PHP：保护会话变量/验证码的任何方法？

I've made some image validation. The user has to enter the code from the dynamically generated image.

This code is being used in the main php file:

@session_start();
if (isset($_POST['session_pw'])&&$_SESSION['result']==$_POST['security_im']) {
    $_SESSION['pw']=$_POST['session_pw'];
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['pw']=='mypassword'&&$_SESSION['ip'] == $_SERVER['REMOTE_ADDR']){

        // OK we are in.
    // Otherwise display a login form:
}else echo <<<EOD
    <form method="POST">
    <font color="blue"> Authorization is required:</font><br>
    <input type="text" name="security_im" style="text-align:right;padding-right:1px;background-repeat:no-repeat;background-image:url(../imagecheck.php)"><br>
    <input type="password" name="session_pw" style="text-align:right;padding-right:1px"><br>
    <input type="submit" style="margin:0px">
    </form>
EOD;

Note this:

background-image:url(../imagecheck.php)

This is how I call the generated image. And this is it's content:

<?php
session_start();
create_image();
exit();

function create_image() {
    $md5 = "";
    while (strlen($md5) == 0) {
        $md5 = md5(mt_rand());
        $md5 = preg_replace('/[^0-9]/', '', $md5);
    }
    $pass = substr($md5, 10, 5);
    $_SESSION['result'] = $pass;
    $width = 60;
    $height = 20;
    $image = ImageCreate($width, $height);

    //We are making three colors, white, black and gray
    $clr[1] = ImageColorAllocate($image, 204, 0, 204);
    $clr[2] = ImageColorAllocate($image, 0, 204, 204);
    $clr[3] = ImageColorAllocate($image, 204, 204, 0);

    $R = rand(1, 3);
    $black = ImageColorAllocate($image, 255, 255, 255);
    $grey = ImageColorAllocate($image, 204, 204, 204);

    //Make the background black
    ImageFill($image, 0, 0, $black);

    //Add randomly generated string in white to the image
    ImageString($image, 5, 7, 2, $pass, $clr[$R]);

    //Throw in some lines to make it a little bit harder for any bots to break
    imageline($image, 0, 0, $width - 2, $height - 2, $grey);
    imageline($image, 0, $height - 2, $width - 2, 0, $grey);
    ImageRectangle($image, 0, 0, $width - 1, $height - 1, $grey);

    //Tell the browser what kind of file is come in
    header("Content-Type: image/jpeg");
    //Output the newly created image in jpeg format
    ImageJpeg($image, null, 80);
    //Free up resources
    ImageDestroy($image);
}
?>

Note:

$_SESSION['result'] = $pass;

This is how I store key in the session.

Now, the problem is, the image can be potentially blocked, and the session key will not change from the last stored result. This means a huge threat. I wonder if there any protection or workaround possible?

Please answer only if you understand the question and security :-)

展开全部

写回答
好问题 0 提建议
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douzhi7754 2012-06-27 16:54
关注
You should be more concerned about caching than about blocked requests. Background images might not be refreshed until you include some Cache-Control headers etc.

What's more important is to prevent replays. To do so, you should have:

A timestamp value. And make the captcha validation refuse to accept older values.

Clear the captcha session state after one or two successful validations.

The background image not being loaded ("blocked") just means you won't have a valid token in the session store to begin with. That's not a problem, unless your verification logic is badly designed.

Lastly, the effectiveness of your captcha doesn't increase with random lines in the image. It's just as effective as uncommon your form structure is. Once a spider adapts to your custom variation, it's pretty simple to circumvent. The faux security lies in its obscurity. While not such a great learning experience, a readymade captcha script might be advisable.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报
编辑

预览
轻敲空格完成输入
显示为

卡片

标题

链接
评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

编辑

预览

报告相同问题？

关注问题

PHP / CSS：未加载我的会话变量 css php
2018-08-29 19:20

回答 3 已采纳 New Answer PHP Constants need to be generated when the page/script is generated and will only las
PHP：使用会话变量时，登录页面无法进入主页 php
2016-02-16 23:58

回答 1 已采纳 You are missing session_start() on your checklogin.php. Without session_start() your following co
我的PHP会话变量出了什么问题？ php
2015-10-19 22:34

回答 1 已采纳 <?php $userLabel = $row[3]; ?> <p><font>Hello <?php echo $userLabel; ?>.&
php生成图片验证码的方法
2020-12-18 06:34

- 在服务器端，通常会使用 `session_start()` 开启会话，并将生成的验证码保存到 $_SESSION 变量中，以便在提交表单时进行验证。前端部分，HTML 和 JavaScript 代码用于显示验证码图像和提供刷新功能。当用户点击...
PHP准备语句与MySQL会话变量 mysql php
2019-02-04 12:28

回答 2 已采纳 As Bill Karwin said, you can only run one query in a prepared statement. Another way to solve it i
如何将会话变量传递到PHP中的表单？ php
2018-06-07 01:37

回答 1 已采纳 Just break out from the string and concatenate, like this: echo "<form method='POST' action='"
防止PHP / Redis会话D / DoS攻击 php redis
2019-02-16 07:45

回答 1 已采纳 I believe I have a solution identified outside of leveraging a firewall. In Redis for both the us
php实现汉字验证码和算式验证码的方法
2020-10-24 06:58

标题中提到的“php实现汉字验证码和算式验证码的方法”，主要涵盖了在PHP环境下生成汉字和算式形式的验证码的技术要点。在描述部分强调了这些验证码的实用性，特别是在安全性方面，汉字和算式验证码相较于传统的数字...
PHP会话变量请求时间 php
2019-03-07 03:29

回答 1 已采纳 Unless you do these session read/write operations millions of times (e.g. in a loop) you shouldn't
C＃：如何将PHP会话变量发送到WebBrowser控件？ c# php
2010-07-21 06:41

回答 1 已采纳 PHP has two ways to work with sessions: set a cookie, or mangle every URL on the page to include t
如何使用php会话变量传递jquery变量 html jquery php
2018-06-20 03:00

回答 2 已采纳 Using Below code you can send count value to secondpage.php and in second page use $_POST['count_v
利用PHP绘图函数实现简单验证码功能的方法
2020-12-18 21:32

在给定的代码中，`$checkCode` 变量用于存储验证码的值。通过循环`for ($i=0; $i; $i++)`，我们可以随机生成4个1到15之间的十进制数字，然后使用`dechex()`函数将其转换为十六进制形式。这样做是为了确保生成的...
PHP自定义大小验证码的方法详解
2020-10-26 23:36

当用户提交表单时，需要将用户输入的验证码与服务器端会话变量中的文字进行比对，如果一致则验证通过，否则提示用户输入错误，需要重新输入。 PHP中自定义验证码大小的实现方法比较灵活，开发者可以根据实际需要...
php生成图形验证码几种方法小结
2020-10-26 15:56

首先开启session会话，然后定义验证码图像的尺寸、文字数量和字体。在函数中创建图像资源，并且根据指定的颜色来分配背景色、边框色和文字色。与方法一类似，先画背景和边框，之后通过循环添加干扰线和点。最后，...
PHP生成图像验证码的方法小结(2种方法)
2020-12-19 08:57

将这两个数字相加的结果保存在会话变量中，以供后续验证使用。接着，设置图片背景色，创建背景，并在画布上随机生成干扰点。最后，使用`imagestring`将数字、运算符和等号写入图片，输出图像并销毁资源。 2. **生成...
没有解决我的问题, 去提问

PHP：保护会话变量/验证码的任何方法？

2条回答 默认 最新

2条回答默认最新