如何阻止用户伪造请求?或者如何检测虚假请求? [英] How to block an user from faking requests? Or how to detect fake requests?
问题描述
假设您有一个包含单个按钮的网站。
Let's suppose that you have a website that contains a single button.
按下此按钮时,会向服务器发送ajax请求 - 该服务器接收请求并在其数据库的内部计数器中添加1.
When this button is pushed, an ajax request is sent to the server - who receives the request and adds 1 in an internal counter on its database.
用户可以复制整个请求(及其标题)并创建一个脚本来发送无限请求以重载服务器(和计数器混乱)。
An user could copy the entire request (and its headers) and create a script to send infinite requests to overload the server (and mess with the counter).
我试图避免:
- 录制用户IP
- 使用Captcha
我在后面使用php -结束。有没有办法防止这种情况?有没有办法发送隐形请求?
I'm using php in my back-end. Is there any way to prevent this situation? Is there some way to send an "invisible" request?
推荐答案
您的问题被称为跨站点请求伪造。
Your problem is called "cross site request forgery".
解决此问题的一个好方法是在调用带有按钮的页面时生成随机字符串,将其写入用户会话和生成的页面,以及按下按钮一起发送(例如在GET请求中)。
A good way to solve this problem is to generate a random string when the page with the button on it is called, write it into the users session and into the generated page, and send it together with your button press (for example in a GET request).
在后端,检查提交的字符串是否与用户会话中的字符串匹配,然后从会话中删除字符串。只有当两个字符串匹配且不为空时才会继续。
On the backend side you check if the submitted string matches with the string in the users session and then delete the string from the session. Only proceed if both strings matched and weren't empty.
这样每个请求URL只有一次有效,并且仅对最初打开该页面的用户有效。按钮就可以了。
This way every request URL is only valid one time and only valid for the user who initially opened the page with the button on it.
这篇关于如何阻止用户伪造请求?或者如何检测虚假请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
