如何正确地使用加密与认证技术(5)
0x05 用Libsodium安全加密Cookies
/*
// At some point, we run this command:
$key = Sodium::randombytes_buf(Sodium::CRYPTO_AEAD_CHACHA20POLY1305_KEYBYTES);
*/
/**
* Store ciphertext in a cookie
*
* @param string $name - cookie name
* @param mixed $cookieData - cookie data
* @param string $key - crypto key
*/
function setSafeCookie($name, $cookieData, $key)
{
$nonce = Sodium::randombytes_buf(Sodium::CRYPTO_SECRETBOX_NONCEBYTES);
return setcookie(
$name,
base64_encode(
$nonce.
Sodium::crypto_secretbox(
json_encode($cookieData),
$nonce,
$key
)
)
);
}
/**
* Decrypt a cookie, expand to array
*
* @param string $name - cookie name
* @param string $key - crypto key
*/
function getSafeCookie($name, $key)
{
$hexSize = 2 * Sodium::Sodium::CRYPTO_SECRETBOX_NONCEBYTES;
if (!isset($_COOKIE[$name])) {
return array();
}
$decoded = base64_decode($_COOKIE[$name]);
$nonce = mb_substr($decoded, 0, $hexSize, '8bit');
$ciphertext = mb_substr($decoded, $hexSize, null, '8bit');
$decrypted = Sodium::crypto_secretbox_open(
$ciphertext,
$nonce,
$key
);
if (empty($decrypted)) {
return array();
}
return json_decode($decrypted, true);
}
对于没有libsodium库的开发人员,我们的一个博客读者,提供了一个安全cookie实现的例子,其使用了defuse/php-encryption(我们推荐的PHP库)。