dongwuge6201 2012-07-18 09:46
浏览 59
已采纳

如何实现雅虎/ Facebook,如客户端计算机特定的Sing-in密封,以保护客户免受网络钓鱼攻击?

We want to implement sign in seal to reduce risk of phishing attacks on client. We want client to know that he is on our site rather than some replica of our site. Some web search got us example of Yahoo Sign-in-seal feature. Can you guys guide me on implementing such a system?

Details I would like to have suggestions on are specifically database design and whether mechanism will work with cookies or something else, and are there beter solutions for our requirement than Yahoo sign-in seal.

  • 写回答

1条回答 默认 最新

  • drvxclagw656708070 2012-07-18 10:00
    关注

    Have an area of the site where the user can enter some text or select an image. Store this result in your database against the users ID.

    Once this is done, encrypt this value and set it in a cookie.

    // Set a secret key
define('SECRET_KEY', 'HNBG:^yhCY*1omNhRg&');
// Sign in text - get this from the users row in the database
$signinSeal = 'Hello, User!';

// Encrypt value
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($ivSize, MCRYPT_RAND);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SECRET_KEY, $signinSeal, MCRYPT_MODE_ECB, $iv);
// Concat with IV - base64 so it can be safely sent
$encrypted = base64_encode($iv) . '|' . base64_encode($encrypted);

// Set in a cookie - mark as HTTP only to prevent it being stolen in an XSS attack
setcookie('signinSeal', $encrypted, time() + (60 * 60 * 24 * 30), '/', 'example.com', false, true);

    Now when a user visits your login page, check for the presence of 'signinSeal' cookie, base64 decode it, decrypt and display

    if (array_key_exists('signinSeal', $_COOKIE) && !empty($_COOKIE['signinSeal'])) {
    // Split IV and encrypted string
    $fields = explode('|', $_COOKIE['signinSeal']);
    $iv = base64_decode($fields[0]);
    $encrypted = base64_decode($fields[1]);
    // Decrypt value
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SECRET_KEY, $encrypted, MCRYPT_MODE_ECB, $iv);

    // And display to the user
    echo htmlspecialchars($decrypted);
}

    Once they've logged in - I would set the cookie again, to make sure it doesn't expire

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?