[英]REST/stateless: CSRF attacks and remembering logged in user
I am using Spring-MVC and AngularJS to create my web application, but I suppose that this question can apply for any technology, since it is more of a conceptual question rather than a specific technology question. 我正在使用Spring-MVC和AngularJS创建我的Web应用程序,但是我想这个问题可以适用于任何技术,因为它更多是概念性问题,而不是特定的技术问题。
I am struggling with understanding a few things regarding CSRF attacks as well as authenticating users on my web application. 我正在努力了解有关CSRF攻击的一些知识,并在我的Web应用程序上对用户进行身份验证。 Hence, I have the following questions: 因此,我有以下问题:
Have the clients generate and send the same unique secret value in both a Cookie and a custom HTTP header. 让客户端在Cookie和自定义HTTP标头中生成并发送相同的唯一秘密值。 Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers. 考虑到仅允许网站为其自己的域读取/写入Cookie,因此只有真实网站才能在两个标头中发送相同的值。 Using this approach all your server has to do is check if both values are equal, on a stateless per request basis! 使用这种方法,您的服务器要做的就是在每个请求无状态的基础上检查两个值是否相等!
Now, I don't understand what the purpose is of generating these secret values. 现在,我不明白生成这些秘密值的目的是什么。 I mean, what is the purpose of having these 2 secret values and compare them on the server? 我的意思是,拥有这两个秘密值并在服务器上进行比较的目的是什么? Can't an attacker just put 2 identical values inside a fake cookie and http header and still submits the form? 攻击者不能只是将2个相同的值放在伪造的cookie和http标头中,然后仍然提交表单吗?
Now, I don't understand what the purpose is of generating these secret values. 现在,我不明白生成这些秘密值的目的是什么。 I mean, what is the purpose of having these 2 secret values and compare them on the server? 我的意思是,拥有这两个秘密值并在服务器上进行比较的目的是什么? Can't an attacker just put 2 identical values inside a fake cookie and http header and still submits the form? 攻击者不能只是将2个相同的值放在伪造的cookie和http标头中,然后仍然提交表单吗?
You are right, an attacker could add a HTTP header, but he could only set a cookie for his own domain (origin). 没错,攻击者可以添加HTTP标头,但他只能为自己的域(来源)设置Cookie。 The browser will not send a cookie to another domain: 浏览器不会将cookie发送到另一个域:
Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers. 考虑到仅允许网站为其自己的域读取/写入Cookie,因此只有真实网站才能在两个标头中发送相同的值。
The server will receive only the HTTP request header from an attacker, not the cookie. 服务器将仅接收来自攻击者的HTTP请求标头,而不接收Cookie。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.