CSRF token for each request


Question

Can anyone help with how to generate a CSRF token for each request and how to validate it?

Recommended answer

In general you will have to getToken from your form template to include a hidden input in the form, and then in the receiving Servlet ensure that you are getting a POST request and isValid.

How you tie that up consistently across your app will depend on what framework code you're using. If by "Action Class" you're referring to Struts 2, then that framework already has its own TokenSessionInterceptor mechanism for CSRF, which generally you would want to re-use.

Now the requirement is for each request

If you mean that someone is asking for the CSRF token to be changed on every page load, you should fight that request because it is bogus.

"CSRF token isn't invalidated on every request" is a common filler-finding on pen test reports, but fixing it will make your app much less usable. If your old token is invalidated on each new page then you won't be able to use different pages in two tabs simultaneously, or navigate back a page and then submit a form.

When you should be invalidating the CSRF token (and issuing a new one) is at the same time you invalidate your session: on any privilege level change. Most obviously, when the user logs in successfully you should throw away the old session, and the old CSRF token inside it, and replace them with new tokens to prevent session fixation attacks.

But going further than that sacrifices usability, for no gain in security.
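As an added illustration (not code from the answer, and not the API of Struts 2 or any other framework), here is a small Python model of the lifecycle the answer describes: one token per session emitted as a hidden input, a receiving handler that accepts only a POST carrying the matching token, and rotation of both the session and its token at login rather than on every page load. The names Session, get_token, is_valid, rotate_on_login and the field name _csrf_token are assumptions standing in for whatever the servlet framework provides.

```python
import html
import hmac
import secrets

CSRF_FIELD = "_csrf_token"  # name of the hidden form field (assumed name)


class Session:
    """Stand-in for a server-side session store (constructed for this example)."""

    def __init__(self):
        self.id = secrets.token_urlsafe(16)  # would be the session cookie value
        self.data = {}


def get_token(session):
    """Return the session's CSRF token, minting one on first use.

    The same token is reused for every page rendered in this session, so the
    user can keep two tabs open or use the back button and still submit forms.
    """
    token = session.data.get(CSRF_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session.data[CSRF_FIELD] = token
    return token


def hidden_input(session):
    """What the form template emits: a hidden input carrying the token."""
    return '<input type="hidden" name="%s" value="%s">' % (
        CSRF_FIELD, html.escape(get_token(session)))


def is_valid(session, method, form):
    """Check a state-changing request in the receiving handler.

    Rejects anything that is not a POST, anything without a token, and any
    token that does not match the session's own. compare_digest keeps the
    comparison time independent of where the first mismatch occurs.
    """
    if method != "POST":
        return False
    expected = session.data.get(CSRF_FIELD)
    submitted = form.get(CSRF_FIELD)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def rotate_on_login(old_session, username):
    """Privilege change: throw the old session away, token included.

    A fresh session id defeats session fixation; a fresh CSRF token means a
    token seen before login is useless afterwards. Non-sensitive data (e.g. a
    shopping cart) may be carried over, but the token never is.
    """
    new_session = Session()
    for key, value in old_session.data.items():
        if key != CSRF_FIELD:
            new_session.data[key] = value
    new_session.data["user"] = username
    old_session.data.clear()  # the old session must not remain usable
    return new_session


def demo():
    """Walk through the lifecycle; returns True if every check behaves as expected."""
    anon = Session()
    token = get_token(anon)
    # Two tabs rendered from the same session get the same hidden field.
    same_for_second_tab = hidden_input(anon) == hidden_input(anon)
    good = is_valid(anon, "POST", {CSRF_FIELD: token})
    get_rejected = not is_valid(anon, "GET", {CSRF_FIELD: token})
    missing_rejected = not is_valid(anon, "POST", {})
    wrong_rejected = not is_valid(anon, "POST", {CSRF_FIELD: secrets.token_urlsafe(32)})
    # Login rotates both the session id and the token.
    user = rotate_on_login(anon, "alice")
    rotated = user.id != anon.id and get_token(user) != token
    old_token_dead = not is_valid(user, "POST", {CSRF_FIELD: token})
    return all([same_for_second_tab, good, get_rejected, missing_rejected,
                wrong_rejected, rotated, old_token_dead])


if __name__ == "__main__":
    print("all checks passed:", demo())
```

The point the model makes concrete is the answer's last two paragraphs: the token is stable for the life of the session (so multi-tab use and back-navigation keep working), and it changes exactly when the session changes, at login. In a real servlet the session id and the token would live in the container's HttpSession and be rotated via the container's session-invalidation call; the Python dictionaries here only stand in for that.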
