PHP-这对于唯一的会话令牌足够安全吗?
[英]PHP - Is this secure enough for unique session tokens?
问题描述
I am creating a PHP application and need user authentication to be as secure as possible! 
我正在创建一个PHP应用程序,并且需要用户身份验证才能尽可能安全!
Once the user has logged-in I need to set a cookie (along with other cookies) with a session identifier and this has to be unique. 用户登录后,我需要设置一个带有会话标识符的cookie(以及其他cookie),并且它必须是唯一的。
<?php
// Set default timezone for time() function.
date_default_timezone_set("Europe/London");
$secure_token_length = 16; // 32-Digits Long.
// Generate unique token.
$token = time() . "-" . bin2hex(openssl_random_pseudo_bytes($secure_token_length, $strong));
// Set session identifier.
setcookie("session", $token, 0, "/app/", false, false, true);
?>
As you can see I'm creating a unique token and appending the current UNIX timestamp to ensure that this value is not generated twice, The secure token is stored in a database within a UNIQUE column and the token is not inserted into the database if it is already in use (Using PHP's Do-While function), Any advice on how to make this more secure please comment. 如您所见,我正在创建唯一的令牌并附加当前的UNIX时间戳,以确保不会两次生成该值。安全令牌存储在数据库中的UNIQUE列中,并且如果令牌未插入数据库中已在使用中(使用PHP的Do-While函数),有关如何使其更加安全的任何建议,请发表评论。
1 个解决方案
解决方案1
0 2016-04-19 20:45:41
If you want it to be "secure as possible" then please use an established method rather than trying to create your own. 如果您希望它“尽可能安全”,请使用已建立的方法,而不要尝试创建自己的方法。 For example, let a third-party authenticate for you just like StackOverflow allows you to login with Facebook, Yahoo, etc... 例如,让第三方为您进行身份验证,就像StackOverflow允许您使用Facebook,Yahoo等登录一样。
Additionally, PHP has built-in session handling functions which can work with both cookies and databases, OWASP has a guide on how to securely manage your sessions, I don't understand why you're trying to reinvent the wheel here by generating your own session tokens. 此外,PHP具有内置的会话处理功能,可与Cookie和数据库一起使用, OWASP包含有关如何安全管理会话的指南,我不明白您为什么尝试通过生成自己的会话来重新发明轮子会话令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.