CSRF Token in new Tab and browser Window


Problem description


I have implemented CSRF attack prevention on my nodejs server in the following way -

User on login receives a CSRF token and a cookie (JWT based token stored in a cookie). The CSRF token is made a part of all future request headers sent from the client using $.ajaxSetup.

Whenever a request is made (GET or POST) by the user, I compare the cookie and csrf token (in the header) sent by the client with the stored ones on my server and the application works fine.

However, when a logged-in user opens a new tab or a new browser window, the client has the cookie but does not have the CSRF token in its request headers. So the server considers this a CSRF attack and blocks the request!

My question is - without compromising on CSRF security, how can I have the same session running in multiple browser tabs and windows without having the user log in multiple times?

Recommended answer

I decided to go with the x-requested-with header. This header is part of all AJAX requests in jQuery by default.

More details -
What's the point of the X-Requested-With header?
http://security.stackexchange.com/questions/107906/alternative-to-anti-csrf-tokens-for-ajax-request-same-origin-policy

This allows cross-tab, cross-window browsing where a cookie is used for user authentication and the x-requested-with header is checked to prevent CSRF attacks.
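As an added illustration of the accepted approach (this is example code written for this page, not code from the original poster or answerer), the middleware below performs the X-Requested-With check on state-changing requests and lets safe GET page loads through, so a freshly opened tab can load the app and its jQuery calls then pass the check. The helper names (`isSafeMethod`, `isAllowedRequest`, `requestedWithGuard`, `demo`) and the sample requests are constructed for the demo; only Node built-ins are used, so it runs with plain `node`.

```javascript
// Added example (not from the original post): an Express-style middleware that
// enforces the answer's X-Requested-With check on state-changing requests.
// Helper names and the sample requests below are constructed for this demo.

// Methods that must not change server state and therefore need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function isSafeMethod(method) {
  return SAFE_METHODS.has(String(method || '').toUpperCase());
}

// Node lowercases incoming header names; normalise anyway so the check also
// works on hand-built request objects with mixed-case keys.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Decision used by the middleware. A state-changing request passes only when
// it carries "X-Requested-With: XMLHttpRequest", which jQuery adds to its AJAX
// calls. HTML form posts and top-level navigations cannot set custom headers,
// and cross-origin XHR/fetch may only send one after a CORS preflight that this
// server does not approve, so a request forged from another origin is rejected,
// while a new tab of the same app (whose jQuery sets the header) is accepted
// without any per-tab token.
function isAllowedRequest(method, headers) {
  if (isSafeMethod(method)) return true;
  const value = getHeader(headers, 'X-Requested-With');
  return typeof value === 'string' && value.trim().toLowerCase() === 'xmlhttprequest';
}

// Connect/Express-compatible middleware: mount it before the routes that are
// authenticated by the session cookie.
function requestedWithGuard(req, res, next) {
  if (isAllowedRequest(req.method, req.headers)) return next();
  res.statusCode = 403;
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ error: 'missing or invalid X-Requested-With header' }));
}

// Minimal response stub so the middleware can be exercised without a server.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.end = (b) => { res.body = b; };
  return res;
}

// Runs the guard over constructed sample requests and returns the status each
// one received: the new-tab page load, a cross-site form post (no custom
// header possible) and a same-app jQuery AJAX post.
function demo() {
  const samples = [
    { label: 'GET page load in a new tab', method: 'GET',
      headers: { cookie: 'session=constructed-sample' } },
    { label: 'POST from a cross-site HTML form', method: 'POST',
      headers: { cookie: 'session=constructed-sample' } },
    { label: 'POST via jQuery AJAX', method: 'POST',
      headers: { cookie: 'session=constructed-sample', 'x-requested-with': 'XMLHttpRequest' } },
  ];
  return samples.map((req) => {
    const res = fakeResponse();
    let reached = false;
    requestedWithGuard(req, res, () => { reached = true; res.end('ok'); });
    return { label: req.label, status: reached ? 200 : res.statusCode };
  });
}

for (const r of demo()) console.log(`${r.status}  ${r.label}`);
```

Two points a deployer should keep in mind with this design: the check only holds while GET handlers never change state, and while the server's CORS configuration does not let arbitrary origins send `X-Requested-With` (a permissive `Access-Control-Allow-Origin` combined with that header in `Access-Control-Allow-Headers` would approve the preflight). Marking the session cookie `SameSite=Lax` or `Strict` is an independent second layer that also survives new tabs.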

