CSRF Token Needed?


Question

Ok, still trying to wrap my head around what they are and what they are needed for... believe me, I've read plenty on it and think I understand, but I probably don't...

The closest I can get is that they're definitely needed when you have log-in pages in any form on your site...

My question is: when you have a basic contact form and/or fill-in form for any reason... do you need CSRF tokens for those pages?

Recommended answer

CSRF tokens are not 'definitely needed' (as in, forms will work without them), but they are an extremely good idea whenever submitting any data from one webpage to another webpage/script. There is remarkably little way of trusting that any data page 2 receives came from page 1 (read the illustration below). Each page in isolation has no idea what page the user was on before, and even things that are intended to hint at this, such as $_SERVER['HTTP_REFERER'], can be easily manipulated by browser users.

CSRF tokens are a page-to-page key giving the receiving page a much higher level of trust that the visitor came from the intended sender page(s). Deployed properly, they can also prevent data repetition, which is also a big bonus and cuts down on unscrupulous spam and wasted CPU cycles.

CSRF tokens can be used in the following way:

Assume you have a form on a page called page1.php, and the form is a 'send contact email' form: the form is filled in and then sent, and the page it's sent to (page2.php) can build and then send a contact email to the intended recipient.

From this, the next step is that someone can read the source code of the page1.php form. This is trivially easy and tells people what $_POST values exist and the location of the destination the form is sent to (page2.php).

A simple user will load your page1.php, spend ten minutes writing a carefully worded email before pressing the SEND button and submitting the form. Off the form goes to page2.php, which builds its details into an email sent to receiver@email.com.

Now, if someone takes the source code from page1.php, they can use a simple PHP script (or any other code) to send hundreds or thousands of spam forms to page2.php, each of them with the correct details to generate and send out an email. This can be used for various nefarious processes; they can send forms from numerous other websites, any other parts of the internet or even from entire botnets if they choose to. page2.php would be inundated with many requests a second, and the receiver of the emails will have a mailbox jammed full of useless form-generated messages.

Enter CSRF tokens

A CSRF token is a unique key that is saved in the form upon generation on page1.php and would typically (but not exclusively) use (possibly randomly) generated $_SESSION values, so that when the form is submitted and the $_POST data is sent to page2.php, this is a fairly reliable check that the form is being submitted from the same website. So instead of having whole botnets submitting data to page2.php and causing many emails, the data is not being acted upon, and instead only pages submitted from the same website are being run in the page2.php script.

Alternatively, if the above situation were to occur, you can also track where bad submissions are coming from and use other processes/scripts to block/ban various other botnets/servers from submitting data to your server.

The above illustration is a form of insurance and process control, so you have strong reliability that data that passes through a CSRF on page2.php:

    session_start();
    // both values must exist: a bare === would accept null === null when
    // neither the session nor the form carries a key
    if (isset($_SESSION['key'], $_POST['key'])
        && $_SESSION['key'] === $_POST['key']) {
        unset($_SESSION['key']);   // prevent repetition
        // ...
        // send email
    }

(for example).

This if statement only runs with form data that's been reliably submitted from a reliable source (page1.php), thus preventing other servers piggybacking on your scripts, preventing crass attempts at DOS attacks overloading your page2.php, as well as various other positives from knowing that page1.php sent the data that is being used on page2.php.

Another aspect CSRF tokens are used for:

See in the code above that I unset the $_SESSION CSRF value? This means that if you press F5 or otherwise refresh the page2.php visit (typing it into your browser or whatever), it will not resubmit the genuine data twice. This can help prevent people filling in a form once and then constantly resubmitting it like an angry teenager on a forum (POST data is always saved in the page HTTP header and resubmitted when the page is called, so unsetting $_POST data in PHP is pointless).


CSRF is a security mechanism: once data has passed the CSRF token test, it means you can reliably tell that the data sent to your server script came from a valid, intended source.
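The page1.php / page2.php flow from the answer, written out as an added example (this is not the answerer's code): page1.php issues a random one-time token into the session and the form, page2.php checks it and then discards it. The function names are assumed; the session/form field name `key` follows the answer's `$_SESSION['key']`.

```php
<?php
// Added example, not from the original answer. Function names are assumed.

// page1.php side: generate a one-time token and store it in the session.
function csrf_issue(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 32 bytes from the CSPRNG, hex-encoded: a bot that only has the
    // form's source code cannot guess this value.
    $token = bin2hex(random_bytes(32));
    $_SESSION['key'] = $token;
    return $token;
}

// page2.php side: validate the submitted token, then invalidate it.
function csrf_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Both sides must be present: a plain `===` on missing values would
    // compare null === null and pass when no token was ever issued.
    if (!isset($_SESSION['key'], $post['key']) || !is_string($post['key'])) {
        return false;
    }
    // Constant-time comparison, then unset so a refresh/resubmit of
    // page2.php cannot reuse the same token (the answer's "prevent repetition").
    $ok = hash_equals($_SESSION['key'], $post['key']);
    unset($_SESSION['key']);
    return $ok;
}

// page1.php usage: embed the token as a hidden field in the contact form.
//   $token = csrf_issue();
//   echo '<form method="post" action="page2.php">';
//   echo '<input type="hidden" name="key" value="'
//        . htmlspecialchars($token, ENT_QUOTES) . '">';
//   // ... the rest of the contact form ...
//
// page2.php usage: refuse to build/send the email unless the token matches.
//   if (!csrf_check($_POST)) {
//       http_response_code(403);
//       exit('Bad or missing token');
//   }
//   // build and send the contact email here
```

Because the token is removed on every check, a mismatched submission also consumes the legitimate token, so a user who gets a 403 must reload page1.php to get a fresh form.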
