使用javascript重定向安全吗?
[英]is it safe to use javascript redirects?
问题描述
I am hoping to create an ajax sign in form, which redirects the user on sign in - this is going to check the username and password in the database, and send a true value to the client. 
我希望创建一个Ajax登录表单,该表单将重定向登录时的用户-这将检查数据库中的用户名和密码,并向客户端发送true值。
As such I want to do window.location="http://www.someplace.com/mypage.html"; 因此,我想做window.location="http://www.someplace.com/mypage.html";
Is this safe? 这样安全吗? Is there any way of users disabling javascripts redirects? 用户是否可以禁用JavaScript重定向?
4 个解决方案
解决方案1
2 已采纳 2011-01-18 12:49:42
The user can always disable anything that is javascript based. 用户始终可以禁用基于javascript的任何内容。
That said, using javascript for redirection is not in itself unsafe, and i don't see an abuse scenario, only a breakage scenario. 就是说,使用javascript进行重定向本身并不是不安全的,而且我看不到滥用情况,只是破损情况。
All in all it depends how you define safe :) 总而言之,这取决于您如何定义安全性:)
解决方案2
1 2011-01-18 12:55:18
It's not unsafe, but there are 2 alternatives about redirecting without using JS (or if someone has JS disabled): 这不是不安全的,但是有两种不使用JS(或者如果有人禁用JS的重定向)的替代方法:
1) by adding a meta tag in your head 1)通过在您的头部添加meta标签
<meta http-equiv="refresh" content="0;url=http://www.someplace.com/mypage.htm/" />
2) better, by a server side redirect ie (php) 2)更好,通过服务器端重定向即(PHP)
<?php
header( 'Location: http://www.someplace.com/mypage.htm' ) ;
?>
Edit: As I replied to @Spudley comment, these are 2 other methods to redirect to a page without JS enabled.. in your case @Ashley Ward I think it's the correct way to redirect a page for an ajax-form :) 编辑:当我回复@Spudley注释时,这是另外两种在未启用JS的情况下重定向到页面的方法。.在您的情况下,@ Ashley Ward我认为这是将页面重定向为ajax形式的正确方法:)
Ps a form should work both in ajax and non-ajax way ;) ..remember what other users correctly said: JS can be disabled ps表单应该同时以ajax和非ajax方式工作;)..记住其他用户正确说的话:可以禁用JS
解决方案3
1 2011-01-18 12:57:00
In addition to Martin good answer, don't forget to protect yourself against SQL injection attacks: user can very easily access your target page by himself and send "fake" AJAX requests with malicious stuff like 1' OR 1=1 as the username or password. 除了Martin的好答案之外,别忘了保护自己免受SQL注入攻击:用户可以非常轻松地自己访问目标页面,并发送带有诸如1' OR 1=1类的恶意内容的“假” AJAX请求作为用户名或密码。
Unlike what you might think, AJAX requests are not totally hidden from the user and can be easily detected and manipulated using simple tools available for anyone. 与您可能想到的不同,AJAX请求并未完全对用户隐藏,并且可以使用任何人都可以使用的简单工具轻松地检测和处理AJAX请求。
解决方案4
0 2011-01-18 13:04:32
Remember that Javascript is all run in the client browser. 请记住,Javascript都是在客户端浏览器中运行的。 The user can see the code, and with the right tools can edit it in-situ. 用户可以看到该代码,并使用正确的工具可以对其进行原位编辑。
Therefore nothing is "safe" when you're running in Javascript in the browser. 因此,当您在浏览器中使用Javascript运行时, 没有什么是“安全的”。 You should always assume that a malicious user can and will modify your ajax calls, tweak your variables and change the flow of your javascript code. 您应该始终假设恶意用户可以并且将修改ajax调用,调整变量并更改JavaScript代码流。
However, as long as you've catered for that by making your server-side code secure (ie preventing SQL injection attacks, etc), then you don't need to worry too much about that. 但是,只要您通过使服务器端代码安全(例如,防止SQL注入攻击等)来满足此要求,就不必为此担心太多。 A hacker will be trying to break your site, so there's no need for you to worry about whether things will work for him. 黑客将试图破坏您的网站,因此您无需担心事情是否对他有用。
For the purposes of a normal user simply running the code normally, then the answer is Yes: your JS redirect should be perfectly safe. 对于普通用户而言,只需正常运行代码即可,答案是肯定的:您的JS重定向应该是绝对安全的。 The user can switch off Javascript, but of course the Ajax event wouldn't have worked either if the JS was disabled. 用户可以关闭Javascript,但是如果禁用了JS,那么当然Ajax事件也不起作用。
If you've written your ajax code to have a fall-back for non-JS users, then you may want to provide a fall-back for the redirect as well, but in all probability your ajax fall-back would load straight to the redirected page anyway. 如果您编写了ajax代码以为非JS用户提供后备,那么您可能还希望为重定向提供一个后备,但很可能您的ajax后备会直接加载到重定向页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.