在“登录/注册"表单中填充AntiForgeryToken是否有意义? [英] Does it make sense to populate an AntiForgeryToken in Login/Register forms?
问题描述
我希望我的问题不太简单,但是您知道涉及安全性时,我们都会对此表示怀疑.
由于在这两种情况(登录/注册)之前,我们没有登录用户(会话cookie),为什么还要麻烦以登录/注册形式使用AntiForgeryToken?
通常,您不需要.您正在谈论的攻击是跨站点请求伪造(CSRF).这种类型的攻击依赖于已登录的用户(如果您登录到站点A和站点B,并且站点A知道这一点,则他们可能会在其中放置html代码,从而导致访问站点B的请求看起来像这样)您启动了它,并可能导致执行敏感操作).这些攻击依赖于浏览器将会话cookie/令牌连同所有请求发送到有问题的站点(站点A包括对站点B的请求以执行操作X,这导致浏览器向站点B发送请求,因此包括所有cookie ,包括会话Cookie,将与该请求一起发送到网站B.
反CSRF令牌之所以起作用,是因为当您向客户端发送请求表单时,您会包含一个不可猜测的值,客户端必须将其发送回其操作请求.如果返回,则表明执行操作的请求源自发送给客户端的表单.如果没有返回,则该请求可能是伪造的,因此您应该忽略它.如果站点A上的代码导致请求发送到站点B,即使具有站点B的会话cookie,站点A上的代码也不知道要包含的反CSRF令牌值,因此伪造的请求将被拒绝./p>
因此,如果您要防范站点上的CSRF攻击,则需要以所有形式包含这些令牌,这些令牌可以启动敏感操作,以防止利用登录用户的伪造请求.对于未登录的用户来说,这种防御是无关紧要的,因为如果用户当前未登录,则另一个站点无法利用浏览器将发送带有所有请求的会话cookie/令牌这一事实.
I hope my question is not too simple, but you know when it comes to security, we all get skeptic.
Since before these two cases (login/registration), we don't have a logged-in user (a session cookie), Why would we bother having an AntiForgeryToken in login/register form?
Generally, you don't. The attack you're talking about is a Cross-Site Request Forgery (CSRF). This type of attack relies on a logged-in user (if you're logged in to site A and site B and site A knows this, they could put html code in that would cause a request to go to site B that would look like you initiated it and may cause for a sensitive action to be performed). These attacks rely on the browser sending the session cookie/token with all requests to the site in question (site A includes a request to site B to do action X, which causes the browser to send a request to site B, thus including all cookies, including session cookies, to be sent to site B with that request).
The anti-CSRF tokens work because when you send a request form to a client, you include an unguessable value that the client must send back with their action request. If it comes back, you know that the request for an action to be performed originated with a form you sent to the client. If it does not come back, the request may be forged, so you should ignore it. If code on site A caused a request to be sent to site B, even with the session cookie for site B, the code on site A would not know the anti-CSRF token value to include, so the faked request would be rejected.
So, if you are trying to guard against CSRF attacks on your site, you need to include these tokens in all forms that can initiate sensitive actions to prevent forged requests taking advantage of logged-in users. This defense is irrelevant for non-logged in users, as another site cannot take advantage of the fact that a browser would send the session cookie/token with all requests, if a user is not currently logged in.
这篇关于在“登录/注册"表单中填充AntiForgeryToken是否有意义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
