1
我必须通过发布请求(使用Flash上传器)提交用户会话ID。 项目基于Zend Framework。将PHP会话存储在JS变量中?
现在的IAM不知道如果我的实现是 “安全”:
查看
var session = "<?= Anon_SimpleCrypt::encrypt(Zend_Session::getId(), 'SOME_KEY'?>";
控制器:
$sessionId = $_POST['SESSION_ID'];
$sessionId = Anon_SimpleCrypt::decrypt($sessionId, 'SOME_KEY');
Zend_Session::setId($sessionId);
加密/解密:
public static function encrypt($value, $encryptionKey)
{
$result = '';
$encryptionKey = $encryptionKey . self::getSalt($value);
for ($count = 0; $count < strlen($value); $count++) {
$char = substr($value, $count, 1);
$keychar = substr($encryptionKey, ($count % strlen($encryptionKey)) - 1, 1);
$char = chr(ord($char) + ord($keychar));
$result.=$char;
}
return base64_encode($result);
}
public static function decrypt($value, $encryptionKey)
{
$result = '';
$value = base64_decode($value);
$encryptionKey = $encryptionKey . self::getSalt($value);
for ($i = 0; $i < strlen($value); $i++) {
$char = substr($value, $i, 1);
$keychar = substr($encryptionKey, ($i % strlen($encryptionKey)) - 1, 1);
$char = chr(ord($char) - ord($keychar));
$result.=$char;
}
return $result;
}
在Cookie中存储sessionId与通过javascript变量提供sessionId不同。该cookie应该标记为HTTPOnly,完全是为了防止它可用于JavaScript。 – Jacco 2012-07-09 12:47:21