Download the PHP package softsmart/simple-nonce without Composer
On this page you can find all versions of the php package softsmart/simple-nonce. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download softsmart/simple-nonce
More information about softsmart/simple-nonce
Files in softsmart/simple-nonce
Package simple-nonce
Short Description Simple nonce implementation
License GPL-3.0-only
Homepage https://softsmart.co.za/2017/01/04/php-create-installer-composer/
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package simple-nonce
SimpleNonce
A simple nonce implementation in PHP
This is a very simple nonce implementation. Uses PSR-2 and PSR-4
Structure
If any of the following are applicable to your project, then the directory structure should follow industry best practices by being named the following.
Install
Via Composer
Usage
Testing
Contributing
Please see CODE_OF_CONDUCT for details.
Credits
- John McMurray
- All Contributors
License
GNU GENERAL PUBLIC LICENSE. Please see License File for more information.
Questions
Q: Why do we need to pass the timestamp?
A: The way most nonces are implemented is that when they are created the nonce and the time out is stored in a file system or in a db, redis, etc. When the nonce is used the validity of the nonce and its time out is read from a DB.
This nonce system does not store nonces in a DB and does not store the unused nonces in the file system. The reason we don't do that is because on busy sites that could cause quite a lot of overhead. For instance, think about a busy store where you want to list many products on a page to an admin user. Each item in the list might have an edit button as well as a delete button. Each of these buttons require its own nonce. If we list 50 items per page, that's 100 nonces we're writing to a db which may never be used.
Our system rather works out the nonce on generating it and then reworks it out on verifying it, based on the action, timestamp and meta data. Because we're not prestoring, we need to pass the timestamp!
Q: If we're passing the time stamp as plain text with a link, what prevents a bad user from altering the time stamp in the URL?
A: The generateNonce function uses the time stamp as part of the nonce field. So even though a bad user can see the time stamp they can't alter it. If they try to alter it the verifyNonce function will fail.
Q: If it doesn't write to a DB how does it know that the nonce has only been used once?
A: We do write a text file. The text file is named with the nonce key. When a nonce is being verified we check that that file does not exist. If it does exist then the nonce has already been used and the nonce fails.
