CSRF protection: do we have to generate a token for every form?

Question

Do we have to generate a token, for every form in a website? I mean, every-time to generate different token for every requested form? If not, why?

Recommended answer

In general, it suffices to have just one token per session, a so-called per-session token:

In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.

If you want to further enhance the security, you can use one token per each form/URL (per-form token) to mitigate the impact when one token leaks (e. g. XSS) as an attacker would only be able to successfully attack that specific form/URL.

But using per-request tokens, i. e. tokens that change with each request, rather cuts the usability of the website as it restricts parallel browsing:

To further enhance the security of this proposed design, consider randomizing the CSRF token […] for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. Note, however, that this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server.

So I recommend using either per-session tokens or per-form tokens.
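The three schemes the answer compares, as an added Python example that is not part of the original answer. The in-memory SESSIONS store and all function names are assumptions; per-form tokens are derived from the per-session secret with HMAC so no extra server state is needed, and per-request tokens are single-use, which is exactly what breaks the Back button.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session store: session_id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and generate its per-session CSRF token exactly once."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "request_tokens": set()}
    return sid


def session_token(sid):
    """Per-session token: the same value is embedded in every form for this session."""
    return SESSIONS[sid]["csrf"]


def check_session_token(sid, submitted):
    expected = SESSIONS.get(sid, {}).get("csrf")
    # Constant-time comparison so the check itself does not leak the token.
    return expected is not None and hmac.compare_digest(expected.encode(), submitted.encode())


def form_token(sid, form_id):
    """Per-form token: HMAC(per-session secret, form id). A token that leaks
    (e.g. via XSS on one page) is only valid for that specific form/URL."""
    key = SESSIONS[sid]["csrf"].encode()
    return hmac.new(key, form_id.encode(), hashlib.sha256).hexdigest()


def check_form_token(sid, form_id, submitted):
    if sid not in SESSIONS:
        return False
    return hmac.compare_digest(form_token(sid, form_id).encode(), submitted.encode())


def issue_request_token(sid):
    """Per-request token: fresh random value that is valid for one submission only."""
    tok = secrets.token_urlsafe(32)
    SESSIONS[sid]["request_tokens"].add(tok)
    return tok


def check_request_token(sid, submitted):
    tokens = SESSIONS.get(sid, {}).get("request_tokens", set())
    if submitted in tokens:
        tokens.discard(submitted)  # consumed: resubmitting the old page fails
        return True
    return False
```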