CSRF验证令牌：会话ID安全吗？ [英] CSRF Validation Token: session id safe?

问题描述

在asp.net我实现一个IHttpModule的，以减轻CSRF攻击。它注入到反馈的HTML与asp.net的SessionID上获取一个隐藏的表单参数。在帖吧，然后进行检查，以确保隐藏的参数值当前的SessionID相匹配。据我所知，得到的SessionID值的唯一方法是从cookie，而不能读取或恶意站点来确定。有什么我可以俯瞰？

In asp.net I am implementing an IHttpModule to mitigate CSRF attacks. It injects into the response html a hidden form parameter with the asp.net SessionID on GETs. On POSTs it then checks to make sure that hidden parameter's value matches the current SessionID. As far as I know, the only way to get the SessionID value is from the cookie, which couldn't be read or determined by the malicious site. Is there anything I am overlooking?

推荐答案

这做法是正确的。你需要确保所有通过GET操作可采取的行动是安全（这是最好的做法是这样），因为你申请你的XSRF仅保护帖子。

This approach is correct. You need to make sure that all of the actions available via a GET operation are "safe" (which is best practice anyway), since you're applying your XSRF protection to POSTs only.

有关额外的保险，你可以用它变得太（通过添加URL参数所有链接，并在每一个GET请求检查），但它的麻烦了。

For extra insurance, you could use it on GETs too (by adding a URL parameter to all of your links, and checking for it in every GET request), but it's cumbersome.

如果你是偏执外，你可以选择替代ID不同的随机数。即使一个浏览器错误地使你的会话cookie访问一些敌对的Javascript在其他网站上，这将保护你。当创建一个会话，请选择另一个大随机数并将其存储在您的会话。

If you are extra paranoid, you can choose a different random number for the alternate ID. This would protect you even if a browser incorrectly makes your session cookie accessible to some hostile Javascript on another site. When a session is created, choose another big random number and store it in your session.

这篇关于CSRF验证令牌：会话ID安全吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！