解释在通过GET传输数据时使用令牌 [英] Explain the use of tokens in transmitting data over GET

问题描述

（Full context =对此问题的最新回应/讨论：电子邮件中的Button_to未发布）

我希望用户点击电子邮件中的链接，并能够在我的数据库中发布数据。我目前的理解是：最佳做法（根据上述问题的最新答案，以及其他我已经尝试过的答案） ）=用得到一个令牌传递到我的网站（所以可能是这样的 example.com?token=asdfaiosugkljlfkdjslfjasklf ），然后有一个脚本在我的网站采取该令牌，解析数据并将其发布。

原因标记应与GET一起使用是因为它不安全;任何人都可以看到URI，它可以被缓存/书签，因此，如果不断提交，它可能会导致数据库发生错误的POST，也就是说，我不应该这样做： example.com/:id / action 作为GET，因为它可以重复触发动作（在我的情况下，由于我的一个动作导致删除记录，所以这会很糟糕）

我不明白的是，令牌有什么不同，因为它不像每次用户打开他/她的电子邮件时一个不同的链接。即使我传递了一个令牌并且电子邮件中的链接是 example.com?token=asdfaiosugkljlfkdjslfjasklf ，那么这个链接仍然可以被添加书签/缓存/无论如何。作为我研究的一部分，我查看了另一个Web服务发送给我的电子邮件，在电子邮件中的哪个位置是一个按钮，我可以单击该邮件。事实上，每次我检查链接时，它总是一样的： www.theirsite.com/?uid=ABC 其中ABC是Bas​​e64标记。事实上，我可以反复点击它，我可以收藏并一次又一次地打开它。它看起来像是一个数据的掩码，但每次都是一样的掩码，是没有意义的。

现在，如果出于安全考虑掩码存在，我可以这样做，因为也许只有您的网站能够解码令牌。但就我而言，我只是想确保URI不会无意中导致多重重复POSTings，正如我所说会删除数据。我没有敏感的用户信息。

当然，我意识到在我的理解中可能有巨大的漏洞，所以我打开这个更聪明的人解释什么大家伙在以下方面做了些什么：

1. 是否仍然需要使用令牌传输数据（让我们说敏感数据，因为即使现在没有用，我确定我会在某个时候需要它）通过HTTP GET请求，当你需要数据POST到你的数据库？




2. 你如何确保URI只能修改数据库一次？ （是否有某种类型的第一个方法？之后用户会弹出一个消息，说他们已经执行了该操作？）

解决方案

令牌在这里有几个用途。首先，它们可用于验证您的行为是否合法来自您发送的电子邮件，而不是来自强制URL的某人。其次，令牌可用于防止意外重播或彻底的重播攻击。以下是如何操作：

当您发送一封电子邮件时，其链接如下：/ requests / 1001 / accept？token = asdf ...您实际应该是：A）以安全的方式随机生成令牌，以及B）将令牌存储到数据库中，可能还有一些额外的元数据。有关元数据的更多信息。

设计应该是：当且仅当该标记未被使用时，该请求才有效，仅限时间使用。当用户点击您的电子邮件链接时，您需要检查提供的令牌是否与您的令牌表中的某一行匹配。然后从表格中删除标记（除非您喜欢竞赛条件，请使用交易）。这可以说是实现你想要的最简单的方法 - 你不需要做其他任何事情来确保链接不会被双重跟随，并且你不能做任何事情（跟踪链接是否已经被使用或者没有被使用需要你还记得一些特定于该链接的信息，根据定义）。您在调查的电子邮件中看到的令牌以这种方式运行。

您可以向令牌添加其他元数据，例如可能合法使用它的用户的ID ， 例如。但是，这可能最终会取消您的数据库规范化，具体取决于您的其他表的设置。

请注意，这不是RESTful，因为它是mutate动作在GET请求中，但是在这种情况下，POST被高估了，并且不会给GET任何东西。在电子邮件中实现也很困难（您可以使用rails的_method参数对其进行破解，但它没有提供真正的好处）。

(Full context = latest response/discussion to this question: Button_to in email not posting)

I'd like a user to click a link in an email and be able to POST data in my database. My current understanding is:

• Best practice (per latest answer to question above, as well as other answers I've already tried) = use GET to transmit a token to my website (so might be something like example.com?token=asdfaiosugkljlfkdjslfjasklf) and then have a script on my website to take that token, parse the data, and POST it

• The reason tokens should be used with GET is because it's not secure; anyone can see the URI, it can be cached/bookmarked, and therefore, it can result in erroneous POSTs to the database if constantly submitted, i.e., I shouldn't do something like example.com/:id/action as a GET since this can trigger the action repeatedly (which in my case, since one of my actions results in deletion of records, that would be bad)

What I don't understand is how a token is any different, because it's not like every time the user opens his/her email, s/he sees a different link. Even if I passed a token and the link in the email were example.com?token=asdfaiosugkljlfkdjslfjasklf, well this link could still be bookmarked/cached/whatever. As part of my research, I looked at emails that another web service sends me where in the email is a button I can click that POSTs something. Indeed each time I check the link, it's always the same: www.theirsite.com/?uid=ABC where ABC is the Base64 token. And indeed I can click on it repeatedly, I can bookmark it and open it again and again. It just seems like a mask over data, but the same mask every single time, is pointless.

Now, if the mask is there for security's sake, I kind of get that because perhaps only your website is able to decode the token. But in my case, I just want to ensure that the URI doesn't inadvertently result in muliple repeat POSTings which, as I said would delete data. I don't have sensitive user information.

Of course, I realize that there are probably HUGE holes in my understanding so am opening this up for smarter people to explain what the "big guys" do in terms of:

1. Is it still necessary to use a token to transmit data (let's just say sensitive data because even if not useful now, I'm sure I'll need it at some point) via HTTP GET request when you need the data to POST to your database?

2. How do you ensure that the URI is only able to modify the database once? (is there a first method of some kind? after which the user gets a pop up that says they've already performed the action?)

解决方案

Tokens serve a couple purposes here. First, they can be used to authenticate your action is legitimately coming from an email you sent, and not from someone brute-forcing a URL. Second, the token can be used to prevent accidental replays, or outright replay-attacks. Here's how:

When you send an email with a link to something like: /requests/1001/accept?token=asdf... you should actually be: A) randomly generating the token in a secure way, and B) storing the token into your database, perhaps with some additional metadata. More on the metadata in a bit.

The design should be: the request is valid if and only if the token hasn't been used, and the token is one-time use only. When the user clicks on your email link, you need to check if the provided token matches a row in your token table. THEN DELETE THE TOKEN FROM THE TABLE (unless you like race conditions, use a transaction). This is provably the simplest way to achieve what you want - you don't need to do anything else to ensure links can't be double-followed, and you can't do anything less (tracking whether a link has been used or not requires you remember some information specific to that link, by definition). The tokens you see in the emails you investigated operate in this way.

You can add other metadata to the token, such as the ID of only user that may legitimately use it, for example. But this may end up de-normalizing your database depending on how your other tables are set up.

As a side note, this isn't RESTful since it's a mutate action in a GET request, but in this case POST is overrated and doesn't give you anything over a GET. It is also difficult to implement in emails (you can hack it with rails's _method parameter, but it offers no real benefit).

这篇关于解释在通过GET传输数据时使用令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！