CSRF token value when the same page is opened in two tabs on the same machine?


Question

From my understanding, when CSRF is enabled on the server side, the server creates a token (say token1), injects it into the form and saves the same in a cookie in the client browser. When the client sends the form request to the server, it sends the CSRF token (token1) from the browser cookie and also sends the same token as in the form. The server validates the request by checking that the token in the cookie and the token in the form match, and then processes the request.

Now, if I open the same form in another tab, will the server generate another token (token2) and inject it into the form and the cookie? Then, in the cookie, token1 will be overwritten by token2. So the submission of the form in the first tab will not work in this case? But from experience I see that the submission of the form in tab 1 still succeeds.

So can someone explain how it's succeeding in the above scenario?

Accepted answer

Since you have added the Spring Security tag, I will describe how Spring Security uses the Synchronizer Token Pattern to protect against CSRF attacks.

"the server creates a token (say token1) and injects it into the form and saves the same in the cookie of the client browser."

That's not exactly what happens. The server will create a CSRF token (token1) and store that token in the HttpSession. The CSRF token (token1) is also embedded in the form on the client side. The client is also given a Session ID (session-id1), which is stored in a cookie.

When the client submits the form, it sends token1 and session-id1. The server will then use session-id1 to look up the HttpSession and get the expected CSRF token for that session. It will compare the expected CSRF token to token1, and if the values do not match, the HTTP request will be rejected.

If you open the same form in another tab, the browser will still have access to the Session ID (session-id1). That form will get the same token (token1) that was associated with session-id1.

In the end, there is only one CSRF token (token1) that is used in both tabs.
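The following is an added illustration (not Spring Security's code and not part of the original answer) of the session-scoped synchronizer token described above: the token lives in the server-side session, the browser only holds the session-id cookie, so a second tab rendering the same form gets the same token and a submission from either tab validates. The `sessions` dict, function names and the lazy token creation are assumptions chosen to mirror the answer's description.

```python
import hmac
import secrets
from typing import Dict, Optional

# Assumed in-memory stand-in for the servlet container's HttpSession store:
# session-id (the cookie value) -> session attributes.
sessions: Dict[str, dict] = {}


def open_session() -> str:
    """First visit: issue a session-id cookie backed by an empty session."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {}
    return sid


def render_form(session_id: str) -> str:
    """GET of the form page: create the CSRF token on first use, keep it in the
    session, and return the value embedded in the page's hidden _csrf field."""
    session = sessions[session_id]
    if "CSRF_TOKEN" not in session:
        session["CSRF_TOKEN"] = secrets.token_urlsafe(32)
    return session["CSRF_TOKEN"]


def submit_form(session_id: Optional[str], form_token: Optional[str]) -> bool:
    """POST of the form: resolve the session from the cookie and compare the
    expected token with the submitted one (constant-time). Reject if the session
    is unknown, no token was ever issued, or the token is missing/mismatched."""
    session = sessions.get(session_id or "")
    if session is None or "CSRF_TOKEN" not in session or form_token is None:
        return False
    return hmac.compare_digest(session["CSRF_TOKEN"], form_token)


def two_tabs_same_token() -> bool:
    """The scenario from the question: one browser, one session cookie, two tabs."""
    sid = open_session()
    tab1_token = render_form(sid)  # tab 1 loads the form
    tab2_token = render_form(sid)  # tab 2 loads the same form with the same cookie
    # Both tabs embed token1; submitting from either tab still succeeds.
    return (tab1_token == tab2_token
            and submit_form(sid, tab1_token)
            and submit_form(sid, tab2_token))


def request_without_page_token_rejected() -> bool:
    """A request that rides on the session cookie but lacks the token embedded
    in the page (the case the pattern defends against) is refused."""
    sid = open_session()
    render_form(sid)
    return not submit_form(sid, None) and not submit_form(sid, secrets.token_urlsafe(32))
```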
