php cookie防篡改

I use this code on my website:

<?php
$pass = "61e7680d2ac47e5b9e3c82118fae6e3cfcddff285ac75bb82872bb01f24ac657";
function valCookie(){
    if (isset($_COOKIE['session'])){
        $cookie = json_decode(hex2bin($_COOKIE['session']), true);
        global $pass;
        $hash = hash('sha256', $_SERVER['REMOTE_ADDR'] . $cookie['uid'] . 
        $cookie['expiry'] . $pass);
        $uid = $cookie['uid'];
        if ((hash_unique($hash, $cookie['hash'])) && ($cookie['expiry'] > time())){
            return $uid; //return user id.
            }
        }
    }
function hashCookie($uid, $expiry){
    global $pass;
    $cookie['uid'] = $uid;
    $cookie['expiry'] = $expiry;
    $cookie['hash'] = hash('sha256', $_SERVER['REMOTE_ADDR'] . $cookie['uid'] . 
    $cookie['expiry'] . $pass);
    $hexCookie = bin2hex(json_encode($cookie));
    setcookie("session", $hexCookie, $expiry);
    if(strlen($uid)){
        return true;
        }
    }
?>

Is it safe to use this to tamper-proof my cookies? I include the time in the hashing to expire the cookie. is this a secure way of doing it?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douyue8364 2018-10-04 05:43
关注
It's generally a bad idea to roll your own crypto.

Is it safe to use this to tamper-proof my cookies? I include the time in the hashing to expire the cookie. is this a secure way of doing it?

No, you're using a SHA256 hash of values that can largely be provided by attackers instead of HMAC-SHA256. Without HMAC, SHA256 is vulnerable to length-extension attacks.

Instead, consider (in order of preference):

PASETO, which provides tamper-resistant tokens with a high security margin. The only downside is that they're not immune to replay attacks.

JWT, with HS256. The linked library will allow you to securely only ever allow HS256, thereby side-stepping 99.9% of JWT security fails.

Halite's Cookie class. Halite is a usability wrapper for libsodium, a modern cryptography library that now ships with PHP 7.2.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP读取cookie php
2022-07-17 17:45

回答 1 已采纳 username 改成zl
PHP迭代cookie数组 javascript jquery php
2019-06-20 10:32

回答 1 已采纳 The solution was much simpler than I actually thought... I did it with JQuery like this: .......
PHP无法读取javascript cookie javascript php
2015-07-28 09:21

回答 3 已采纳 <!DOCTYPE html> <html> <head> <title>example</title> <s
php cookie防伪造,Cookie 防伪造防修改
2021-04-22 09:28

Ruogo的博客主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+ signToken+“”+saveTime+“”+maxTime)signToken ...
Cookie在PHP过期之前被删除 php
2018-08-03 09:13

回答 1 已采纳 So, The problem was the connection to database, It was unsuccessful...
PHP拒绝接受cookie firefox html php
2016-06-24 13:47

回答 1 已采纳 Your script looks like that youre redirecting in a circle. Main.php-> main.php -> main.php a
PHP Cookie为1天 php
2015-07-16 09:47

回答 1 已采纳 setcookie("CookieName", $CookieValue, time()+86400); This will set a cookie for 24 hours. You ca
php cookie防伪造,Cookie防伪造防修改
2021-04-22 09:29

tommmaso的博客主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+signToken+“”+saveTime+“”+maxTime)signToken：...
浏览器窗口关闭PHP时销毁cookie php
2018-07-05 08:12

回答 3 已采纳 Ideally cookie created through SETCOOKIE function in PHP with its expire time 0, it will be delete
禁用cookie的php setcookie行为 php
2016-08-25 14:45

回答 3 已采纳 Cookies are sent via http header. Headers can ALWAYS be sent. Whether they're accepted/ignored is
用PHP读取Javascript cookie javascript php
2014-04-21 21:54

回答 2 已采纳 Ok I solved my issue apparently you can only read a cookie that was set on the same domain... #Duh
php cookie防伪造,技术分享：Cookie 防伪造防修改
2021-04-22 09:29

关灯拆电影的博客原标题：技术分享：Cookie 防伪造防修改主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+ sign...
无法检索php cookie值 php
2015-03-27 14:15

回答 3 已采纳 Finally I found the solution. The path parameter was missing in setcookie function. When I set th
php考试分数防止篡改,防篡改php文件校验程序
2021-04-21 08:26

机器人农场的博客 /*** 校验线上源文件是否和本地的一致* User: Administrator* Date: 2015/11/26* Time: 9:30*/include_once 'functions.php';class SrcVerifier{var $md5_files = array();var $total = 0;public function scan($dir...
【PHP基础-8】Cookie机制详解及Cookie身份认证应用案例
2022-04-06 11:03

像风一样9的博客目录1 Cookie 概述1.1 Cookie 机制1.2 什么是Cookie1.3 Cookie 认证机制1.4 Cookie 属性1.5 Cookie的安全性问题2 Cookie 应用2.1 Cookie 相关操作命令2.2 应用案例实验2.2.1 实验要求2.2.2 实验环境2.2.3 案例代码...
没有解决我的问题, 去提问

悬赏问题

¥20 有关区间dp的问题求解
¥15 多电路系统共用电源的串扰问题
¥15 slam rangenet++配置
¥15 有没有研究水声通信方面的帮我改俩matlab代码
¥15 对于相关问题的求解与代码
¥15 ubuntu子系统密码忘记
¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
¥15 保护模式-系统加载-段寄存器
¥15 电脑桌面设定一个区域禁止鼠标操作
¥15 求NPF226060磁芯的详细资料

php cookie防篡改

1条回答 默认 最新

悬赏问题

1条回答默认最新