
php csrf防御

2016-03-31 14:43 531 查看
<?php
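// Start (or resume) the session that will hold the CSRF token; guarded so that
// including this file from a page that already has a session does not trigger
// the "session already active" notice. This must run before any output is sent.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}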

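class CSRF {
    /** When true the token is bound to REMOTE_ADDR + HTTP_USER_AGENT (re-checked by verifyCsrf). */
    protected static $originCheck = true; //来源控制

    /**
     * Generate a CSRF token, store it in $_SESSION['csrf_' . $key] and return it.
     *
     * Decoded layout (verifyCsrf depends on it): 10-digit unix time, then — only when
     * origin checking is enabled — the 40-hex-char sha1 of REMOTE_ADDR . HTTP_USER_AGENT,
     * then 32 random alphanumeric characters.
     *
     * @param string|null $key token name; also the session key suffix
     * @return string base64-encoded token
     * @throws Exception when $key is empty
     */
    public static function _set_Token( $key=null ) {
        if (empty($key))
            throw new Exception("key为NULL");

        // HTTP_USER_AGENT may be missing; '??' keeps the hash identical to concatenating ''.
        $extra = self::$originCheck
            ? sha1( $_SERVER['REMOTE_ADDR'] . ($_SERVER['HTTP_USER_AGENT'] ?? '') )
            : ''; //判断是否启用来源验证

        $token = base64_encode( time() . $extra . self::_getString( 32 ) ); //一起加密

        $_SESSION[ 'csrf_' . $key ] = $token; //放入session

        return $token;
    }

    /**
     * Return $length random characters drawn from [A-Za-z0-9].
     *
     * Uses random_int() (PHP >= 7.0, CSPRNG) rather than mt_rand(): a CSRF token must
     * not be predictable. The original alphabet also lacked 'k' and repeated 'q'.
     *
     * @param int $length number of characters
     * @return string
     * @throws Exception if no secure randomness source is available
     */
    protected static function _getString( $length ) {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
        $max = strlen( $alphabet ) - 1;

        $string = '';
        for ( $i = 0; $i < $length; ++$i ) {
            // '[]' offset syntax: the '{}' form was removed in PHP 8.
            $string .= $alphabet[ random_int( 0, $max ) ];
        }

        return $string;
    }

    /**
     * Echo the hidden <input name="token"> carrying the session token for $key.
     * The value is attribute-escaped; base64 characters are untouched by the
     * escaping, so the markup for tokens from _set_Token() is unchanged.
     *
     * @param string $key token name used with _set_Token()
     */
    public static function _set_Input_Token( $key ) {
        $value = htmlspecialchars( (string) ($_SESSION[ 'csrf_' . $key ] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
        echo "<input type='hidden' name='token' value='" . $value . "'>";
    }

    /** Record the issue time; verifyCsrf rejects tokens older than its limit relative to this. */
    protected static function _set_Time() {
        $_SESSION['token_time'] = time();
    }

    /**
     * Issue a token for $token, echo its hidden input and record the issue time.
     * Because this echoes, call it (or buffer it) where the form is rendered.
     *
     * @param string $token token name
     */
    public function _init( $token ) {
        CSRF::_set_Token($token);
        CSRF::_set_Input_Token($token);
        CSRF::_set_Time();
    }
}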
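<?php
// Session and token setup run before any HTML is emitted: getCSRF.php calls
// session_start(), which must send the session cookie header, and headers cannot
// be sent once output has started (unless output_buffering happens to be on).
require_once 'getCSRF.php';

$c = new CSRF();
// _init() echoes the hidden <input>; capture it so it can be placed inside the form.
ob_start();
$c->_init('token');
$tokenField = ob_get_clean();
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="verifyCsrf.class.php" method="post" >
<?= $tokenField ?>
用户名:<input type="text" name="username">
<input type="submit" value="提交">
</form>
</body>
</html>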



<pre name="code" class="php"><?php
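// Resume the session that getCSRF.php stored the token in; guarded against a
// second session_start() when this file is included from a page with a session.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}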

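class verifyCsrf{

    /** Must match CSRF::$originCheck: the token embeds sha1(REMOTE_ADDR . HTTP_USER_AGENT) when enabled. */
    protected static $originCheck = true; //来源控制
    /** Tokens issued more than this many seconds ago (per $_SESSION['token_time']) are rejected. */
    const TOKEN_TTL = 300;
    public $token;
    public $time_token;

    /**
     * Validate the submitted token against the copy stored in the session.
     *
     * @param string $key    token name; the session entry is 'csrf_' . $key
     * @param array  $origin submitted values (e.g. a filtered copy of $_POST)
     * @return bool true only when the session token exists, the origin hash matches,
     *              the submitted value equals the session token, and it has not expired
     */
    public static function _checkToken( $key, $origin ){
        if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
            return false;

        // A non-string (e.g. token[]=) can never match; reject it before hash_equals().
        if ( !isset( $origin[ $key ] ) || !is_string( $origin[ $key ] ) )
            return false;

        $hash = (string) $_SESSION[ 'csrf_' . $key ]; //获取存在session中的token

        // 验证来源: the sha1 sits at offset 10 of the decoded token, after the 10-digit timestamp.
        if ( self::$originCheck ) {
            $expected = sha1( $_SERVER['REMOTE_ADDR'] . ($_SERVER['HTTP_USER_AGENT'] ?? '') );
            if ( !hash_equals( $expected, (string) substr( base64_decode( $hash ), 10, 40 ) ) )
                return false;
        }

        // 验证token: strict, constant-time comparison instead of loose '!='.
        if ( !hash_equals( $hash, $origin[ $key ] ) )
            return false;

        // 验证时间: token_time is written by CSRF::_set_Time(); absent means no valid issue.
        if ( !isset( $_SESSION['token_time'] ) )
            return false;
        if ( time() - (int) $_SESSION['token_time'] >= self::TOKEN_TTL )
            return false;

        return true;
    }

    /**
     * Redirect back to the referring page. HTTP_REFERER is client-supplied, so it is
     * honoured only when its host equals the current HTTP_HOST; otherwise '/' is used.
     * Only the header is sent; the caller is expected to stop execution afterwards.
     */
    public static function _jump() {
        $referer = (string) ($_SERVER['HTTP_REFERER'] ?? '');
        $refererHost = strtolower( (string) parse_url( $referer, PHP_URL_HOST ) );
        $ownHost = strtolower( explode( ':', (string) ($_SERVER['HTTP_HOST'] ?? '') )[0] );
        $target = ( $refererHost !== '' && $refererHost === $ownHost ) ? $referer : '/';
        header("Location: " . $target);
    }

}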

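// Forward only the token field; a missing field becomes null and is rejected by
// _checkToken() instead of raising an undefined-index notice.
$post['token'] = $_POST['token'] ?? null;

$vc = verifyCsrf::_checkToken('token', $post);

if ($vc === true) {
    //
    print_r('success');
} else {
    verifyCsrf::_jump();
    // Stop after sending the redirect so nothing further is executed or output.
    exit;
}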



                                            