PHP nonce generation guide

A Nonce is a number or a token used only once.

You can use a nonce in your pages or forms to add an extra layer of security to your app, and one of its uses is to differentiate humans from bots.

Today, I will show you how to create a simple nonce in PHP, and how to validate it.

LET’S BEGIN

First, we will create a class with private and public methods that generate and validate our nonce, based on a secret that we will define.

OUR CLASS

Now we need a private function (method) that generates random characters for our salt, up to the number of characters we specify in its length parameter.

For now, let us make this method a public function so that we can test-run our code.

Here’s the full code

Let us use the new keyword to create an instance of the class, and invoke the generateSalt() method.

$nonce = new Nonce();
var_dump($nonce->generateSalt(22));

This is our result: notice that the random characters were generated up to the length we specified.


Now we need another private method that uses $_SESSION to store the generated nonces, keyed by the form ID.

Next, we need another method that hashes our salt, our secret and a specific expiry time into a token. We then build the nonce by separating each token with a colon, and store it in a session variable using the storeNonce method.

Here’s the full code

So let us invoke the method generateNonce() and pass in 5 as the first argument (the length of the salt to generate), form_login as the second argument (the form we wish to use the nonce on), and 10 as the third and last argument (how long the nonce will last, in minutes).

session_start(); // $_SESSION is only available after the session has been started
$nonce = new Nonce();
var_dump($nonce->generateNonce(5, "form_login", 10));
var_dump($_SESSION);

Here’s our nonce and its stored value in the session.


You can see that each token in the generated nonce is separated by a colon, and that the value stored in the session is its md5() hash.

Now we need a public method that verifies a nonce and returns a boolean (true or false), depending on whether the nonce is valid.

Before we code this method, you need to understand that:

  • Our nonce is stored in $_SESSION
  • Our tokens are separated by a colon ($salt : $form_id : $time : $hash)
  • We will use the same secret used to generate the Nonce, to verify it.

So we have a few conditions in the method above that check the nonce. This method only returns true when every check passes, and false when one or more checks fail.

Here are the checks:

  • If the tokens are not complete, the nonce is invalid
  • If Nonce is not stored in the session, the Nonce is invalid
  • If Nonce is stored but the value does not match, the Nonce is invalid
  • If the time has elapsed, the nonce is invalid
  • If there’s an alteration to the hash, the nonce is invalid
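The class described above (salt, form ID and expiry joined by colons, a hash stored in the session per form ID, and the five verification checks), written out as an added example that is not the article's own code. Assumptions: the secret is a placeholder to be replaced from configuration, hash_hmac() and hash_equals() are used in place of the article's md5() and plain comparison, and a nonce is removed from the session once it verifies so that it really is used only once.

```php
<?php
final class Nonce
{
    // Placeholder secret (assumption); load a long random value from config.
    private const SECRET = 'CHANGE-ME-long-random-secret';

    private function generateSalt(int $length): string
    {
        // CSPRNG bytes, hex-encoded, trimmed to the requested length
        return substr(bin2hex(random_bytes(max(1, intdiv($length + 1, 2)))), 0, $length);
    }

    private function storeNonce(string $formId, string $nonce): void
    {
        // Only a hash of the nonce is kept, keyed by form id, as in the article
        $_SESSION['nonce'][$formId] = hash('sha256', $nonce);
    }

    private function sign(string $salt, string $formId, int $expiry): string
    {
        // HMAC over the three tokens with the secret (replaces the article's md5)
        return hash_hmac('sha256', "$salt:$formId:$expiry", self::SECRET);
    }

    public function generateNonce(int $saltLength, string $formId, int $minutes): string
    {
        $salt   = $this->generateSalt($saltLength);
        $expiry = time() + $minutes * 60;
        $nonce  = "$salt:$formId:$expiry:" . $this->sign($salt, $formId, $expiry);
        $this->storeNonce($formId, $nonce);
        return $nonce;
    }

    public function verifyNonce(string $nonce): bool
    {
        $parts = explode(':', $nonce);
        if (count($parts) !== 4) return false;                                 // tokens incomplete
        [$salt, $formId, $expiry, $hash] = $parts;
        if (!isset($_SESSION['nonce'][$formId])) return false;                 // not in session
        if (!hash_equals($_SESSION['nonce'][$formId], hash('sha256', $nonce))) return false; // stored value differs
        if (!ctype_digit($expiry) || (int) $expiry < time()) return false;     // expired
        if (!hash_equals($this->sign($salt, $formId, (int) $expiry), $hash)) return false; // hash altered
        unset($_SESSION['nonce'][$formId]);                                    // one use only
        return true;
    }
}

session_start();
$n = new Nonce();
$token = $n->generateNonce(5, 'form_login', 10);
var_dump($n->verifyNonce($token), $n->verifyNonce($token)); // first use, then a replay of the same token
```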

Let us create a nonce and verify it to confirm that our class works. We can also change the public function generateSalt() back to a private function, so that it can only be accessed from within our class.

Here’s the full code

So I generated a nonce and passed it as a string to the method and it worked perfectly!

When verifying your nonces, note that a return value of true means the nonce is still valid, while false means the nonce is invalid.

So our function works perfectly! To use this nonce, place the class in a file and include that file in your page with a require statement.

Then create a new instance of the class and generate a nonce.

So there you have it


AMAZING ISN’T IT?


Make it suit your project by using a very strong secret.

Taking note of the response by Chris Smith, I was able to update this article security-wise. Thank You, Chris!

Feel free to drop your suggestions and or responses about this article below.

You have reached the end of my updated article.

EXTRA

I am currently test-running a SaaS app that I built to help collect and manage customer reviews and ratings for your website or business. Do you mind checking it out? I’m looking for partners to work with on this big project.

Your feedback will be highly appreciated.

Check out Givemeastar(GMAS)

Thank You