' cookie, base64 decode it, decrypt and display
if (array_key_exists('signinSeal', $_COOKIE) && !empty($_COOKIE['signinSeal'])) {
// Split IV and encrypted string
$fields = explode('|', $_COOKIE['signinSeal']);
$iv = base64_decode($fields[0]);
$encrypted = base64_decode($fields[1]);
// Decrypt value
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SECRET_KEY, $encrypted, MCRYPT_MODE_ECB, $iv);
// And display to the user
echo htmlspecialchars($decrypted);
}
Once they've logged in - I would set the cookie again, to make sure it doesn't expire
分享
