防止僞造跨站請求的小招式

<?php
class Crumb {

    CONST SALT = "your-secret-salt";

    static $ttl = 7200;

    static public function challenge($data) {
        return hash_hmac('md5', $data, self::SALT);
    }

    static public function issueCrumb($uid, $action = -1) {
        $i = ceil(time() / self::$ttl);
        return substr(self::challenge($i . $action . $uid), -12, 10);
    }

    static public function verifyCrumb($uid, $crumb, $action = -1) {
        $i = ceil(time() / self::$ttl);

        if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||
            substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)
            return true;

        return false;
    }

}

 

　　代碼中的$uid表示用戶唯一標識，而$ttl表示這個隨機串的有效時間。