在PHP中使用随机数作为安全解决方案 [英] Using a nonce as a security solution in PHP

问题描述

我目前在使用随机数作为PHP中的安全解决方案时遇到问题

I am currently having an issue with using a nonce as a security solution in PHP

我读了这篇关于 如何检查请求是来自同一服务器还是来自其他服务器?

关于使用隐藏的输入表单字段对随机值进行哈希处理，并同时将该随机值存储到与用户相对应的会话中. 提交表单后，请检查隐藏字段的值是否与会话中存储的字段相同. (我认为这有问题)

about using an hidden input form field to hash a random value and At the same time, store that random value into the session that correspond to the user. When the form is submitted, check that the hidden field has the same value as the one that's stored in session. (I think am having a problem with this)

示例

<?
$_SESSION['formhash'] = md5('any value to be hashed');
?>
<input type="hidden" name="hashed" id="hashed" value="<?php echo $_SESSION['formhash']; ?>" />

拥有Mozilla Firebug并检查元素的用户仍会找出我的隐藏字段，然后将其复制.然后创建他/她自己的表单，然后将其发布到我的网址中，登录名仍然会被绕过.

A user having an Mozilla Firebug and inspecting the element will still find out my hidden field and then copy it. And then create his/her own form then post it to my url and the Login will still be Bypassed.

显示示例的图像

还有其他更安全的方法吗? 任何帮助将不胜感激，谢谢！

Is there any more secure way to do this ? Any help will be appreciated thanks !

推荐答案

最重要的是，您不能阻止用户在提交表单之前操纵表单数据.解决方案要做的是确认表单数据来自发送给它的用户.

The bottom line is that you cannot prevent a user from manipulating the form data prior to submitting the form. What your solution does is confirms that the form data is coming from the user you sent it to.

无论用户是否登录"，每次新访问者访问您的网站时，您都可能会开始一个会话.这意味着您可以在每次发送表单时存储哈希值，并且从理论上讲，您应该能够将返回的表单数据上的哈希值与会话中的哈希值相关联(就像您的代码一样).

Regardless of whether or not a user is "logged in", you will probably start a session each time a new visitor hits your site. This means you can store the hash value each time you send them a form and you should, in theory, be able to associate the hash value on the returned form data with the hash value in the session (just like your code is doing).

有了这些知识，我们可以考虑以下情形:

Armed with that knowledge, we can consider the following scenarios:

1. 典型的用例是用户提交表单而不修改数据.您的方法将使您确认该用户已发布该表单.您的验证码应确认POST数据是可接受的.

1. The typical use case is that a user submits a form without modifying the data. Your approach will allow you to confirm that the form has been posted by that very user. Your validation code should confirm that the POST data is acceptable.

如果用户修改并提交了表单数据，则您的方法将允许您确认该用户已发布该表单，但不是确认该表单已被弄乱.这就是为什么您需要非常非常仔细地验证表单的原因.

If a user modifies the form data and submits it, your approach will allow you to confirm that the form has been posted by that user, but not that the form has been messed with. This is why you need to validate forms very, very carefully.

如果用户抓取了实际发送给他人的表单并发布(修改或未修改)，则系统将允许您确认该表单是否不是来自用户它最初发送给您，您应该拒绝它.

If a user grabs a form that was actually sent to someone else and posts it - modified or not - your system will allow you to confirm that the form did not come from the user that it was originally sent to and you should reject it.

方案3是所谓的CSRF攻击，您的解决方案是针对这种攻击的标准防御措施.

Scenario 3 is what is known as a CSRF attack and your solution is the standard defense against this attack.

PS正如@cHao所说，您应该为生成的每种表单重新生成哈希.

PS As @cHao says, you should regenerate the hash for every form you generate.

这篇关于在PHP中使用随机数作为安全解决方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！