
CSURF not working if the Session cookie is secure

I am stumped as to why, when I set the cookie to secure, node's csrf is not working.

// Added here so the snippet is self-contained: the modules the original post uses but did not show
var express = require('express');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var csrf = require('csurf');

var app = express();
// `secret` and `sessionStore` (the MongoDB-backed store) are defined elsewhere in the original setup

//Load Cookie Parser
app.use(cookieParser(secret));
//Load Session Store
app.use(require('express-session')({
    secret:secret,
    cookie:{
        maxAge: 1000 * 60 * 60 * 24, // 1 day
        secure: true,   // the browser will only send this cookie over HTTPS
        httpOnly: true
    },
    store: sessionStore
}));
//Load POST data parser
//Form sent should be in JSON format
app.use(bodyParser.json());

//Initiate CSRF on middleware
//set the CSRF cookie Header
app.use(csrf());
app.use(function(req,res,next){
    res.cookie('XSRF-TOKEN',req.csrfToken());
    next();
});

This setup is using MongoDB for storing the session data. Reading the express-session docs, I came across this...

Please note that secure: true is a recommended option. However, it requires an https-enabled website, i.e., HTTPS is necessary for secure cookies. If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express:

Source: npm express-session

I'm currently running the site locally, so it's not HTTPS. What I would like to know is how secure:true relates to not passing the csrf test.

Since the provided code sample does not cover the creation of the form, I will assume that you correctly include the _csrf value, or that you set the corresponding header with JavaScript.

Let's start by explaining why you shouldn't be doing res.cookie('XSRF-TOKEN',req.csrfToken());

The default way the csurf module works is that it generates or returns the _csrf token when you run req.csrfToken(), but it also saves this token in the session.

If you want to use a cookie instead of the session as the storage method, you should be passing cookie: true or cookie: cookieOptions as the initialisation value to csurf instead of manually setting the cookie.

This is relevant because if you don't use the intended option parameter, csurf will try to look up the token value for verification from the session object, which means your cookie setting is useless.

Now as for the part about why it fails on HTTPS.

When you set secure: true, what it does is send cookies from the server to the browser with the secure flag.

As per the OWASP page:

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to an HTTPS page. Said in another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request.

This includes the session token cookie, which is used to look up information in the sessionStore.

So the browser does not send a session cookie to the server. The server creates a new, empty session and, because we are back to the default csurf operating method, it will try to look up a token from an empty session. There will not be a token, so the comparison will fail.

As a side note, this also means that your sessions in general fail.

NB! As a side note, if you are more interested I suggest you read the OWASP CSRF mitigation cheatsheet, or my book about Node.js Web Application Security, which among other things covers CSRF and various mitigation methods implemented with Node.js.

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please cite this site or the original source. For any questions, contact yoyou2525@163.com.

© 2020-2024 STACKOOM.COM