PHP随机密钥验证
[英]PHP random key verification
问题描述
I am making an AJAX request to a script called return.php that will look like this: 
我向一个名为return.php的脚本发出AJAX请求,该脚本将如下所示:
http://www.example.com/return.php?type=3&filter=2
This occurs when a browsing user hits a button on example.com 当浏览用户点击example.com上的按钮时,就会发生这种情况
I want additional security measures so that this can only be requested by a user browsing my site. 我需要其他安全措施,以便只能由浏览我的网站的用户请求。 No direct type ins, etc. 没有直接输入指令等
So I was thinking to send some type of randomly generated key along with the request. 所以我在考虑随请求一起发送某种类型的随机生成的密钥。 What methodology would I use to verify at return.php that a correct key has been sent? 我将使用什么方法在return.php上验证发送了正确的密钥?
Can I generate a key and store it in a session variable that is then accessible in return.php? 是否可以生成密钥并将其存储在会话变量中,然后可以在return.php中访问它?
pseudo code: 伪代码:
if ($random_key_sent == what it should){
//go ahead and execute code
}
else{
//sorry can't help
}
And Ultimately my request would look something like: 最终,我的请求将类似于:
http://www.example.com/return.php?type=3&filter=2&key=8fu5jtugy489kgvuri09984ufjlgi (or whatever the key would be)
Bottom line I am looking for a way to generate some type of added security so that return.php is only being used when it should be, along the similar lines of using API keys etc. 最重要的是,我正在寻找一种生成某种类型的增强安全性的方法,以便仅在应有的情况下使用return.php,以及使用API密钥等类似的方法。
3 个解决方案
解决方案1
1 2013-06-18 21:17:40
If you are worried about "direct type-ins" but still need to use GET requests, you can check the request headers in PHP to only allow Ajax requests using $_SERVER['HTTP_X_REQUESTED_WITH'] . 如果您担心“直接键入”但仍需要使用GET请求,则可以使用$_SERVER['HTTP_X_REQUESTED_WITH']检查PHP中的请求标头,以仅允许Ajax请求。
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
// Do what you need to do
} else {
die("Ajax Only");
}
(Modified from David Walsh ) (由David Walsh修改)
解决方案2
1 已采纳 2013-06-18 21:34:57
You're looking for cross-site request forgery (CSRF or XSRF) protection. 您正在寻找跨站点请求伪造 (CSRF或XSRF)保护。
Typically, you generate and save an anti-CSRF token in the user's session data, and put it in a hidden form field (using either GET or POST), or for normal links you place the token in a query parameter. 通常,您会在用户的会话数据中生成并保存反CSRF令牌,然后将其放在隐藏的表单字段中(使用GET或POST),或者对于常规链接,请将令牌放入查询参数中。 On the server side, you check that the anti-CSRF token matches the one in the user's session data. 在服务器端,您检查反CSRF令牌是否与用户会话数据中的令牌匹配。
Some suggest that you can achieve the same level of security by simply checking the HTTP referer header. 有人建议您只需检查HTTP referer标头即可达到相同的安全级别。 That can work, but is less reliable since people can block the referer for privacy reasons. 这可以起作用,但可靠性较差,因为人们出于隐私原因可以阻止引荐。
解决方案3
-2 2013-06-18 21:13:38
Unless you're going to have a list of preset keys that your PHP code checks against and the browser can receive to then send in the URL, it would be impractical to check the key for a specific value. 除非您准备要使用PHP代码进行检查的预设密钥列表,并且浏览器可以接收然后发送URL,否则检查密钥是否为特定值是不切实际的。 You could just check if the $_GET["key"] array value is set: 您可以只检查$_GET["key"]数组值是否已设置:
if(isset($_GET["key"])){
// go ahead and execute code
}else{
// sorry can't help
}
Alternatively, you may want to consider requiring the browser to set some POST data which is sent along with the request to the webpage, but cannot be typed into the address bar. 或者,您可能需要考虑要求浏览器设置一些POST数据,该数据与请求一起发送到网页,但不能在地址栏中输入。 Then just use $_POST["key"} rather than $_GET["key"] to verify. 然后只需使用$_POST["key"}而不是$_GET["key"]进行验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.