Best way to secure an AJAX app


Question


I am currently working on the authentication of an AJAX based site, and was wondering if anybody had any recommendations on best practices for this sort of thing.


My original approach was a cookie based system. Essentially I set a cookie with an auth code, and every data access changed the cookie. As well, whenever there was a failed authentication, all sessions by that user were de-authenticated, to keep hijackers out. To hijack a session, somebody would have to leave themselves logged in, and a hacker would need to have the very last cookie update sent to spoof a session.


Unfortunately, due to the nature of AJAX, when making multiple requests quickly, they might come back out of order, setting the cookie wrong, and breaking the session, so I need to reimplement.

My thoughts are:

  • A decidedly less secure session based method

  • An iFrame, authenticated via ssl, to perform secure transactions (I only assume this is possible, with a bit of jquery hacking)


The issue is not the data being transferred, the only concern is that somebody might get control over an account that is not theirs.


Answer


A common solution is to hash the user's session id and pass that in with every request to ensure the request is coming from a valid user (see this slideshow). This is reasonably secure from a CSRF perspective, but if someone was sniffing the data it could be intercepted. Depending on your needs, ssl is always going to be the most secure method.
