如何提供更多安全性来检查请求源 [英] How do I provide more security for checking source of the request

问题描述

我正在开发一个PHP Web应用程序，我想为应用程序提供更高的安全性，以使任何人都无法轻易破坏该功能.

I am developing one PHP web application, I want to provide more security to application so that no one can easily break the functionality.

关于我的问题的简要说明: 在一个模块中，有一个阶段我要检查请求的来源(此请求来自何处)

Brief explanation about my problem : In one module there is one stage where I am checking the source of the request ( from where this request is coming from )

当前，我正在使用HTTP_REFERRER变量(在php中可用).我正在使用一个特定的URL(例如 http://www.example.com/test)检查此变量值. php ).如果存在完全匹配，则只有我要采取进一步的措施.

Currently, I am using HTTP_REFERRER variable ( available in php ). I am checking this variable value with one specific URL (e.g. http://www.example.com/test.php ). If exact match exist then only I am calling further actions.

我对上面的方法感到困惑，我应该使用HTTP_REFERRER还是检查IP地址(有效请求，如果它来自任何特定IP地址)?

I am bit confused with above approach, whether should i use HTTP_REFERRER or check with IP address( valid request if it is coming from any specific IP address )?

我还想知道提供安全性的更好方法.

I also want to know better approaches for providing security.

有人有主意然后分享?

预先感谢

推荐答案

网络安全性第一课: 永远不要相信用户输入.当我说永不，我的意思是永不. ;)在PHP中包含HTTP_REFER变量，该变量很容易被http标头破坏(来源:

Lesson #1 in web security: NEVER trust user input. And when I say never, I mean never. ;) Including the HTTP_REFER var in PHP which is easily compromised with an http header (source: http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se)

检查来源的一种可能解决方案是使用表单令牌(csrf保护):

A possible solution in checking the source is the using a form token (csrf protection): http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/ but isn't that safe either and is only possible with your own source.

一个简单的CSRF(跨站点请求伪造)保护示例:(因此很简单.有关更安全/可靠的解决方案，请参阅The Rook的答案)

A simple CSRF (cross-site request forgery) protection example: (Hence the simple. For a more safe/robust solution, refer to the answer of The Rook)

1)在表单页面中，创建某种令牌并将其放入会话和隐藏的表单字段中:

1) In your form page, create some kind of token and put in your session and in a hidden form field:

<?php
    session_start();
    $csrfToken = md5(uniqid(mt_rand(),true)); // Token generation updated, as suggested by The Rook. Thanks!

    $_SESSION['csrfToken'] = $token;
?>
<form action="formHandler.php">
   <input type="hidden" name="csrfKey" value="<?php echo $csrfToken ?>" />
</form>

2)在表单处理程序中，检查令牌是否有效.

2) In your form handler check if the token is valid.

<?php
   session_start();
   if($_POST['csrfKey'] != $_SESSION['csrfKey']) {
      die("Unauthorized source!");
   }
?>

这篇关于如何提供更多安全性来检查请求源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！