I am building a PHP login system. The user receives an email containing a one-time link to a site that checks that link and then issues a token to the user as a cookie/session. My question is how to split the token and/or the one-time link in order to prevent timing attacks.
My session table:
- uid (AI PK)
- datecreated (when the welcome email with the one-time link was sent)
- datevalidated (once the one-time link has been confirmed and the token has been issued to the user as a cookie/session)
- email (the address to which the welcome email is sent)
- onetimelink (https://example.com/login/$onetimelink - sent via email)
- token (the token that authenticates the user for up to a week)
The tokens will be generated with the following code and saved to the database:
$onetimelink = bin2hex(random_bytes(15)); // 15 random bytes -> 30 hex characters, sent in the email link
$token = bin2hex(random_bytes(15));       // 15 random bytes -> 30 hex characters, stored in the cookie/session
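One way to do the split the question asks about, shown as an added example rather than code from the question: the selector/verifier pattern. The database lookup uses only a public selector (so the non-constant-time SQL comparison leaks nothing secret), the secret verifier is stored only as a SHA-256 hash, and the check runs through hash_equals(); the `$lookup` callback and the in-memory `$rows` array are stand-ins for the real session table query and are assumptions of this example.

```php
<?php
// Added example (not the question author's code). Each secret is split into a
// public "selector" used for the SQL lookup and a secret "verifier" that is
// stored only as a SHA-256 hash and compared with hash_equals(). The same
// pattern applies to both the onetimelink and the token column.
declare(strict_types=1);

function generateSplitToken(): array
{
    $selector = bin2hex(random_bytes(8));   // 16 hex chars, the lookup key
    $verifier = bin2hex(random_bytes(24));  // 48 hex chars, the secret
    return [
        'selector'      => $selector,
        'verifier'      => $verifier,                   // never stored
        'verifier_hash' => hash('sha256', $verifier),   // the only stored part
        'user_value'    => $selector . ':' . $verifier, // goes in the link/cookie
    ];
}

// $lookup stands in for "SELECT verifier_hash FROM sessions WHERE selector = ?"
// and returns null when no row matches (hypothetical callback, not a real API).
function verifySplitToken(string $presented, callable $lookup): bool
{
    $parts = explode(':', $presented, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return false;
    }
    [$selector, $verifier] = $parts;
    $storedHash = $lookup($selector);
    // Compare against a dummy hash when the selector is unknown so the
    // "no such row" path does the same work as the "row found" path.
    $expected = $storedHash ?? str_repeat('0', 64);
    $match = hash_equals($expected, hash('sha256', $verifier));
    return $storedHash !== null && $match;
}

// Constructed in-memory stand-in for the session table.
$rows = [];
$issued = generateSplitToken();
$rows[$issued['selector']] = $issued['verifier_hash'];
$lookup = static fn (string $selector): ?string => $rows[$selector] ?? null;

$cases = [
    'correct value'    => $issued['user_value'],
    'wrong verifier'   => $issued['selector'] . ':' . bin2hex(random_bytes(24)),
    'unknown selector' => bin2hex(random_bytes(8)) . ':' . $issued['verifier'],
    'malformed'        => 'not-a-token',
];
foreach ($cases as $label => $value) {
    printf("%-16s %s\n", $label, verifySplitToken($value, $lookup) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; the unknown-selector case still hashes and compares before rejecting, so its timing does not reveal whether the selector exists.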