
How to save encrypted data in cookie (using php)?

I would like to save data in cookies (user name, email address, etc...) but I don't want the user to easily read it or modify it. I need to be able to read the data back. How can I do that with php 5.2+?

It would be used for "welcome back bob" kind of feature. It is not a replacement for persistence or session storage.

We use mcrypt in our projects to achieve encryption. Below is a code sample based on content found on the internet:

<?php
class MyProjCrypt {

    private $td;
    private $iv;
    private $ks;
    private $ivSize;
    private $salt;
    private $encStr;
    private $decStr;


    /**
     *  The constructor initializes the cryptography library
     * @param $salt string The encryption key
     * @return void
     */
    function __construct($salt) {
        $this->td = mcrypt_module_open('rijndael-256', '', 'ofb', ''); // algorithm
        $this->ks = mcrypt_enc_get_key_size($this->td); // key size needed for the algorithm (32 bytes)
        $this->ivSize = mcrypt_enc_get_iv_size($this->td); // IV size for this algorithm/mode (also 32 bytes)
        // md5() yields 32 hex characters, exactly the key size of rijndael-256
        $this->salt = substr(md5($salt), 0, $this->ks);
    }

    /**
     * Close the module once the object is released. The original closed it inside
     * encrypt()/decrypt(), which left a dangling handle for the next call.
     */
    function __destruct() {
        mcrypt_module_close($this->td);
    }

    /**
     * Encrypts $src and returns it as a hex string (also kept in $this->encStr)
     * @param $src string String to be encrypted
     * @return string
     */
    function encrypt($src) {
        // MCRYPT_DEV_URANDOM gives a properly random IV; MCRYPT_RAND relied on rand()
        $this->iv = mcrypt_create_iv($this->ivSize, MCRYPT_DEV_URANDOM);
        mcrypt_generic_init($this->td, $this->salt, $this->iv);
        $tmpStr = mcrypt_generic($this->td, $src);
        mcrypt_generic_deinit($this->td);

        //convert the encrypted binary string to hex
        //$this->iv is needed to decrypt the string later. It has a fixed length and can easily
        //be separated out from the encrypted string
        $this->encStr = bin2hex($this->iv.$tmpStr);
        return $this->encStr;
    }

    /**
     * Decrypts a hex string produced by encrypt() (also kept in $this->decStr)
     * @param $src string String to be decrypted
     * @return string
     */
    function decrypt($src) {
        //convert the hex string to binary (the pattern needs delimiters)
        $corrected = preg_replace("/[^0-9a-fA-F]/", "", $src);
        $binenc = pack("H*", $corrected);

        //retrieve the iv from the encrypted string
        $this->iv = substr($binenc, 0, $this->ivSize);

        //retrieve the encrypted string alone (minus iv)
        $binstr = substr($binenc, $this->ivSize);

        /* Initialize encryption module for decryption */
        mcrypt_generic_init($this->td, $this->salt, $this->iv);
        /* Decrypt encrypted string */
        $decrypted = mdecrypt_generic($this->td, $binstr);

        /* Terminate decryption handle */
        mcrypt_generic_deinit($this->td);
        // OFB mode adds no padding, so trim() only strips whitespace at the ends
        $this->decStr = trim($decrypted);
        return $this->decStr;
    }
}

I suggest you not only encrypt but also sign the data. If you don't sign the data, you won't be able to tell reliably whether the user modified the data. Also, to avoid replay you may want to add some timestamp/validity period information into the data.

If you don't want your users to read it don't put it in a cookie; instead use sessions with a cookie that stays for a longer time. This way the data stays on the server and not at the computer of the user.

See this article about persistent sessions
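The server-side variant described in this answer, as an added example that is not part of the original answer or of any article it links to: the browser only receives an opaque random token, and the user data lives in a server-side store (here a plain array standing in for a database table; the cookie name `remember` and the 30-day lifetime are assumptions). Requires PHP 7.3+ for the array form of `setcookie()`.

```php
<?php
declare(strict_types=1);

// Constructed in-memory store; a real deployment would use a database table
// keyed by the token hash.
$store = [];

/**
 * Issue a new "remember me" token for the given user data.
 * Only a hash of the token is stored, so a leaked store does not
 * directly yield usable cookie values.
 */
function issueRememberToken(array &$store, array $userData, int $ttlSeconds): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the OS CSPRNG
    $store[hash('sha256', $token)] = [
        'data' => $userData,
        'exp'  => time() + $ttlSeconds,
    ];
    return $token;
}

/**
 * Resolve a token back to its user data, or null if it is malformed,
 * unknown or expired. Nothing in the cookie can be read or edited by the
 * user to change what the server returns.
 */
function lookupRememberToken(array &$store, string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                               // reject anything but our own format
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['exp'] < time()) {
        unset($store[$key]);                       // expired: drop it server-side
        return null;
    }
    return $store[$key]['data'];
}

// Usage: after login, hand out the token; on a later visit, look it up.
$ttl = 30 * 86400;
$token = issueRememberToken($store, ['name' => 'bob', 'email' => 'bob@example.com'], $ttl);
setcookie('remember', $token, [
    'expires'  => time() + $ttl,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

$user = lookupRememberToken($store, $token);
echo $user ? "Welcome back {$user['name']}\n" : "No valid cookie\n";

// A token the server never issued resolves to nothing, without any decryption step.
$unknown = lookupRememberToken($store, str_repeat('0', 64));
echo $unknown === null ? "Unknown token rejected\n" : "Unexpected\n";
```

If you would rather use PHP's own session machinery, the same effect comes from `session_set_cookie_params()` with a long `lifetime` before `session_start()`; the point in either case is that the cookie is a lookup key, not the data itself.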

For encryption example see "symmetric encryption" section in http://www.osix.net/modules/article/?id=606 .

To prevent unauthorized modification, use HMAC: http://php.net/hash-hmac , and about HMAC in general: http://en.wikipedia.org/wiki/HMAC , http://en.wikipedia.org/wiki/Message_authentication_code

And if you don't have to, don't store sensitive data in a cookie, even encrypted. You may want to read more about "data indirection".
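The "encrypt and sign, with a validity period" advice from the earlier answer and the HMAC advice in this one, combined into one added example that is not code from any of the answers. It uses `openssl_encrypt()` and `hash_hmac()` rather than mcrypt, because the mcrypt extension was removed from PHP in 7.2; the two key values are constructed placeholders, the cookie name `welcome`, the cipher `aes-256-cbc` and the 30-day validity are assumptions, and PHP 7.3+ is assumed for `JSON_THROW_ON_ERROR` and the array form of `setcookie()`.

```php
<?php
declare(strict_types=1);

// Two separate 32-byte keys, one for encryption and one for the MAC.
// These are placeholders derived for the example; load real keys from
// configuration, never from a constant in source.
$encKey = hash('sha256', 'example-encryption-key-material', true);
$macKey = hash('sha256', 'example-mac-key-material', true);

/**
 * Build an opaque cookie value: base64( iv . ciphertext . hmac ).
 * The plaintext carries an expiry so a captured cookie cannot be replayed forever.
 */
function sealCookie(array $data, int $ttlSeconds, string $encKey, string $macKey): string
{
    $data['exp'] = time() + $ttlSeconds;
    $plain = json_encode($data, JSON_THROW_ON_ERROR);

    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));   // 16 bytes, fresh per cookie
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }

    // Encrypt-then-MAC: the tag covers the IV and the ciphertext together.
    $tag = hash_hmac('sha256', $iv . $cipher, $macKey, true);      // 32 bytes
    return base64_encode($iv . $cipher . $tag);
}

/**
 * Verify and decrypt. Returns the data array, or null when the value is
 * malformed, has been modified, or has expired. The MAC is checked first,
 * in constant time, so nothing is decrypted unless it is authentic.
 */
function openCookie(string $value, string $encKey, string $macKey): ?array
{
    $raw = base64_decode($value, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {            // iv + one block + tag
        return null;
    }
    $tag = substr($raw, -32);
    $ivAndCipher = substr($raw, 0, -32);
    $expected = hash_hmac('sha256', $ivAndCipher, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null;
    }

    $iv = substr($ivAndCipher, 0, 16);
    $cipher = substr($ivAndCipher, 16);
    $plain = openssl_decrypt($cipher, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null;                                                 // expired or not ours
    }
    unset($data['exp']);
    return $data;
}

// Usage: issue the cookie after login, read it back on the next visit.
$ttl = 30 * 86400;
$cookie = sealCookie(['name' => 'bob', 'email' => 'bob@example.com'], $ttl, $encKey, $macKey);
setcookie('welcome', $cookie, [
    'expires'  => time() + $ttl,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

$user = openCookie($cookie, $encKey, $macKey);
echo $user ? "Welcome back {$user['name']}\n" : "No valid cookie\n";

// Changing a single character of the cookie breaks the HMAC, so openCookie()
// refuses it instead of decrypting it to garbage.
$tampered = $cookie;
$tampered[5] = ($tampered[5] === 'A') ? 'B' : 'A';
$result = openCookie($tampered, $encKey, $macKey);
echo $result === null ? "Tampered cookie rejected\n" : "Unexpected\n";
```

Two design points worth noting: the encryption key and MAC key are distinct, and the MAC is verified with `hash_equals()` before any decryption, which is what keeps a modified cookie from reaching the decryption and JSON parsing code at all. The expiry inside the sealed payload is independent of the cookie's own `expires` attribute, which the browser enforces but the server cannot trust.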

If you absolutely must do this then you can use the symmetric encryption functionality in mcrypt.

http://php.net/mcrypt
