Codeigniter CSRF - how does it work


Question

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have to manually do that?

Recommended answer

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: https://beheist.com/blog/csrf-protection-in-codeigniter-2-0-a-closer-look.html
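The answer above describes CodeIgniter 2.x's double-submit-cookie scheme in prose. The script below is an added, stand-alone illustration of that scheme, not CodeIgniter's own code: the `$config` keys (`csrf_protection`, `csrf_token_name`, `csrf_cookie_name`, `csrf_expire`) are the real CI 2.x settings, but the functions and the in-memory `$cookies`/`$post` arrays standing in for `$_COOKIE`/`$_POST` are this example's own, so it can run offline and show a legitimate submission, a forged cross-site POST, and a token/cookie mismatch.

```php
<?php
// Added example of the double-submit-cookie pattern CodeIgniter 2.x uses for
// CSRF protection. Function names, the $cookies/$post arrays and the request
// simulation are this example's assumptions, not CI's API. Requires PHP >= 7.0.

$config = [
    'csrf_protection'  => TRUE,              // real CI 2.x config keys
    'csrf_token_name'  => 'csrf_test_name',  // name of the hidden POST field
    'csrf_cookie_name' => 'csrf_cookie_name',// name of the cookie holding the token
    'csrf_expire'      => 7200,              // cookie lifetime in seconds
];

// Unpredictable token: a forger on another origin cannot guess it.
function csrf_new_hash(): string
{
    return bin2hex(random_bytes(16));
}

// Stand-in for setcookie(); a real app would also set path, HttpOnly and Secure.
function csrf_set_cookie(array $config, array &$cookies, string $hash): void
{
    $cookies[$config['csrf_cookie_name']] = $hash;
}

// What form_open() emits inside the <form>: the same token as a hidden field.
function csrf_hidden_input(array $config, string $hash): string
{
    return '<input type="hidden" name="' . $config['csrf_token_name']
         . '" value="' . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '" />';
}

// The check the Input/Security layer runs on every POST: the posted field must
// equal the cookie. hash_equals() is a constant-time comparison (assumption:
// chosen here for this example; CI 2.x itself does a plain comparison).
function csrf_verify(array $config, string $method, array $post, array $cookies): bool
{
    if ($config['csrf_protection'] !== TRUE) {
        return TRUE;                         // feature disabled
    }
    if ($method !== 'POST') {
        return TRUE;                         // only POST is verified; never change state on GET
    }
    $posted = $post[$config['csrf_token_name']]     ?? '';
    $cookie = $cookies[$config['csrf_cookie_name']] ?? '';
    if ($posted === '' || $cookie === '') {
        return FALSE;                        // missing field or cookie => reject
    }
    return hash_equals($cookie, $posted);
}

// --- Constructed request simulation ------------------------------------------

// 1. Victim loads the form: server sets the cookie and renders the hidden field.
$cookies = [];
$hash = csrf_new_hash();
csrf_set_cookie($config, $cookies, $hash);
$form = csrf_hidden_input($config, $hash);

// 2. Legitimate submission: browser sends both the cookie and the hidden field.
$legit = [$config['csrf_token_name'] => $hash];
printf("legit POST:   %s\n", csrf_verify($config, 'POST', $legit, $cookies) ? 'accepted' : 'rejected');

// 3. Forged POST from an attacker's page: the browser attaches the victim's
//    cookie automatically, but the attacker cannot read it to fill the field.
$forged = ['amount' => '1000', 'to' => 'attacker'];
printf("forged POST:  %s\n", csrf_verify($config, 'POST', $forged, $cookies) ? 'accepted' : 'rejected');

// 4. Attacker guesses/supplies a token of their own: still does not match.
$guessed = [$config['csrf_token_name'] => csrf_new_hash()];
printf("guessed tok:  %s\n", csrf_verify($config, 'POST', $guessed, $cookies) ? 'accepted' : 'rejected');

// 5. GET is not checked at all, which is why state changes must not live on GET.
printf("GET request:  %s\n", csrf_verify($config, 'GET', [], $cookies) ? 'accepted' : 'rejected');
```

Run it with `php csrf_demo.php`; cases 2 and 5 print `accepted`, cases 3 and 4 print `rejected`. The practical consequences for a CI 2.x app follow directly from the check: any form built by hand instead of with `form_open()` needs the hidden field added (CI 2.x exposes the name and value through `$this->security->get_csrf_token_name()` and `$this->security->get_csrf_hash()`, which is also what an AJAX client must send), and any handler that mutates state on a GET request is unprotected because the verification only runs for POST.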

