php cookie防篡改

I use this code on my website:

<?php
$pass = "61e7680d2ac47e5b9e3c82118fae6e3cfcddff285ac75bb82872bb01f24ac657";
function valCookie(){
    if (isset($_COOKIE['session'])){
        $cookie = json_decode(hex2bin($_COOKIE['session']), true);
        global $pass;
        $hash = hash('sha256', $_SERVER['REMOTE_ADDR'] . $cookie['uid'] . 
        $cookie['expiry'] . $pass);
        $uid = $cookie['uid'];
        if ((hash_unique($hash, $cookie['hash'])) && ($cookie['expiry'] > time())){
            return $uid; //return user id.
            }
        }
    }
function hashCookie($uid, $expiry){
    global $pass;
    $cookie['uid'] = $uid;
    $cookie['expiry'] = $expiry;
    $cookie['hash'] = hash('sha256', $_SERVER['REMOTE_ADDR'] . $cookie['uid'] . 
    $cookie['expiry'] . $pass);
    $hexCookie = bin2hex(json_encode($cookie));
    setcookie("session", $hexCookie, $expiry);
    if(strlen($uid)){
        return true;
        }
    }
?>

Is it safe to use this to tamper-proof my cookies? I include the time in the hashing to expire the cookie. is this a secure way of doing it?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douyue8364 2018-10-04 05:43
关注
It's generally a bad idea to roll your own crypto.

Is it safe to use this to tamper-proof my cookies? I include the time in the hashing to expire the cookie. is this a secure way of doing it?

No, you're using a SHA256 hash of values that can largely be provided by attackers instead of HMAC-SHA256. Without HMAC, SHA256 is vulnerable to length-extension attacks.

Instead, consider (in order of preference):

PASETO, which provides tamper-resistant tokens with a high security margin. The only downside is that they're not immune to replay attacks.

JWT, with HS256. The linked library will allow you to securely only ever allow HS256, thereby side-stepping 99.9% of JWT security fails.

Halite's Cookie class. Halite is a usability wrapper for libsodium, a modern cryptography library that now ships with PHP 7.2.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP读取cookie php
2022-07-17 17:45

回答 1 已采纳 username 改成zl
PHP迭代cookie数组 javascript jquery php
2019-06-20 10:32

回答 1 已采纳 The solution was much simpler than I actually thought... I did it with JQuery like this: .......
PHP无法读取javascript cookie javascript php
2015-07-28 09:21

回答 3 已采纳 <!DOCTYPE html> <html> <head> <title>example</title> <s
php cookie防伪造,Cookie 防伪造防修改
2021-04-22 09:28

Ruogo的博客主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+ signToken+“”+saveTime+“”+maxTime)signToken ...
Cookie在PHP过期之前被删除 php
2018-08-03 09:13

回答 1 已采纳 So, The problem was the connection to database, It was unsuccessful...
PHP拒绝接受cookie firefox html php
2016-06-24 13:47

回答 1 已采纳 Your script looks like that youre redirecting in a circle. Main.php-> main.php -> main.php a
PHP Cookie为1天 php
2015-07-16 09:47

回答 1 已采纳 setcookie("CookieName", $CookieValue, time()+86400); This will set a cookie for 24 hours. You ca
php cookie防伪造,Cookie防伪造防修改
2021-04-22 09:29

tommmaso的博客主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+signToken+“”+saveTime+“”+maxTime)signToken：...
浏览器窗口关闭PHP时销毁cookie php
2018-07-05 08:12

回答 3 已采纳 Ideally cookie created through SETCOOKIE function in PHP with its expire time 0, it will be delete
禁用cookie的php setcookie行为 php
2016-08-25 14:45

回答 3 已采纳 Cookies are sent via http header. Headers can ALWAYS be sent. Whether they're accepted/ignored is
用PHP读取Javascript cookie javascript php
2014-04-21 21:54

回答 2 已采纳 Ok I solved my issue apparently you can only read a cookie that was set on the same domain... #Duh
php cookie防伪造,技术分享：Cookie 防伪造防修改
2021-04-22 09:29

关灯拆电影的博客原标题：技术分享：Cookie 防伪造防修改主要防止非法用户修改cookie信息，以及cookie的超时时间传统cookie存储，Cookie(name, value)，value很容易就被篡改。防修改cookie存储，Cookie(name, value+“”+ sign...
无法检索php cookie值 php
2015-03-27 14:15

回答 3 已采纳 Finally I found the solution. The path parameter was missing in setcookie function. When I set th
php考试分数防止篡改,防篡改php文件校验程序
2021-04-21 08:26

机器人农场的博客 /*** 校验线上源文件是否和本地的一致* User: Administrator* Date: 2015/11/26* Time: 9:30*/include_once 'functions.php';class SrcVerifier{var $md5_files = array();var $total = 0;public function scan($dir...
【PHP基础-8】Cookie机制详解及Cookie身份认证应用案例
2022-04-06 11:03

像风一样9的博客目录1 Cookie 概述1.1 Cookie 机制1.2 什么是Cookie1.3 Cookie 认证机制1.4 Cookie 属性1.5 Cookie的安全性问题2 Cookie 应用2.1 Cookie 相关操作命令2.2 应用案例实验2.2.1 实验要求2.2.2 实验环境2.2.3 案例代码...
没有解决我的问题, 去提问

悬赏问题

¥15 unity第一人称射击小游戏，有demo，在原脚本的基础上进行修改以达到要求
¥15 买了个传感器，根据商家发的代码和步骤使用但是代码报错了不会改，有没有人可以看看
¥15 关于#Java#的问题，如何解决？
¥15 加热介质是液体，换热器壳侧导热系数和总的导热系数怎么算
¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
¥15 cmd cl 0x000007b
¥20 BAPI_PR_CHANGE how to add account assignment information for service line
¥500 火焰左右视图、视差（基于双目相机）
¥100 set_link_state
¥15 虚幻5 UE美术毛发渲染

php cookie防篡改

1条回答 默认 最新

悬赏问题

1条回答默认最新