CSRF tokens vs Nonce confusion - are they the same?


Question

In an attempt to make the current application I'm developing more secure, I've been reading about CSRF tokens and also nonces.

My question simply is: are CSRF tokens and nonces the same thing? From what I could gather so far, both of these methods use different techniques to accomplish the same goal, or am I misunderstanding something?

If they are different, could you be nice enough to provide some example code or point me to some links where I can learn more about how to implement nonces in PHP apps?

Thanks!

Answer

A nonce is usually some random string that is added to a request just to change, in an unpredictable way, the data that is used to calculate the signature. So a nonce is usually not used by any server-side business logic.

A CSRF token, on the other hand, is stored somewhere on the server, passed to the client, and needs to be returned to the server to compare. If it matches - then OK.

So in your case it will be better to save the CSRF token once in a session variable, like

$_SESSION['csrf_token'] = bin2hex(random_bytes(16));

and use it unchanged during the session's lifetime in all the forms you have in your application.

(If you don't have random_bytes(), use random_compat to polyfill it.)
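The distinction the answer draws, shown as an added PHP example (not code from the original answer or from any project): a session-bound CSRF token that the server stores, embeds in every form and compares on submit, beside a request nonce that only feeds an HMAC signature and is rejected on reuse. The function names, the `$seen_nonces` replay store and the secret are assumptions made up for the example.

```php
<?php
// Added example, not from the original answer: CSRF token vs. nonce side by side.
declare(strict_types=1);

// ---- CSRF token: stored server-side in the session, echoed back by each form ----

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Generated once per session and reused for every form, as the answer suggests.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

function csrf_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // is_string() rejects csrf_token[]=... array tricks; hash_equals() is constant-time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// ---- Nonce: a fresh random value mixed into a signed payload, accepted only once ----

function sign_request(array $params, string $secret): array
{
    // The nonce exists only to make every signature unique; no business logic reads it.
    $params['nonce'] = bin2hex(random_bytes(16));
    ksort($params);
    $params['sig'] = hash_hmac('sha256', http_build_query($params), $secret);
    return $params;
}

// $seen_nonces stands in for a persistent store (database, cache) of already-used nonces.
function verify_request(array $params, string $secret, array &$seen_nonces): bool
{
    $sig = $params['sig'] ?? '';
    unset($params['sig']);
    if (!is_string($sig) || !isset($params['nonce']) || !is_string($params['nonce'])) {
        return false;
    }
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), $secret);
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    // Replay protection: a nonce that was already accepted is refused the second time.
    if (isset($seen_nonces[$params['nonce']])) {
        return false;
    }
    $seen_nonces[$params['nonce']] = true;
    return true;
}

// ---- Demo with constructed inputs ----
if (PHP_SAPI === 'cli') {
    echo csrf_field(), PHP_EOL;
    var_dump(csrf_check(['csrf_token' => csrf_token()]));   // bool(true)
    var_dump(csrf_check(['csrf_token' => 'forged-value']));  // bool(false)

    $secret = 'example-shared-secret';                       // assumption: shared with the client
    $seen   = [];
    $signed = sign_request(['action' => 'transfer', 'amount' => '10'], $secret);
    var_dump(verify_request($signed, $secret, $seen));       // bool(true)
    var_dump(verify_request($signed, $secret, $seen));       // bool(false): replayed nonce
    $signed['amount'] = '1000';
    var_dump(verify_request($signed, $secret, $seen));       // bool(false): signature no longer matches
}
```

The CSRF half works because the token lives in the session and an attacker's cross-site form cannot read it; the nonce half works because the signature covers the nonce and the parameters, so a captured request can neither be modified nor replayed. Run with `php example.php`; in a real application call `csrf_check($_POST)` before acting on any state-changing POST.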

