doufei1852 2014-01-07 14:25
浏览 88
已采纳

PHP用户通过电子邮件验证

I'm working on a php/laravel-4 project, and we need to auto authenticate users coming from the links in the emails we send them, we need to have time limit for links so a link in email would not authenticate after the expire time is passed, I've come to this approach but I have some doubts about it's security:

first I make a md5 hash using user's email, timestamp and a secret key like this:

$timestamp = time();
$hash = md5($email . $timestamp . $secret_key);

then I can generate a url like this:

$url = "http://www.example.com/url?email={$email}&hash={$hash}&timestamp={$timestamp}

so then I can check the timestamp (for time validation) and regenerate the hash and authenticate the user with the provided email, do you think it has any security flaw? if yes please suggest me the secure method.

  • 写回答

4条回答 默认 最新

  • dsyk33753 2014-01-07 18:28
    关注

    I would not do that. What I would do:

    Create a table for your links:

    public function up()
{
    Schema::create('login', function($table) {
        $table->string('id')->primary();

        $table->string('user_id');

        $table->timestamps();
    });
}

    Every time you generate a link you add a line to this table:

    $user = User::find(1);

$login = Login::create(['id' => Login::generateID(), 'user_id' => $user->id]);

$url = "http://www.example.com/url?login_id={$login->id}"

    Then when your user click the link you can automatically log him in, also, immediatelly invalidate that link:

    $login = Login::findOrFail(Input::get('login_id'));

$user = User::find($login->user_id);

Auth::login($user);

$login->delete();

    And create an Artisan Command to periodiacally delete old records on that table:

    Login::where('created_at', '<=', Carbon\Carbon::now()->subDays(2))->delete();

    This can be the code for generateID(), it's a basic UUID code generation:

    public static function v4() 
{
    return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',

    // 32 bits for "time_low"
    mt_rand(0, 0xffff), mt_rand(0, 0xffff),

    // 16 bits for "time_mid"
    mt_rand(0, 0xffff),

    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    mt_rand(0, 0x0fff) | 0x4000,

    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    mt_rand(0, 0x3fff) | 0x8000,

    // 48 bits for "node"
    mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );
}

    No strings attached to anything on your system.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥50 永磁型步进电机PID算法
  • ¥15 sqlite 附加(attach database)加密数据库时,返回26是什么原因呢?
  • ¥88 找成都本地经验丰富懂小程序开发的技术大咖
  • ¥15 如何处理复杂数据表格的除法运算
  • ¥15 如何用stc8h1k08的片子做485数据透传的功能?(关键词-串口)
  • ¥15 有兄弟姐妹会用word插图功能制作类似citespace的图片吗?
  • ¥200 uniapp长期运行卡死问题解决
  • ¥15 latex怎么处理论文引理引用参考文献
  • ¥15 请教:如何用postman调用本地虚拟机区块链接上的合约?
  • ¥15 为什么使用javacv转封装rtsp为rtmp时出现如下问题:[h264 @ 000000004faf7500]no frame?