
How to make a more secure backend and URLs with Zend?

I am trying to make a backend with Zend, and I was wondering if there is any way to make it more secure, any special framework to use? I read I could use: Is there something like Acegi for PHP?

How secure is this? I have used Spring Security before, and it always worked great. Is there something similar to work with Zend? Are those options ok?

I also checked Magento, and for example, URLs are like this:

index/key/8555b140ead18e6c004037e5c82d6478/

That is the URL if I want to enter the catalog, and so on; they only change the key instead of changing the URL for a controller name. Is that key a route for security reasons, or is it dynamically created by the framework? (As far as I know, they use Zend.)

Thanks.

That key is generated depending on the route you are accessing and a random string that changes each time the session is restarted.
So for each login you get a different session key.
The downside of this approach is that you can't give someone else an admin URL and tell him "Hey! look here", because their session key is different.

If you want to check how this feature is implemented, take a look at the following code in Mage_Adminhtml_Model_Url::getUrl():

$_route = $this->getRouteName() ? $this->getRouteName() : '*';
$_controller = $this->getControllerName() ? $this->getControllerName() : $this->getDefaultControllerName();
$_action = $this->getActionName() ? $this->getActionName() : $this->getDefaultActionName();

if ($cacheSecretKey) {
    // placeholder form of the key; the real value is substituted later
    $secret = array(self::SECRET_KEY_PARAM_NAME => "\${$_controller}/{$_action}\$");
}
else {
    // real key, bound to this controller/action pair and the current session
    $secret = array(self::SECRET_KEY_PARAM_NAME => $this->getSecretKey($_controller, $_action));
}

This is the code that generates the secret key. Going deeper into the getSecretKey method you will see:

public function getSecretKey($controller = null, $action = null)
{
    $salt = Mage::getSingleton('core/session')->getFormKey();

    $p = explode('/', trim($this->getRequest()->getOriginalPathInfo(), '/'));
    if (!$controller) {
        $controller = !empty($p[1]) ? $p[1] : $this->getRequest()->getControllerName();
    }
    if (!$action) {
        $action = !empty($p[2]) ? $p[2] : $this->getRequest()->getActionName();
    }

    $secret = $controller . $action . $salt;
    return Mage::helper('core')->getHash($secret);
}

So the secret key is a hash built from the controller name, the action name and a $salt generated this way: Mage::getSingleton('core/session')->getFormKey()

The getFormKey method looks like this (one value per session):

public function getFormKey()
{
    if (!$this->getData('_form_key')) {
        $this->setData('_form_key', Mage::helper('core')->getRandomString(16));
    }
    return $this->getData('_form_key');
}
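To see the scheme end to end, here is an added stand-alone reimplementation of the idea described in this answer (it is not Magento's or Zend's code; the class name AdminUrlSigner and the use of sha256 are assumptions of this example). It generates a per-session form key, derives the URL key from controller + action + form key, and checks an incoming key with a constant-time compare, which also shows why a URL from one session is rejected in another.

```php
<?php
// Added example, not Magento code: minimal per-session secret-key scheme.
final class AdminUrlSigner
{
    private array $session = []; // stand-in for the core/session data store

    // One random value per session, created lazily, like getFormKey().
    public function formKey(): string
    {
        if (empty($this->session['_form_key'])) {
            $this->session['_form_key'] = bin2hex(random_bytes(8)); // 16 hex chars
        }
        return $this->session['_form_key'];
    }

    // hash(controller . action . salt), the structure used by getSecretKey().
    // Magento's helper does its own hashing; sha256 is this example's choice.
    public function secretKey(string $controller, string $action): string
    {
        return hash('sha256', $controller . $action . $this->formKey());
    }

    public function url(string $controller, string $action): string
    {
        return sprintf('/admin/%s/%s/key/%s/', $controller, $action,
            $this->secretKey($controller, $action));
    }

    // Request-side check; hash_equals avoids leaking the key through timing.
    public function isValid(string $controller, string $action, string $key): bool
    {
        return hash_equals($this->secretKey($controller, $action), $key);
    }
}

$alice = new AdminUrlSigner(); // two independent sessions (constructed sample)
$bob   = new AdminUrlSigner();

$url = $alice->url('catalog', 'index');
preg_match('#/key/([0-9a-f]+)/#', $url, $m); // pull the key back out of the URL
$key = $m[1];

var_dump($alice->isValid('catalog', 'index', $key)); // true: same session, same route
var_dump($alice->isValid('catalog', 'edit',  $key)); // false: key is bound to the action
var_dump($bob->isValid('catalog', 'index', $key));   // false: other session, other form key
```

The last check is the "downside" mentioned above: the key only validates for the session whose form key produced it, so a pasted admin URL does not work for anyone else.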
