CSRF保护:为每个请求发送CSRF令牌的方法
[英]CSRF Protection: Methods to send CSRF token for each request
问题描述
My initial code generated tokens for the requests that could alter state of my database, like CRUD operations. 
我的初始代码为可能会更改数据库状态的请求生成令牌,例如CRUD操作。 The token was generated for each request. 令牌是为每个请求生成的。 Sent to client side in JSON-format along with other data and I expected this token to be returned with the request and changed it after completion of the request. 以JSON格式与其他数据一起发送到客户端,我希望此令牌与请求一起返回,并在请求完成后进行更改。 But, as I implemented it to only parts of my code (CRUD operations), I was told to redo it and make it web-app wide. 但是,当我仅将其实现到代码的一部分(CRUD操作)时,被告知要重做并将其扩展到整个Web应用程序。 I think the best way to do this is with filters. 我认为最好的方法是使用过滤器。
My problem is, how do I make the client send "the token" for each request? 我的问题是,如何使客户端为每个请求发送“令牌”? Do I set it in cookies? 是否将其设置在Cookie中? What are my options? 我有什么选择? Please advice. 请指教。
1 个解决方案
解决方案1
0 2012-11-16 08:33:32
best way is , all links should be GET request, and within get requests no modification should be made to application state. 最好的方法是,所有链接都应该是GET请求,并且在get请求中,不应对应用程序状态进行任何修改。 So for GET requests there will be no need for CSRF tokens. 因此,对于GET请求,将不需要CSRF令牌。
For POST request s which make modifications in application state you have to generate, csrf hidden fields in your forms and validate the token in server during form submit. 对于必须在应用程序状态中进行修改的POST请求,您必须在表单提交期间生成,隐藏表单中的csrf字段并验证服务器中的令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.