
Validate Origin of FORM POST to ensure it came from same server/app

I want to find a platform/language agnostic solution to ensuring the origin of a FORM POST is from an expected source. I.e. Page1.aspx posting to Page2.php within the same web site.

Specifically what I am attempting to do here is to prevent request forgery.

Use a hidden field in your form, which contains a token your app generated. Store the token in the user session. When the form is submitted, your app will check that the value of the hidden field is identical to the value stored in the user session.

If it is identical, then you know the submitted form comes from where it is expected to come.

Old thread, but might still be useful.

If you do not have session info set (best option) then you can include a hidden field with an encrypted timestamp, then compare it (after decrypting) to the current time on the processing end to make sure it is relatively close, and thus as recent as you deem necessary.

You could include into the form a hidden field which would be the SHA1Hash("some-secret" + Remote_IP + PerSessionSecret).

The PerSessionSecret is something you autogenerate at the beginning of the session. "some-secret" is a global secret value, which will help a little bit in case the randomly generated PerSessionSecret turns out not to be random enough.

Then do the same calculation upon the form submission and you know it was most probably submitted from the same client that it was sent to. (Of course, if you have multiple clients behind a single address, like a proxy or a NAT, you cannot distinguish between them reliably.)
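The session-bound token from the first answer and the time-limited stateless token from the second, as an added Python example that is not code from this thread. It authenticates the timestamp with an HMAC instead of encrypting it (a swapped-in technique), and `SERVER_KEY` and the plain `dict` standing in for the user session are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Synchronizer token (first answer): copy kept in the user's session ---

def issue_session_token(session: dict) -> str:
    """Generate a random token, store it in the session, return it for the hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def validate_session_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept the POST only if the hidden field equals the session copy (constant-time compare)."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

# --- Stateless timestamped token (second answer): nothing stored server-side ---

SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed for this example

def issue_timed_token(now: Optional[int] = None) -> str:
    """Token = timestamp + HMAC(key, timestamp); the MAC stops a client from minting a fresh one."""
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def validate_timed_token(token: str, max_age: int = 600, now: Optional[int] = None) -> bool:
    """Recompute the MAC, then require the timestamp to be within max_age seconds of now."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False  # malformed field: wrong shape or non-numeric timestamp
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # timestamp or MAC was tampered with
    current = int(time.time()) if now is None else now
    # Reject tokens from the future as well as stale ones.
    return 0 <= current - issued <= max_age
```

The timed token only proves the server issued it recently; the session-bound token is the one that ties the POST to the user who loaded the form.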
