Atitit: Login Ticket Security Method

Contents
1.1. Cookie object specification
1.2. Cookie encryption and decryption
1.3. Dynamically changing the cookie ciphertext on a schedule (e.g. every 3 days)
1.4. Server-side key revocation
The login ticket (the cookie object) carries the following fields:

Utype
Uname
Uid
Createtime
Key4svrTickAnyTime
The server can revoke clients' tickets: every ticket is encrypted and verified with the same server-side key, so if that key is changed, verification fails for all of them.
```php
function setCookie4login()
{
    // 8-byte passphrase: AES-128 expects 16 bytes, and PHP silently pads a short
    // passphrase with NUL bytes, so this key has far less entropy than it looks.
    $secret_key = "abcdefgh";
    $token = [];
    // Server-side revocation key: change this value and every ticket that
    // still carries the old one must fail verification.
    $token['Key4svrTickAnyTime'] = "Key4svrTickAnyTimeTb26";
    $token['createTime'] = date('Y-m-d H:i:s');
    $token['loginacc_utype'] = $_GET['usertype'];
    $token['loginacc'] = $_GET['loginacc'];
    $token_json_str = json_encode($token);
    // ECB mode with options=0: output is base64, no IV is used, and there is no
    // integrity tag, so a successful decryption alone does not prove the ticket
    // was not modified.
    $token_ecr = openssl_encrypt($token_json_str, 'AES-128-ECB', $secret_key, 0, "");
    setcookie("logincookie", $token_ecr, time() + 3600 * 24, "/");
    print_r($token_json_str); // debug output of the plaintext ticket
    setcookie("loginacc", $_GET['loginacc'], time() + 3600 * 24, "/");
    setcookie("loginacc_utype", $_GET['usertype'], time() + 3600 * 24, "/");
    echo "ok";
}
```
Verifying the cookie
```php
$secret_key = "abcdefgh"; // must be the same key used in setCookie4login()
// openssl_decrypt() returns false when the ciphertext or the key is wrong
$logincookie = openssl_decrypt($_COOKIE['logincookie'] ?? '', 'AES-128-ECB', $secret_key, 0, "");
if (!$logincookie) {
    throw new Exception("logincookie decrypt err");
}
// Server-side revocation as described above: the Key4svrTickAnyTime stored in
// the ticket must match the server's current value, otherwise the ticket is rejected.
$token = json_decode($logincookie, true);
if (!$token || ($token['Key4svrTickAnyTime'] ?? '') !== "Key4svrTickAnyTimeTb26") {
    throw new Exception("logincookie key revoked");
}
```
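As an added example (not the post's code) the same ticket design in Python with only the standard library: the ticket carries the fields listed above, a per-period key derived from a master secret and the server-side revocation key gives the 3-day rotation, and changing the revocation key invalidates every outstanding ticket. An HMAC tag stands in for the post's AES-ECB encryption, since ECB without a tag lets the ticket fields be altered without the decrypt step noticing; `TicketServer`, `master_secret` and the sample user values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

ROTATION_SECONDS = 3 * 24 * 3600  # the post's "change the cookie every 3 days"


class TicketServer:
    def __init__(self, master_secret: bytes, revocation_key: str = "Key4svrTickAnyTimeTb26"):
        # Constructed example: master_secret is assumed to live only on the server.
        self.master_secret = master_secret
        # Server-side revocation key (value from the post). Replacing it changes
        # every derived period key, so all outstanding tickets stop verifying.
        self.revocation_key = revocation_key

    def _period_key(self, period: int) -> bytes:
        # Key for one 3-day period, derived from the master secret and the
        # revocation key; the ticket tag therefore changes every period.
        info = f"{self.revocation_key}|{period}".encode()
        return hmac.new(self.master_secret, info, hashlib.sha256).digest()

    def issue(self, uid: int, uname: str, utype: str, now=None) -> str:
        """Build 'period.body.tag'; body carries the fields listed in the post."""
        now = time.time() if now is None else now
        period = int(now // ROTATION_SECONDS)
        payload = {"uid": uid, "uname": uname, "utype": utype, "createtime": int(now)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        signed = f"{period}.{body}"
        tag = hmac.new(self._period_key(period), signed.encode(), hashlib.sha256).digest()
        return f"{signed}.{base64.urlsafe_b64encode(tag).decode()}"

    def verify(self, ticket: str, now=None):
        """Return the payload dict, or None if the ticket is forged, rotated out or revoked."""
        now = time.time() if now is None else now
        try:
            period_str, body, tag_b64 = ticket.split(".")
            period = int(period_str)
            signed = f"{period_str}.{body}".encode()
            expected = hmac.new(self._period_key(period), signed, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
                return None  # tag mismatch: tampered fields, wrong key, or key revoked
            # Accept the current period and the previous one (grace for tickets
            # issued just before a boundary); anything older is rotated out.
            current = int(now // ROTATION_SECONDS)
            if period not in (current, current - 1):
                return None
            return json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
```

Rotation here is enforced by the period check rather than by re-encrypting stored cookies, so the server keeps no per-ticket state and revocation is a single key change.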