English
English
In PHP, user authentication is the basic link in building secure applications. When comparing passwords or tokens, unsafe string comparison methods may lead to a time attack, allowing the attacker to infer sensitive information. PHP provides a function hash_equals() specifically designed to prevent such attacks, which can compare two strings in a constant time manner to ensure security.
This article will introduce how to use the hash_equals() function to implement a secure user authentication process to avoid common security risks.
Time attack refers to the attacker gradually guessing sensitive information, such as password hash or authentication tokens, by measuring the difference in time required for different input strings by measuring the program.
Traditional string comparison functions (such as == or strcmp ) will return as early as possible when the match fails, resulting in the comparison time dependent on the similarity of the string, thus exposing the information.
hash_equals() is a function provided by PHP 5.6 and above. It is designed to compare two strings at a constant time to avoid information leakage due to differences in return time.
Function prototype:
bool hash_equals(string $known_string, string $user_string)
$known_string : a known string (usually a stored hash value).
$user_string : The string entered by the user (value that needs to be verified).
Return true if two strings are equal, otherwise return false .
Suppose that when the user registers, we have the password hashed and stored it using a security algorithm. When logging in, we need to verify the password entered by the user.
Sample code:
<?php
// When user registration,Store password hash to the database
$password = 'user_password123';
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// When the user logs in,Verify password
$input_password = $_POST['password'] ?? '';
// Verify password
if (password_verify($input_password, $hashed_password)) {
// Take out the hash string saved in the database
$stored_hash = $hashed_password;
// Rehash the user's password for comparison(The demonstration scenario here is verification tokens and other situations)
$input_hash = hash('sha256', $input_password);
// use hash_equals Constant time comparison
if (hash_equals($stored_hash, $input_hash)) {
echo "Successful certification";
} else {
echo "Authentication failed";
}
} else {
echo "Authentication failed";
}
?>
Note : In the above example, password_verify() itself has securely verified the password hash, and hash_equals() is suitable for scenarios that verify API tokens or custom hash values.
In many scenarios, we need to verify whether the API token passed by the user matches the token stored on the server. If you use == directly, there is a risk of time attack.
Example:
<?php
// Server-side storageAPIToken
$stored_token = 'abc123def456';
// 用户提交的Token
$provided_token = $_GET['token'] ?? '';
// Make a safe comparison
if (hash_equals($stored_token, $provided_token)) {
echo "Token验证通过";
} else {
echo "Token验证失败";
}
?>
In this way, even if the tokens do not match, the attacker cannot infer the correct token by comparing the time-consuming process.
hash_equals() provides a constant time string comparison that prevents time attacks.
In password verification, it is recommended to use password_hash() and password_verify() , and hash_equals() is suitable for secure comparisons of tokens or hash values.
By rationally using hash_equals() , the security of the authentication process can be significantly improved and the risk of sensitive information leakage can be reduced.
If you want to learn more about PHP security certification best practices, you can visit https://gitbox.net/php-security .
