doufei1852 2014-01-07 14:25
浏览 88
已采纳

PHP用户通过电子邮件验证

I'm working on a php/laravel-4 project, and we need to auto authenticate users coming from the links in the emails we send them, we need to have time limit for links so a link in email would not authenticate after the expire time is passed, I've come to this approach but I have some doubts about it's security:

first I make a md5 hash using user's email, timestamp and a secret key like this:

$timestamp = time();
$hash = md5($email . $timestamp . $secret_key);

then I can generate a url like this:

$url = "http://www.example.com/url?email={$email}&hash={$hash}&timestamp={$timestamp}

so then I can check the timestamp (for time validation) and regenerate the hash and authenticate the user with the provided email, do you think it has any security flaw? if yes please suggest me the secure method.

  • 写回答

4条回答 默认 最新

  • dsyk33753 2014-01-07 18:28
    关注

    I would not do that. What I would do:

    Create a table for your links:

    public function up()
{
    Schema::create('login', function($table) {
        $table->string('id')->primary();

        $table->string('user_id');

        $table->timestamps();
    });
}

    Every time you generate a link you add a line to this table:

    $user = User::find(1);

$login = Login::create(['id' => Login::generateID(), 'user_id' => $user->id]);

$url = "http://www.example.com/url?login_id={$login->id}"

    Then when your user click the link you can automatically log him in, also, immediatelly invalidate that link:

    $login = Login::findOrFail(Input::get('login_id'));

$user = User::find($login->user_id);

Auth::login($user);

$login->delete();

    And create an Artisan Command to periodiacally delete old records on that table:

    Login::where('created_at', '<=', Carbon\Carbon::now()->subDays(2))->delete();

    This can be the code for generateID(), it's a basic UUID code generation:

    public static function v4() 
{
    return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',

    // 32 bits for "time_low"
    mt_rand(0, 0xffff), mt_rand(0, 0xffff),

    // 16 bits for "time_mid"
    mt_rand(0, 0xffff),

    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    mt_rand(0, 0x0fff) | 0x4000,

    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    mt_rand(0, 0x3fff) | 0x8000,

    // 48 bits for "node"
    mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );
}

    No strings attached to anything on your system.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥20 测距传感器数据手册i2c
  • ¥15 RPA正常跑,cmd输入cookies跑不出来
  • ¥15 求帮我调试一下freefem代码
  • ¥15 matlab代码解决,怎么运行
  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法