CSRF令牌-如何正确实施？ [英] CSRF tokens - how to implement properly?

问题描述

我刚刚在应用程序中设置了一个简单的CSRF保护。

I've just setup a simple CSRF protection in my application. It creates a unique crumb which are validated against a session value upon submitting a form.

不幸的是，这意味着我现在不能保留多个实例（浏览器中的选项卡） CSRF屑相互碰撞时，我的应用程序同时打开。

Unfortunately this means now that I can't keep multiple instances (tabs in the browser) of my application open simultaneously as the CSRF crumbs collide with each other.

我应该为每个实际表单创建一个单独的令牌还是为我的所有表单使用一个共同的共享屑？
这是什么常识？

Should I create an individual token for each actual form or use a mutual, shared crumb for all my forms? What are common sense here?

推荐答案

您可以执行任何一项操作。这取决于您想要的安全级别。

You can do either. It depends on the level of security you want.

OWASP企业安全API（ESAPI）使用每个用户会话单个令牌方法。假设您没有XSS漏洞并且会话超时时间很短，那么这可能是一种非常有效的方法。如果您允许会话保持几天或几周的生命，那么这不是一个好方法。

The OWASP Enterprise Security API (ESAPI) uses the single token per user session method. That is probably a pretty effective method assuming you have no XSS holes and you have reasonably short session timeouts. If you allow sessions to stay alive for days or weeks, then this is not a good approach.

我个人并不认为很难为每个表单的每个实例使用不同的令牌。我将具有键值对的结构存储在用户的会话中。每个项目的键是表单的ID，值是包含令牌和该令牌的到期日期的另一个结构。通常，我只允许令牌生存10-20分钟，然后令牌过期。对于更长的表格，我可能会给它一个较长的到期时间。

Personally, I do not find it difficult to use a different token for each instance of each form. I store a structure in the user's session with key-value pairs. The key for each item is the ID of the form, the value is another structure that contain the token and an expiry date for that token. Typically I will only allow a token to live for 10-20 minutes, then it expires. For longer forms I may give it a long expiry time.

如果您希望能够在同一会话中的多个浏览器选项卡中支持相同的表单，那么我的方法将变得有些棘手，但仍然可以轻松实现唯一的表单ID。

If you want to be able to support the same form in multiple browser tabs in the same session, then my method becomes a little trickery but could still be easily done by having unique form IDs.

这篇关于CSRF令牌-如何正确实施？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！