CSRF验证令牌:会话ID安全吗? [英] CSRF Validation Token: session id safe?
问题描述
在asp.net我实现一个IHttpModule的,以减轻CSRF攻击。它注入到反馈的HTML与asp.net的SessionID上获取一个隐藏的表单参数。在帖吧,然后进行检查,以确保隐藏的参数值当前的SessionID相匹配。据我所知,得到的SessionID值的唯一方法是从cookie,而不能读取或恶意站点来确定。有什么我可以俯瞰?
In asp.net I am implementing an IHttpModule to mitigate CSRF attacks. It injects into the response html a hidden form parameter with the asp.net SessionID on GETs. On POSTs it then checks to make sure that hidden parameter's value matches the current SessionID. As far as I know, the only way to get the SessionID value is from the cookie, which couldn't be read or determined by the malicious site. Is there anything I am overlooking?
推荐答案
这做法是正确的。你需要确保所有通过GET操作可采取的行动是安全(这是最好的做法是这样),因为你申请你的XSRF仅保护帖子。
This approach is correct. You need to make sure that all of the actions available via a GET operation are "safe" (which is best practice anyway), since you're applying your XSRF protection to POSTs only.
有关额外的保险,你可以用它变得太(通过添加URL参数所有链接,并在每一个GET请求检查),但它的麻烦了。
For extra insurance, you could use it on GETs too (by adding a URL parameter to all of your links, and checking for it in every GET request), but it's cumbersome.
如果你是偏执外,你可以选择替代ID不同的随机数。即使一个浏览器错误地使你的会话cookie访问一些敌对的Javascript在其他网站上,这将保护你。当创建一个会话,请选择另一个大随机数并将其存储在您的会话。
If you are extra paranoid, you can choose a different random number for the alternate ID. This would protect you even if a browser incorrectly makes your session cookie accessible to some hostile Javascript on another site. When a session is created, choose another big random number and store it in your session.
这篇关于CSRF验证令牌:会话ID安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!