在 php 和站点安全中设置 cookie
我正在建立一个论坛,但我不确定设置 cookie 的最佳实践。
这是我在用户注册站点时构建的 cookie:
setCookie($name,$ip,time()+300000,"/");
而不是:time()+300000。我希望饼干永远存在,但我不知道该怎么做。
另外,我有一个关于安全的问题。如何检查 cookie 是否未被篡改或被黑客设置?
另一个问题,如何检查用户是否允许其浏览器上的cookie?
更新:
我在登录验证有效后立即添加此内容: setCookie($name,$ip,time()+60*60*24*365,"/");
更新:
if(!isset($_COOKIE['$name'])
{
$salt="[email protected]";
$hash = SHA2(salt + $_POST['pass']);
setCookie($name,$hash,time()+60*60*24*365*50,"/");
}
I am building a forum and I am not sure about the best practices of setting up a cookie.
Here is the cookie that I build as user registers the site:
setCookie($name,$ip,time()+300000,"/");
instead of this: time()+300000. I want the cookie last forever, but I am not sure how to do it.
Also, I have a question regarding on security. how do I check that the cookie wasnt tampered or set by a hacker?
Another question, how do I check if the user allows cookies on his browser?
UPDATE:
I put this as soon as login validation is valid:
setCookie($name,$ip,time()+60*60*24*365,"/");
UPDATE:
if(!isset($_COOKIE['$name'])
{
$salt="[email protected]";
$hash = SHA2(salt + $_POST['pass']);
setCookie($name,$hash,time()+60*60*24*365*50,"/");
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
对于持续时间,只需使用足够大的数字而不是
300000。time() + 60 * 60 * 24 * 366 * 15为您提供 15 年。为了防止篡改,请使用安全哈希函数(例如SHA-2),存储秘密
salt(例如,256 位随机字符串)在您的服务器上,计算hash = SHA2(salt + data)并设置一个保存hash< /代码>。现在,当您读取 cookie 时,您所要做的就是验证
hash具有正确的值。For duration, just use a big enough number instead of
300000.time() + 60 * 60 * 24 * 366 * 15gives you 15 years.To prevent tampering, use a secure hash function (like SHA-2), store a secret
salt(a 256-bit random string, for example) on your server, computehash = SHA2(salt + data)and set a cookie that holdshash.Now, when you read the cookies, all you have to do is verify that
hashhas the correct value.饼干是这样的。任何人都可以改变它们。您可以使用 Sessions 来提高安全性,或者在每次使用时检查 cookie 值以确保它们没有改变。
您也可以对它们进行加密,但 cookie 有字符数限制,加密会使它变得更大,所以这不是一个很好的解决方案。
关于“永久cookie”,您可以设置50年左右的过期时间。
Cookies are this way. They can be changed by anyone. You can use Sessions to be more secure, or check cookies values every time you use them to make sure they did not change.
You also can encrypt them, but cookies has characters limits and encrypting will make it bigger, so it's not a great sollution.
About the "ever lasting cookies", you can set like 50 years to expire.
您不能永远不设置 cookie,但您可以将其设置很长一段时间,并在用户访问您的网站时随时刷新。
对于第二部分:将 cookie 值另外保存在您的数据库中,如果它们匹配,您就设置它,如果不是有人试图操纵某些东西。
另一种选择是仅在 cookie 中存储标识符,并将值存储在数据库中。但要小心并确保没有人能猜出这些标识符。
顺便说一句:我不认为用户的 IP 必须永远存储在他的 cookie 中,因为大多数人每天都需要一个新的永久 cookie :-D
更新:
使用用户 ip 进行识别并不好,它会改变每天。
这样做:
为数据库中的每个用户保存一个盐。随机生成它,如
“jfdklsjfdsohfdsughfdjkhg”。如果用户登录,除了保存用户 ID 的 cookie 之外,还保存 cookie"LoggedIn"以及值md5($username.$salt)。如果您读取 cookie,则只需将哈希值与md5(databaseName.databaseHash) 进行比较。如果相等,则 cookie 是好的。您必须确保该系统中的盐受到良好的保护(只有您的系统应该知道)。You can not set a cookie for ever, but you can set it for a very long time and refresh it anytime a user is visiting your site.
To the second part: save the cookie values additionally in your database, and if they match you set it, if not someone tried to manipulate something.
Another option would be that you only store an identifier in the cookie and the values in your database. But be careful and make sure noone can guess those identifiers.
Btw: I don't think the user's IP has to be stored in his cookie for ever, beacause most people would need a new everlasting cookie every day :-D
UPDATE:
It is not good to use the users ip for identification, it changes every day.
Do it like this:
save a salt for every user in the database. Generate it randomly like
"jfdklsjfdsohfdsughfdjkhg". If user logs in save cookie"LoggedIn"with the Valuemd5($username.$salt)additional to a cookie saving the users id. If You read the cookie you only have to compare the hash withmd5(databaseName.databaseHash).If it is equal, the cookie is good. You have to be sure the salt is well protected in this system (only your system should know it).您不能永远设置 cookie。您可以为 cookie 设置较长的有效期。
请将数据保存在您的数据库或会话中并尝试匹配它们。推荐使用session而不是使用cookie,session数据无法修改。
You cannot set a cookie forever. You can set a long expiry for a cookie.
Please save data in your db or session and try to match them. It is recommended to use session than using cookie, session data cannot be modified.