防止CSRF的Ajax请求和形式没有提交按钮 [英] protecting against CSRF on ajax requests and forms without submit buttons

问题描述

我是相当新的网络安全。我想知道什么是使用了Ajax请求和形式的标记没有提交按钮（如状态更新），以保护agains CSRF的正确方法。有人能告诉我一个code样？我知道如何做正确的表单提交按钮。此外，在我的AJAX的文件夹我有以下内容的htaccess的：

I'm fairly new to web security. I was wondering what would be the correct way to use tokens on ajax requests and forms without submit buttons (ie status updates) to protect agains CSRF. Could someone show me a code sample? I know how to do it properly for forms with a submit button. Also in my ajax folder I have a htaccess with the following:

SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax

时有足够的安全Ajax请求，或者我应该也实现了令牌的安全性Ajax请求？

Is that enough security for ajax requests, or should i also implement token security for ajax requests?

推荐答案

所有你需要做的是产生一个秘密的（标记）在页面加载时。将它放置在页面上，并在会议上。通常情况下，我把它的形式作为隐藏字段，如果我可以，或者如果它是一个更大的非常ajaxy页面的一部分，我就会把它的值属性，如DIV包裹整个页面相关的元素。其他人会添加脚本标记与变​​量设置为秘密。

All you need to do is generate a secret (token) when the page loads. Place it on the page, and in session. Typically I put it in the form as a hidden field if I can, or if it is part of a larger very ajaxy page, I'll put it in a value attribute on a related element like the div wrapping the whole page. Others will add a script tag with a variable set to the secret.

然后，每当你做一个AJAX调用或发送的形式，包括你的秘密领域。 （Cheekysoft的答案进入更加详细地介绍如何使用原始JS做到这一点，这是可以做到大致相同与jQuery或您可能使用的任何其他框架。）匹配到后端会话值，以确保它们仍相同的（来自同一来源），你是好。

Then, whenever you make an AJAX call or send the form, you include a field for the secret. (Cheekysoft's answer goes into more detail about how to do this with raw JS, it can be done roughly the same with jQuery or any other framework you might be using.) Match it to the session value on the back end to ensure they are still the same (came from the same source), and you are good.

如果要增加安全性，再生在每个请求的秘密，并返回新的秘密连同所请求的数据。有你所有的Ajax请求更换隐藏字段或值属性的新值。这并没有真正很好地工作，如果要执行大量请求，或并发请求。说真的，生成一个每次整个页面加载应该是不够的，如果你这样做是通过HTTPS，你应该的。

If you want added security, regenerate the secret on each request and return that new secret along with the requested data. Have all your ajax requests replace that hidden field or value attribute with the new value. This doesn't really work well if you are performing lots of requests, or concurrent requests. Really, generating one each time the whole page is loaded should be enough if you are doing this over HTTPS, which you should be.

如果你不这样做，通过HTTPS，那么它真的没关系，有人坐在网吧/星巴克只是窃取会话，并重新加载页面。

If you aren't doing this over HTTPS, then it really doesn't matter, someone sitting in an internet cafe / starbucks can just steal the session and reload the page.

如果你打算做这个有很多，这是值得一试jQuery和各种插件，这将有助于做你CSRF保护。 另外，我的方法是不是唯一的方式。

If you are going to be doing this a lot, it is worth checking out jQuery and various plugins that will help do the CSRF protection for you. Also, my way isn't the only way.

这篇关于防止CSRF的Ajax请求和形式没有提交按钮的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！