使用PHP验证rfc2616日期字符串

Question

For security, requests to a PHP webservice will require a Date: header.

I need to calculate if the Date: header is within 15 minutes of the computer clock. I can easily do this by comparing

$dt = new DateTime($_SERVER['HTTP_DATE']);

to the actual date. However, strotime also supports formats such as "now", which will always be 'valid'.

Is there a straightforward way to make sure people specify an absolute date. Strictly checking RFC2616 is even better, but not a requirement.

See: http://www.ietf.org/rfc/rfc2616.txt section 3.3.1

Answer 1

Did some research and it looks like you can solve this using strptime() . Note that this is untested, and I'm just guessing that strptime() will properly convert the string to GMT based on the supplied timezone. This should at least get you started.

$in = $_SERVER['HTTP_DATE'];
$out = 0;

$strptime_patterns = array(
    // Matches: Sun, 06 Nov 1994 08:49:37 GMT
    '%a, %d %h %Y %H:%M:%S %z',
    '%a, %d %h %Y %H:%M:%S %Z',
    // Matches: Sunday, 06-Nov-94 08:49:37 GMT
    '%A, %d-%h-%y %H:%M:%S %z',
    '%A, %d-%h-%y %H:%M:%S %Z',
    // Matches: Sun Nov  6 08:49:37 1994
    '%a %h %e %H:%M:%S %Y'
);

foreach ($strptime_patterns as $pat) {
    if ($arr = strptime($in, $pat)) {
        $out = mktime($arr['tm_hour'], $arr['tm_min'], $arr['tm_sec'], $arr['tm_mon'], $arr['tm_mday'], $arr['tmp_year'] + 1900);
        break;
    }
}

if ($out > gmmktime()) {
    // Invalid date - in the future
} elseif ($out >= gmmktime() - (15 * 60)) {
    // Valid, not expired
} elseif ($out > 0) {
    // Valid date, but expired
} else {
    // Invalid date
}

Answer 2

$request_time = strtotime($_SERVER['HTTP_DATE']);
$server_time = time();
$difference = abs($request_time - $server_time);
if($difference <= (15 * 60)) {
    //good to go
}

This just converts them both to Unix timestamps and compares them to make sure they're less than or equal to 15 minutes apart.