CSRF protection: do we have to generate a token for every form?


Question

Do we have to generate a token for every form in a website? I mean, generate a different token every time for every requested form? If not, why?

Recommended answer

In general, it suffices to have just one token per session, a so-called per-session token:

In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.

If you want to further enhance the security, you can use one token per form/URL (per-form token) to mitigate the impact when one token leaks (e.g. via XSS), as an attacker would only be able to successfully attack that specific form/URL.

But using per-request tokens, i.e. tokens that change with each request, rather cuts the usability of the website as it restricts parallel browsing:

To further enhance the security of this proposed design, consider randomizing the CSRF token […] for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. Note, however, that this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server.

So I recommend that you use either per-session tokens or per-form tokens.
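The three schemes the answer compares, as an added Python example that is not part of the original post: a per-session token generated once, a per-form token derived from it by an HMAC over the form/URL id (an assumed derivation, not one the answer prescribes), and per-request rotation that invalidates the token on any page rendered earlier. The in-memory session dict stands in for a framework's session store.

```python
import hmac
import hashlib
import secrets


def new_session():
    """Create a session dict carrying one per-session CSRF token, generated once."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def session_token(session):
    """Per-session token: the same value goes into every form until the session ends."""
    return session["csrf_token"]


def form_token(session, form_id):
    """Per-form token (assumed derivation): HMAC of the form/URL id keyed by the
    session token. A token taken from one form verifies only for that form and does
    not reveal the session token or other forms' tokens (HMAC-SHA256 acts as a PRF)."""
    return hmac.new(session["csrf_token"].encode(), form_id.encode(), hashlib.sha256).hexdigest()


def _equal(expected, submitted):
    """Constant-time comparison; a missing or non-string submission simply fails."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def verify_session_token(session, submitted):
    return _equal(session["csrf_token"], submitted)


def verify_form_token(session, form_id, submitted):
    return _equal(form_token(session, form_id), submitted)


def rotate_request_token(session):
    """Per-request scheme: mint a fresh token on every page render. Any page rendered
    earlier (for example one reached with the Back button) now carries a stale token
    and its submission fails, which is the usability cost described in the answer."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


if __name__ == "__main__":
    s = new_session()
    t_transfer = form_token(s, "/transfer")
    print("transfer token valid on /transfer:", verify_form_token(s, "/transfer", t_transfer))
    print("transfer token valid on /profile: ", verify_form_token(s, "/profile", t_transfer))
    stale = session_token(s)
    rotate_request_token(s)
    print("old token after rotation:        ", verify_session_token(s, stale))
```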
