Why codeigniter2 doesn't store the csrf_hash in a more secure way, such as session?

Question

Why is the generated CSRF protection token not saved and used via the SESSION, as suggested here? Currently in CI2, the CSRF protection mechanism (in the Security class) works like this:

1. Generate a unique value for the CSRF token in the _csrf_set_hash() function:

$this->csrf_hash = md5(uniqid(rand(), TRUE));

2. Insert that token into a hidden form field (using the form_open helper).

3. The user submits the form and the server receives the token via POST. CI performs token verification in the _sanitize_globals() function of the Input class:

$this->security->csrf_verify();

4. The csrf_verify() function of the Security class just checks whether POST['token'] is set and whether POST['token'] is equal to COOKIE['token']:

public function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->_csrf_token_name]) OR
         ! isset($_COOKIE[$this->_csrf_cookie_name]))
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
    {
        $this->csrf_show_error();
    }

    // We kill this since we're done and we don't want to
    // pollute the _POST array
    unset($_POST[$this->_csrf_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->_csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified ");

    return $this;
}

Why not store the token in the session? IMHO, just checking that POST['token'] is non-empty and equal to COOKIE['token'] is not sufficient, because both might be sent by an evil site.

Answer

In CodeIgniter, they don't use native PHP sessions anywhere in the code.

The example you provided is shown using native PHP sessions.

When using the CodeIgniter Session class, you can either store data in cookies or store it in the database. [reference: http://codeigniter.com/user_guide/libraries/sessions.html]

When checking the CSRF data, it wouldn't make sense to hit the database every time, so it is plausible to store it in cookies.

I think it's generally safe, but there are some windows of vulnerability with this method. Perhaps encrypting it with a server-side key might help increase the security...

https://code.djangoproject.com/wiki/CsrfProtection#Sessionindependentnonce

According to the article, CSRF protection with a session-independent nonce (as used by CodeIgniter) is vulnerable to a CSRF + MITM (man-in-the-middle) attack:

"The attacker can set the CSRF cookie using Set-Cookie, and then supply a matching token in the POST form data. Since the site does not tie the session cookies to the CSRF cookies, it has no way of determining that the CSRF token + cookie are genuine (doing hashing etc. of one of them will not work, as the attacker can just get a valid pair from the site directly, and use that pair in the attack)."

Pretty much, the function csrf_verify() only checks whether the cookie and the POST input are equal, and both can be created through simple JavaScript. You should think twice about using this if you are serious about security.

Source: Does this Man-In-The-Middle attack work?
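The following PHP script is an added example, not code from the question, the answer, or CodeIgniter itself. It places the session-independent double-submit check that csrf_verify() implements next to a session-bound variant and runs both against a constructed forged request of the kind the Django wiki quote describes: the attacker plants a cookie and submits the same value in the POST body. The token and cookie names are assumed to match CI2's default config (csrf_test_name, csrf_cookie_name); the function names, the in-memory $session array standing in for server-side session storage, and the sample requests are this example's own assumptions.

```php
<?php
// Added example (not CodeIgniter's own code). Names, the $session array
// standing in for server-side session storage, and the sample requests
// below are assumptions made for illustration.
declare(strict_types=1);

const TOKEN_NAME  = 'csrf_test_name';   // assumed CI2 default config values
const COOKIE_NAME = 'csrf_cookie_name';

// Equivalent to the check in CI2's csrf_verify(): accept when the POST token
// and the cookie token are both present and equal. Nothing ties the pair to
// the user's session, so any matching pair is accepted, whoever produced it.
function verify_double_submit(array $post, array $cookie): bool
{
    if (!isset($post[TOKEN_NAME]) || !isset($cookie[COOKIE_NAME])) {
        return false;
    }
    return hash_equals((string) $cookie[COOKIE_NAME], (string) $post[TOKEN_NAME]);
}

// Session-bound variant: the expected token is kept in server-side session
// state that the attacker can neither read nor plant, so the POST value is
// compared against something the forging site never had.
function issue_session_token(array &$session): string
{
    $session[TOKEN_NAME] = bin2hex(random_bytes(32));
    return $session[TOKEN_NAME];
}

function verify_session_bound(array $post, array $session): bool
{
    if (!isset($post[TOKEN_NAME]) || !isset($session[TOKEN_NAME])) {
        return false;
    }
    return hash_equals($session[TOKEN_NAME], (string) $post[TOKEN_NAME]);
}

// --- Constructed scenario --------------------------------------------------

// 1. Legitimate user: the server issues a token and the browser echoes it in
//    both the hidden form field and the cookie.
$session     = [];
$legit       = issue_session_token($session);
$legitPost   = [TOKEN_NAME => $legit, 'amount' => '10'];
$legitCookie = [COOKIE_NAME => $legit];

// 2. Attacker (the Django wiki scenario): obtains a valid pair from the site
//    directly, plants the cookie on the victim via Set-Cookie, and submits the
//    same value in the forged POST. Same generator CI2 uses, cast for PHP 8.
$planted      = md5(uniqid((string) rand(), true));
$forgedPost   = [TOKEN_NAME => $planted, 'amount' => '1000000'];
$forgedCookie = [COOKIE_NAME => $planted];

// 3. Compare what each check does with the two requests.
$label = fn(bool $ok): string => $ok ? 'accept' : 'reject';
printf("double-submit, legit request:  %s\n", $label(verify_double_submit($legitPost, $legitCookie)));
printf("double-submit, forged request: %s\n", $label(verify_double_submit($forgedPost, $forgedCookie)));
printf("session-bound, legit request:  %s\n", $label(verify_session_bound($legitPost, $session)));
printf("session-bound, forged request: %s\n", $label(verify_session_bound($forgedPost, $session)));
```

Run it with `php csrf_compare.php`. The double-submit check accepts the forged request because the only thing it can verify is that two values the attacker controls agree with each other; the session-bound check rejects it because the forged POST token never matches the value stored server-side for that session. hash_equals is used in place of the `!=` in csrf_verify() so the comparison is constant-time, which does not change which requests are accepted.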
