
When Is It Necessary to Protect Forms with a Token (CSRF Attacks)?

As far as I understand, a web developer should create a token and put it in a hidden field of the form to prevent CSRF attacks. He should also save the same token in the session and then, when the form is submitted, check that the tokens are equal.

That led me to a question... is it necessary to apply this technique to all forms? I mean, imagine a form that is created for signing in. I can't see any harm done to the site and/or the user if there is no CSRF protection, because the user has no privileges (like he would have if he were signed in). The same goes for sign-up... Am I right?

PS If I'm wrong, please explain the concept to me.

The danger that CSRF tries to prevent is when you have the following situation:

  1. The user has signed in or whatever, and has a certain level of authority
  2. The bad guy exploits that authority without the user's permission

Sometimes this is done by tricking the user into making an HTTP request without knowing it, for example via an image's source attribute.

The forms you want to protect are the forms that require this authority.

On the crazy off-chance that this didn't actually make sense, Chris Shiflett has an awesome article on CSRF (which you may very well have already read :/)

Generally speaking, you want to protect your form any time its submission will result in a change of content/state, be it adding it, removing it, editing it or sharing it with an external source ("share on xyz").

An example of a form you wouldn't need to protect is a search box, since it doesn't result in any change of content.

If you're unsure, any form which will result in something being saved/deleted (whether it's on your site or not) should be protected.

And if you are really unsure, just add the token; it doesn't cost anything to be safe.
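The synchronizer-token pattern the question describes, applied the way the two answers above recommend (token demanded only on state-changing submissions, search left open), as an added example that is not part of the original question or either answer. The session store, the routes `/profile/delete`, `/post/share` and `/search`, and the field name `csrf_token` are all constructed for this example; it runs offline with plain dicts standing in for the session and the application state.

```python
import hmac
import re
import secrets

# Name of the hidden form field and session key (constructed for this example).
TOKEN_KEY = "csrf_token"

# (method, path) pairs whose submission changes content/state and therefore
# need the token. Per the second answer, a read-only search box is left open.
PROTECTED = {("POST", "/profile/delete"), ("POST", "/post/share")}


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session token that goes into the hidden field.

    One random token per session is enough; it has to be unguessable, so it
    comes from `secrets`, not `random`."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def render_form(session: dict, action: str) -> str:
    """The HTML the site serves: the session's token rides along in a hidden field."""
    token = issue_token(session)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
        '<input type="submit"></form>'
    )


def token_is_valid(session: dict, form: dict) -> bool:
    """Check the submitted token against the one stored in the session.

    A missing session token (the user never loaded a form) or a missing field
    fails closed. The comparison is constant-time so response timing does not
    leak the token byte by byte."""
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def handle_request(session: dict, method: str, path: str, form: dict, state: dict) -> int:
    """Minimal dispatcher returning an HTTP-style status code.

    The CSRF check runs before any handler touches `state`, so a rejected
    request leaves the application untouched."""
    if (method, path) in PROTECTED and not token_is_valid(session, form):
        return 403
    if (method, path) == ("POST", "/profile/delete"):
        state["profile_deleted"] = True
        return 200
    if (method, path) == ("POST", "/post/share"):
        state["shared_to"] = form.get("target", "")
        return 200
    if (method, path) == ("GET", "/search"):
        state["last_query"] = form.get("q", "")
        return 200
    return 404


def demo() -> dict:
    """Walk through the cases the thread discusses and return the outcomes."""
    victim_session = {}     # the signed-in victim's server-side session
    attacker_session = {}   # the attacker's own, separate session
    state = {}
    results = {}

    # 1. Legitimate flow: the victim loads the form; the browser submits the
    #    hidden token back under the same session cookie.
    html = render_form(victim_session, "/profile/delete")
    token = re.search(rf'name="{TOKEN_KEY}" value="([^"]+)"', html).group(1)
    results["legit_delete"] = handle_request(
        victim_session, "POST", "/profile/delete", {TOKEN_KEY: token}, state)

    # 2. Forged request: an attacker's page (auto-submitted form, or an <img>
    #    whose src hits the URL) makes the victim's browser send the request.
    #    The browser attaches the victim's cookie, so the session is the
    #    victim's, but the attacker's page cannot read the hidden field.
    forged_state = {}
    results["forged_delete"] = handle_request(
        victim_session, "POST", "/profile/delete", {}, forged_state)
    results["forged_delete_changed_state"] = bool(forged_state)

    # 3. The attacker has a token of their own and replays it into the
    #    victim's session; tokens are per session, so it does not match.
    attacker_token = issue_token(attacker_session)
    results["replayed_attacker_token"] = handle_request(
        victim_session, "POST", "/post/share",
        {TOKEN_KEY: attacker_token, "target": "xyz"}, forged_state)

    # 4. Read-only search: no state change, so no token is demanded.
    results["search_without_token"] = handle_request(
        victim_session, "GET", "/search", {"q": "csrf"}, state)
    return results


if __name__ == "__main__":
    print(demo())
```

The deciding detail is that the browser sends the victim's cookie automatically but the attacker's page cannot read the victim's hidden field, so requiring the field on every state-changing submission is exactly what separates a forged request from a real one.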
