
Codeigniter CSRF protection VS tabs

In the newish CodeIgniter v3, CSRF tokens are only valid once. As a result, I'm having some trouble dealing with multiple tabs:

  1. Open a tab with Form1
  2. Open a tab with Form2
  3. Submit the tab with Form 1
  4. Submit the tab with Form 2

Step 4 will result in a CSRF error. Obviously this is not ideal... How is one meant to solve this?

Background

There is no need to regenerate the CSRF token upon each form submission. There is little security benefit - if the attacker could retrieve the token from your page then they already have won. This will enable your site to run cross-tabs without error.

See this page for some background on the security aspect: Why [you shouldn't] refresh CSRF token per form request?

CodeIgniter v3

v3 uses a configuration item named csrf_regenerate . Set this to FALSE to prevent regeneration after each request.

CodeIgniter v2

The code CodeIgniter uses is discussed in this post: CSRF Protection in CodeIgniter 2.0: A closer look . The relevant code is below:

function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->csrf_token_name]) OR
         ! isset($_COOKIE[$this->csrf_cookie_name]) )
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ( $_POST[$this->csrf_token_name]
         != $_COOKIE[$this->csrf_cookie_name] )
    {
        $this->csrf_show_error();
    }

    // We kill this since we're done and we don't
    // want to pollute the _POST array
    unset($_POST[$this->csrf_token_name]);

    // Re-generate CSRF Token and Cookie
    unset($_COOKIE[$this->csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified ");
}

Simply remove the following code from the function:

// Re-generate CSRF Token and Cookie
unset($_COOKIE[$this->csrf_cookie_name]);
$this->_csrf_set_hash();
$this->csrf_set_cookie();
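The two-tab sequence from the question, modelled as an added example (not code from the original post or from CodeIgniter): a small PHP class stands in for the CSRF cookie and verifier, and the scenario is run once with per-request regeneration on and once with it off, which is what csrf_regenerate toggles. The class, method and function names are hypothetical, and the comparison uses hash_equals rather than the loose != in the posted CodeIgniter 2 code.

```php
<?php
// Added example: a minimal stand-in for CodeIgniter-style CSRF checking,
// not CodeIgniter's own code. One instance represents one browser session.

class CsrfSession
{
    private string $cookieToken;  // value the browser's CSRF cookie holds
    private bool $regenerate;     // models the csrf_regenerate setting

    public function __construct(bool $regenerate)
    {
        $this->regenerate  = $regenerate;
        $this->cookieToken = bin2hex(random_bytes(16));
    }

    // A tab renders a form: the hidden field copies the current cookie token.
    public function renderForm(): string
    {
        return $this->cookieToken;
    }

    // A tab submits: compare hidden field with cookie in constant time, then
    // rotate the cookie only when regeneration is on. The rotation is what
    // invalidates the form still open in the other tab.
    public function verify(string $postedToken): bool
    {
        if (!hash_equals($this->cookieToken, $postedToken)) {
            return false;  // CodeIgniter would call csrf_show_error() here
        }
        if ($this->regenerate) {
            $this->cookieToken = bin2hex(random_bytes(16));
        }
        return true;
    }
}

// Steps 1-4 from the question: open two tabs, then submit them in order.
function twoTabScenario(bool $regenerate): array
{
    $session = new CsrfSession($regenerate);
    $form1 = $session->renderForm();  // tab 1 opened
    $form2 = $session->renderForm();  // tab 2 opened, same cookie token
    return [
        'tab1' => $session->verify($form1),
        'tab2' => $session->verify($form2),
    ];
}

var_dump(twoTabScenario(true));   // csrf_regenerate = TRUE
var_dump(twoTabScenario(false));  // csrf_regenerate = FALSE
```

Only the second run accepts both submissions; in the first, tab 2's hidden field still carries the token that tab 1's submission rotated away.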
