How to make a more secure backend and URLs with Zend?

I am trying to make a backend with Zend. I was wondering if there is any way to make it more secure; is there any special framework to use? I read I could use: Is there something like Acegi for PHP?

How secure is this? I have used Spring Security before, and it always worked great. Is there something similar to work on Zend? Are those options OK?

I also checked Magento, and for example, URLs look like this:

index/key/8555b140ead18e6c004037e5c82d6478/

That is the URL if I want to enter the catalog, and so on. They only change the key instead of changing the URL for a controller name. Is that key a route for security reasons, or is it dynamically created by the framework? (As far as I know, they use Zend.)

Thanks.

That key is generated depending on the route you are accessing and a random string that changes each time the session is restarted.
So for each login you get a different session key.
The downside of this approach is that you can't give someone else an admin URL and tell them "Hey! Look here", because their session key is different.

If you want to check how this feature is implemented, take a look at the following code in Mage_Adminhtml_Model_Url::getUrl():

$_route = $this->getRouteName() ? $this->getRouteName() : '*';
$_controller = $this->getControllerName() ? $this->getControllerName() : $this->getDefaultControllerName();
$_action = $this->getActionName() ? $this->getActionName() : $this->getDefaultActionName();

if ($cacheSecretKey) {
    $secret = array(self::SECRET_KEY_PARAM_NAME => "\${$_controller}/{$_action}\$");
} else {
    $secret = array(self::SECRET_KEY_PARAM_NAME => $this->getSecretKey($_controller, $_action));
}

This is the code that generates the secret key. Going deeper into the getSecretKey method you will see:

public function getSecretKey($controller = null, $action = null)
{
    $salt = Mage::getSingleton('core/session')->getFormKey();

    $p = explode('/', trim($this->getRequest()->getOriginalPathInfo(), '/'));
    if (!$controller) {
        $controller = !empty($p[1]) ? $p[1] : $this->getRequest()->getControllerName();
    }
    if (!$action) {
        $action = !empty($p[2]) ? $p[2] : $this->getRequest()->getActionName();
    }

    $secret = $controller . $action . $salt;
    return Mage::helper('core')->getHash($secret);
}

So the secret key is a hash built from the controller name, the action name and a $salt generated this way: Mage::getSingleton('core/session')->getFormKey();

The getFormKey method looks like this (one value per session):

public function getFormKey()
{
    if (!$this->getData('_form_key')) {
        $this->setData('_form_key', Mage::helper('core')->getRandomString(16));
    }
    return $this->getData('_form_key');
}
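The following is an added, self-contained re-implementation of the scheme the answer describes, not Magento's own code: it shows that the key is stable within one session, changes per action, and is rejected when the same URL is replayed in another session. It assumes md5 as a stand-in for Mage::helper('core')->getHash(), a plain array in place of the core/session singleton, and hex characters in place of getRandomString(16).

```php
<?php
// Added example (not Magento's code). $session stands in for
// Mage::getSingleton('core/session'); md5 stands in for getHash().

// One random value per session, created lazily and reused afterwards
// (mirrors getFormKey()).
function getFormKey(array &$session): string
{
    if (empty($session['_form_key'])) {
        // 16 random characters; constructed here with random_bytes
        $session['_form_key'] = substr(bin2hex(random_bytes(8)), 0, 16);
    }
    return $session['_form_key'];
}

// Secret key for one controller/action pair (mirrors getSecretKey()).
function getSecretKey(array &$session, string $controller, string $action): string
{
    $salt = getFormKey($session);
    return md5($controller . $action . $salt);
}

// Server-side check an incoming admin URL must pass: recompute the key for the
// requested route and compare it in constant time against the supplied one.
function isValidSecretKey(array &$session, string $controller, string $action, string $supplied): bool
{
    return hash_equals(getSecretKey($session, $controller, $action), $supplied);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Two independent sessions (constructed sample data)
$sessionA = [];
$sessionB = [];

$keyA = getSecretKey($sessionA, 'catalog_product', 'index');
echo "session A URL: index/key/$keyA/\n";

check($keyA === getSecretKey($sessionA, 'catalog_product', 'index'), 'same session, same route: key is stable');
check($keyA !== getSecretKey($sessionA, 'catalog_product', 'edit'), 'same session, other action: key differs');
check(isValidSecretKey($sessionA, 'catalog_product', 'index', $keyA), 'own session accepts its URL');
check(!isValidSecretKey($sessionB, 'catalog_product', 'index', $keyA), 'copied URL is rejected in another session');
```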
